The banking sector’s cyber risk awareness is growing as recent attacks and industry body initiatives are putting the hacking threat back in the spotlight.
A new report published jointly by lobbying organisation TheCityUK and insurer Marsh today is pushing for urgent, industry-wide action on cyber risk. Presenting Cyber and the City this morning, Iain Lobban, former head of Government Communications Headquarters, said the risk was “about when, not if”, with 90% of large UK organisations reporting breaches in 2015.
The report adds that 2.5 million cyber-crimes were reported in the UK last year, most of which were fraud, with the financial loss borne by the financial sector.
John McFarlane, chairman of TheCityUK and of Barclays, talked about “a war on a new front, with a hidden enemy”, and reminded the audience that no major hacking group has been prosecuted as of yet.
According to a survey by Marsh, only 30% of large firms rank cyber risk among their top 10 risks, only 39% have quantified the risk and just 30% have a plan for responding to a breach.
The report comes at an opportune time, with a recent cyber-attack on Vietnam’s Tien Phong Bank (TP Bank) which continues to make headlines, and the US$81mn theft from the Bangladesh central bank in February. In TP Bank’s case, which actually took place at the end of 2015, attackers used fraudulent Swift messages to request the transfer of more than €1mn of funds, but the Vietnamese bank was able to block them and incurred no losses.
TP Bank released a statement late on Sunday saying the transfers were made using infrastructure belonging to an outside vendor hired to connect it to the Swift bank messaging system. It is believed the infrastructure targeted was a PDF reader.
This type of breach would require attackers to know which PDF reader the bank was using, and to feed all of the bank’s information into the malware, which sources suggest could imply insider involvement. According to Cyber and the City, 95% of all cyber incidents involve human error, and at the launch in London, McFarlane added that the “greatest threat” was that of “collusion from inside”.
As a response to the growing cyber threat, the report recommends that boards should hold management responsible for cyber risks instead of their IT departments, and provides 10 questions management should consider in order to better protect firms.
It also urges the creation of a London city-wide cyber forum to promote collaboration across all firms within the financial and related professional services industry.
Chris Cummings, chief executive of TheCityUK, says: “Cyber-crime isn’t a problem of the future, it’s a very real threat today. There is no silver-bullet to manage it, but there are practical steps the industry, and the customers we serve, can take to ensure we’re well protected against attack. Cyber hygiene should be as commonplace as locking the windows and doors when