The Failure Mechanics of Dealer Banks
After completing this reading, you should be able to: Compare and contrast the... Read More
After completing this reading, you should be able to:
Cyber risk refers to the potential exposure to loss resulting from the failure or breach of an organization’s IT systems. According to Cyber Lexicon – a specialized offshoot of the Financial Stability Board that has been set up to address cyber resilience in the financial sector – a cyber incident is defined as:
“Any observable occurrence in an information system that: (i) jeopardizes the cybersecurity of an information system or the system processes, stores or transmits; or (ii) violates the security policies, security procedures or acceptable policies, whether resulting from malicious activity or not.”
Cyber attacks take several forms:
Financial institutions have been forced to adopt a working from home (WFH) policy in an attempt to limit the spread of the virus. But the move has only served to increase the threat of cyber-attacks because of several reasons.
First, households and home networks do not enjoy the same level of protection and sophistication as office networks. For instance, research shows that WFH has increased the use of virtual private networks (VPNs) and remote desktop protocol (RDP) by 33% and 41%, respectively. This has given attackers a new window to launch their attacks and penetrate systems.
Second, WFH comes with new risks. WFH means staff has to share networks with other family members and devices. This has provided new attack points for malware that could ultimately penetrate a firm’s enterprise environment.
For example, video conferencing has been the preferred way to hold meetings. But some video conferencing devices and services have been found to have suboptimal anti-threat mechanisms, making them an easy target for hackers.
In an attempt to improve enterprise systems and better manage IT infrastructure, most financial institutions have resorted to outsourcing more and more IT services from third-party vendors. But it’s an open secret that an institution’s control over a vendor’s cyber resilience measures is limited.
Even though the institution may take steps to ensure that the vendor embraces the latest cybersecurity tools, the vendor is ultimately in charge of its own systems and may not put in place the same level of protection as the institution. This means that attackers may still be able to penetrate the institution’s platform by compromising the vendor’s systems.
In Dec 2020 for instance, hackers managed to infiltrate and insert malware into SolarWinds Orion, an infrastructure monitoring system used by more than 33,000 institutions around the world. Although the financial sector was not the main target, the attackers were able to remain undetected for months.
Data gathered by Advisen – a for-profit data provider – shows that the number of cyber-attacks increased between February 2020 and June 2020. This coincides with the increase in the uptake of WFH arrangements. The finance and insurance sector was the hardest hit, taking about 25.3% of the total number of attacks.
Within this sector, insurers and credit unions bore the brunt of the attacks. These attacks were mainly in form of phishing, suspicious scanning, and cross-site scripting.
The threat actors and attack methods used during the COVID-19 crisis are the same as those used before the crisis. Only the volume and scale of attacks went up. The most-reported attack method involved phishing. In other cases, attackers imitated well-known sources of COVID-19 information (such as the WHO) to get users to open links and files infected with malware.
In response to the cyber threats brought about by COVID-19, Interpol has released some guidelines aimed at making organizations more cyber resilient. National agencies have also issued some guidance. For instance, a joint communication issued by U.K. and U.S. cybersecurity agencies lists practical indicators that have been compromised. Both individuals and organizations have been encouraged to review their cybersecurity tools and make sure that they adopt the latest tools in order to protect themselves from evolving cyber threats.
The following specific measures have been taken:
Cybersecurity authorities have released statements asking people to remain vigilant in light of the increasing level of cyber risk. A few agencies have even gone further to specify the type of threats institutions face as well as measures that should be taken in the context of COVID-19.
In April 2020, for example, the bank of Italy and the Institute for the Supervision of Insurance jointly made a public statement describing how they are addressing cyber risk during the COVID-19 crisis. As per the statement, the two institutions were focused on:
Some authorities have singled out areas where institutions have to build more resilience. The New York State Department of financial services has, for example, released the following guidelines:
A different authority – the Abu Dhabi Global Market’s (ADGM) Financial Services Regulatory Authority (FSRA) (2020) – has emphasized the need for institutions to come up with incident response plans that are commensurate with the nature, scale, and complexity of their business. The goal here is to boost readiness and ensure that any attacks that materialize are neutralized quickly to minimize damage.
To enhance preparedness and incident response mechanisms, authorities have scaled up the exchange of information on COVID-related cyber threats with financial institutions and other trusted parties. Some authorities have gone as far as releasing security bulletins and organizing webinars where participants have been brought up to speed with regard to the attack techniques they are likely to see and how to rebuff them.
The COVID-19 pandemic has heightened the risks of money laundering, cybercrime, and terrorist financing. International and National authorities have put forward a number of measures in an attempt to increase resilience and protect the global financial system from any planned attacks. One of the organizations that has been on the frontline in encouraging institutions to remain vigilant to current money laundering (ML) and terrorist financing (TF) risks is the Financial Action Task Force (FATF).
FATF is an independent inter-governmental body tasked with developing and promoting policies that protect the global financial system against money laundering and financing of terrorism or the proliferation of weapons of mass destruction.
FAFT issued a statement urging institutions to do the following:
In addition, central banks and banking supervisory agencies have issued public statements related to Covid-19 ML and TF threats. Most of them have been keen to highlight the fact that AML/AFT risks are quickly evolving, and countermeasures have to keep up if these threats are to be neutralized.
Authorities have also reiterated that there’s a need for financial institutions to continue providing essential financial services while at the same time seeking to mitigate ML risks by using the various tools at their disposal. Top on the list of such tools is machine learning, which has proved to be quite useful in detecting money laundering schemes.
What’s more, law enforcement agencies have been using the existing channels to share AML/ATF risks related to COVID-19 with financial institutions and other trusted parties. For example, the Hong Kong Monetary Authority (HKMA) is pushing for the creation of a public-private partnership through which ML/TF information linked to COVID-19 can be shared.
Practice Question
The US government acknowledges the need to alert its citizens on emerging threats resulting from the ongoing COVID-19 pandemic and incorporate measures in different sectors. Which of the following identifies cyber resilience measures that the US government is likely to apply?
A. Creating public awareness about the increasing levels of cybercrimes
B. Guiding on the most important cyber resilience areas
C. Promoting information sharing on COVID-19 related threats
D. All of the above
Solution
The correct answer is D.
The US authorities have responded to the increasing cyber-crime levels in the COVID-19 crisis through creating public awareness about cybercrime, providing guidance on the most important cyber resilience areas, and promoting information-sharing on Covid-19-related threats.