Cyber-related threats are not a new concept to the financial sector, but the threat landscape has changed radically in recent years and months. What was adequate before is simply not good enough now.
The reality of cyber threats is that they come in many guises. These include APTs (Advanced Persistent Threats), which in basic terms are strategic, stealthy, remotely controlled reconnaissance-type attacks sponsored by actors whose objectives may be as much geopolitical as financial.
They also include destructive attacks in the guise of “ransomware”, which appear to be pedestrian cybercrime but are designed ultimately to destroy the availability and integrity of data. One of the biggest game changers is the threat actor landscape itself: the motivation, origin and objective of these attacks reflect an eclectic mix of malefactors. These are powerful forces, ranging from state-sponsored attacks with geopolitical motivation to criminal syndicates offering “crime as a service” to lower-end criminal entities, and all of this makes for a significant challenge for FMIs (Financial Market Infrastructures) across Europe and throughout the globe.
“Cybercrime is a serious threat not only to individual market actors but also to the overall operational network.” ECB (European Central Bank)
We are almost desensitised to media reports of high-profile, destructive, global cyber attacks and heists. Of course, these reports represent only a fraction of the attacks and breaches that occur on a daily basis.
Due to the nature of these attacks, the “reality check” is that traditional security controls are now increasingly inadequate.
Why is conventional cyber security becoming inadequate?
Traditional “prevention” techniques such as blacklisting and whitelisting are not good enough anymore. Verification is an imperative. Prevention is only one part of the solution. Breaches are inevitable, and an adequate capability to detect, respond and recover is now a baseline requirement.
Your network perimeter is dissolving. Your customers, staff, business partners and vendors need access to everything, at any time, from anywhere, on any device. The cloud, mobile, remote access and multiple jurisdictions are the reality of the foundation of the extended enterprise.
Cyber skills are scarce! There are over 40,000 open IT security related positions in Ireland alone. There are over 2,500 open Global CISO roles in the US, and a recent survey reported that the average salary for a UK CISO (FinSec) is £1m. There are simply not enough “real deal” experienced and qualified people to meet the demand. It is not simply a case of outsourcing, as professional service firms face the same challenge of finding “cyber skilled” resources.
Your business ecosystem and vendor dependency is one of the biggest cyber challenges facing your organisation. Security is only as strong as the weakest link, and with the increased sanctions in legislation such as the GDPR, not only will we see litigation between business partners, but all organisations in the supply chain are open to being sued post-breach by those affected, for pecuniary or non-pecuniary damages (i.e. distress). The “blame for claim” rush is on its way. Establishing trust and gaining assurance is a key challenge in the financial service ecosystem.
A final point to note is in relation to IoT, the “Internet of Things”. Security is very low on the agenda of manufacturers. These devices are being increasingly networked, and this has introduced unprecedented security hazards. Recent massive, global, large-scale DDoS attacks have been based on cybercriminals being able to create compromised networks of hundreds of thousands of these devices around the world and use them to essentially attack a target. One of the highest-profile attacks was during the US elections and involved a massive Internet outage across the US.
There is an alphabet soup of laws, legislation, regulations, guidance, frameworks, standards and authorities: over 400 of them, comprising over 10,000 overlapping and often conflicting controls, originating from 175 legal jurisdictions. It is a challenge even to know where to begin.
European legislation is key: the NIS (Network Information Systems) Directive and the GDPR (General Data Protection Regulation) are part of your “must do” list.
This is not instead of, but to complement and support, initiatives such as PSD2 and SIP. The IOSCO (International Organization of Securities Commissions) – CPMI (Committee on Payments and Market Infrastructures) has released some excellent guidance in relation to cyber resilience.
However, let me point you to what I feel is one of the best guidance documents available. The G7 cyber expert group has published the “Fundamental Elements of Cyber Security for the Financial Sector”, and this advice is being echoed by the Eurosystem, the ECB and local regulators across Europe.
The elements underline that cyber risk must be met by a collective and united effort by the financial industry and the public authorities, both within and across borders.
This means the cyber resilience of the financial ecosystem is a joint effort of institutions, infrastructures and regulators. Of course, this means banking supervisors and financial market infrastructure overseers will naturally increase their focus on ensuring cyber resilience. The bottom line: primary responsibility is, and stays, with the financial institutions.
Contact Us if you’re interested in organising a briefing: +353 (0)1 905 3260