Some experts expect a large international bank to go under on the back of a cyber-attack within the next five years. Melodie Michel investigates the scale of the cyber-threat in trade finance.
The days of positive connotations of the word “cyber” are over. What used to spark feelings of innovation and excitement is now associated with threats, attacks, crime and theft. It’s been a long time coming, but the number and sophistication of high-profile hacks that happened in 2014 alone – think eBay, Target, Home Depot or the very publicised Sony leak scandal – have prompted an acceleration of cyber-security efforts among corporates and governments.
Financial institutions in particular have seen that risk heightened: a February 2015 Kaspersky report, sensationally titled The Great Bank Robbery, uncovered the US$1bn theft committed by cyber-gang Carbanak on a total of 100 banks over the course of two years. Though, once broken down, the amounts stolen from each institution are not much higher than what gets lost in credit card fraud every year, the report made headlines across the globe, and was a good reminder of what hackers are capable of.
“I predict that a major Western bank will go under within five years because of a cyber-attack – the odds are just so stacked against them. My only hope is that I’m proved wrong in five years, but it’s based on common sense,” says Professor Richard Benham, who founded the first national MBA in cyber-security at Coventry University in 2014.
In 2013, the New York Department of Financial Services (NYDFS) conducted a survey of 154 financial institutions, assessing their vulnerability to attacks and their approach to cyber-security.
The findings, released in May 2014, are staggering. They revealed that most institutions, irrespective of size, experienced intrusions or attempted intrusions into their IT systems over the previous three years – the most common methods being malicious software, phishing, pharming (redirecting a website’s traffic to another, fake site) and botnets or zombies (infecting a number of computers so they unknowingly perform automated tasks on the internet). The larger the institution, the more likely it appeared to experience malware and phishing attempts.
Types of threat
The motivations behind these attacks are varied, but can usually be split into three categories: nation-state breaches to collect intelligence or intellectual property (Sony’s The Interview leak, allegedly perpetrated by North Korea), hacktivists wanting to make a political statement (US military’s Twitter account takeover by Islamic State backers), or organised cyber-gangs looking to steal funds (Carbanak).
“As the cost of technology decreases, the barriers to entry for cybercrime drop, making it easier and cheaper for criminals of all types to seek out new ways to perpetrate cyber-fraud. A growing black market for breached data serves to encourage wrongdoers further,” says the NYDFS.
Though the second type presents high reputational risk for financial institutions, it is definitely the third – organised theft – that can do the most damage to banks.
Sasi Mudigonda, a product manager at software solutions provider Oracle, explains: “The cyber-threat for financial institutions is broadly classified into two separate areas: the first one is directly organised attacks on the networks of the banks, essentially trying to gain access to the systems behind the bank’s firewall. The typical modus operandi for that type of attack is for the cybercriminal to launch an open general denial-of-service attack on the bank’s overall system, and while it is trying to respond to that attack, to sneak into some other, less secure areas of the bank.
“The second type of cyber-threat is a hack or an attack on a retail institution, which generally have older systems and are considered more vulnerable to this type of attack. They steal the card information and then try to commit fraud on the stolen card information. The bank only sees it when the transaction happens on the stolen card. Even though it’s not directly on the financial institution – they don’t have control over the retailers’ networks – they are exposed to this sort of cyber-activity.”
According to the NYDFS survey, the most frequent types of activity resulting from a cyber-intrusion reported by institutions were account takeovers (46%), identity theft (18%), telecommunication network disruptions (15%), and data integrity breaches (9.3%). Third-party payment processor breaches were also reported by 18% and 15% of small and large institutions, respectively.
Banks also have to deal with a new type of threat, related to the use of mobile and cloud technologies in the workplace.
“Organisations are facing the reality of blurred or disappearing cyber-security perimeters as their data is increasingly exposed through new channels, such as cloud computing, social media, corporate bring-your-own-device policies and big data. Cloud computing introduces yet another set of issues. Firms may unknowingly share platforms with competitors through remote and virtual data storage,” says Stella Tse, head of financial and professional liability, Asia, at Marsh.
Here again, the NYDFS survey brings some interesting insight: while most financial institutions already have procedures in place to mitigate the risk associated with mobile devices, fewer than 27% of them have implemented policies to deal with the risks related to cloud computing, though 35% of the ones without policies plan to introduce them in the next three years.
Danger looms for trade finance
As opposed to retail banking, trade finance hasn’t yet been the centre of any high-profile hacking scandal, but according to Mudigonda, the risk is very present. Oracle monitors trade finance transactions, documents submitted as part of them, and related Swift payments, but hasn’t so far looked at trade finance portal activity or cyber-threat specifically. Still, Mudigonda mentions a few cases where money has been wired to wrong accounts, many of which are from geographies in Ukraine or Eastern Europe. “I can sense that this is happening, and from our system we did detect it, but I don’t have exact tools to know if the financial institutions are detecting it.”
In his mind, trade finance is mostly vulnerable to cyber-attacks in the form of identity theft committed on large corporate accounts. “I can see cyber-criminals attacking the corporate entity, say a particular big corporation that has an account with a bank managing its supply chain and using it for trade finance. They could do that using traditional phishing attacks: for example, asking a corporate to change its password, and then ship a bunch of things or wire a bunch of money into their own account.”
Compared with low-amount, high-volume credit card fraud, criminals wouldn’t need to conduct many trade finance cyber-attacks to steal millions, and the related costs in terms of lost revenue, investigation, possible fines and reputational damage would quickly add up.
Regulators are playing catch-up to provide a legal framework for cyber-related claims, pushed by industry bodies calling for harmonised rules. The EU is set to update its Data Protection Directive within the next two years, to provide more uniform laws around the member states as to how they can deal with data privacy issues.
Additionally, the US is moving away from swipe-and-pay and towards chip-and-pin payments at the initiative of credit card issuers, which have announced a fraud liability shift towards merchants that don’t have a chip system in place from October 2015.
Governments are also collaborating to improve their banks’ cyber-security systems, with the US and UK due to hold their first joint ‘cyber-war games’, including a large-scale attack simulation, this year.
But the regulatory framework around cybercrime is still in its infancy, and it remains unclear who – between the bank, its software provider and the corporate – would be held liable in the event of a trade finance cyber-attack.
James Cooper, a Clyde & Co partner specialising in handling financial institutions claims, tells GTR: “There’s no regulation, so you have to look at the common law and the account opening contract. Ultimately, if the bank is responsible for its client, it would then look to pass that responsibility onto the technology provider because it’s unlikely that the bank itself is directly at fault. But what we have seen in the past is that the technology provider doesn’t have enough money, so the bank is left holding the bag even though it should be able to pass this responsibility on.”
In the trade finance sphere, banks would have more chance of passing the responsibility onto the corporate involved if the latter’s network was at fault, explains Mudigonda.
He recommends doing the appropriate due diligence on technology providers to check their level of security and make sure they can cope with these types of claims. “I see banks and the corporations working with banks fighting over liability with each other in this case. In the area of trade finance, the liability and regulations are still evolving, so they will go after each other and say: ‘Your security is not good enough and you enabled this breach so I am not able to pay you that money.’ There will be a conflict there, especially because in trade finance the entities are corporations, not individuals, so the banks can absolve themselves of the responsibility.”
This emphasises the need for proper due diligence in the cyber-security arena – something which, according to another NYDFS survey, is not yet as widespread as it should be. In a report released on April 9, 2015, the department highlighted “significant potential cyber-security vulnerabilities with banks’ third-party vendors” ranging from law firms to heating and ventilation providers. Indeed, nearly one in three of the 40 large banks surveyed do not require their third-party vendors to notify them of cyber-security breaches, fewer than half conduct on-site assessments of their vendors, and one in five do not require third-party vendors to prove that they have established minimum information security requirements.
NYDFS superintendent of financial services Benjamin Lawsky said in the report: “A bank’s cyber-security is often only as good as the cyber-security of its vendors. Unfortunately, those third-party firms can provide a backdoor entrance to hackers who are seeking to steal sensitive bank customer data.”
As a result, the department is expected to issue regulations strengthening cyber-security standards for banks’ third-party vendors, including potential measures related to the representations and warranties banks receive about the cyber-security protections in place at those firms, in the coming weeks.
There may be a long way to go, but banks are on the case: over three-quarters of them increased their information security budget in the past three years, and 79% expect to increase it further in the next three years.
Demand for cyber-insurance products is also on the rise. “With the heightened level of attention in the boardroom, over the past 12 months we have seen a doubling of the volume of enquiries from clients who are keen to find out more about cyber-insurance as part of their evaluation of their corporate readiness for such risks,” says Tse at Marsh.
Insurance solutions range from basic cover for out-of-pocket expenses incurred in the wake of a data security breach, to business income loss coverage in case a computer network is shut down for an extended period of time, to third-party coverage for losses incurred by the insured’s customer – but most are customised to each organisation’s needs.
However, Oracle’s Mudigonda expresses reservations on the efficiency of such products: “This is all evolving at a very fast pace so I have seen many examples where the financial institutions have said that the insurance contract itself was full of loopholes and did not really cover any liability.”
Banks are very aware of the need for innovation in the cyber-security space, and some are creating incentives to bolster it: in March this year, RBS launched a competition to find the start-up with the best proposal for authentication systems to increase security for banks, finance organisations and their customers – the reward being a share of £175,000 of funding and a partnership to make the product commercially viable.
“My impression is that most banks are taking it more seriously as each month goes by, but they’re usually one step behind the hackers, because the bank has many different things that it needs to be doing other than IT platforms, while hackers only have one goal in life and that is to hack into banks and make money, so it’s very difficult for banks to keep ahead,” says Clyde & Co’s Cooper.
In any case, financial institutions’ best bet is to move corporate governance around cyber-security issues from the current IT-centred structure to board level and increase awareness throughout their organisation. More importantly, banks need to let go of their competition fears and take inspiration from the hackers themselves, whose strength lies in their ability and desire to share information. When it comes to cybercrime, strength lies in unity.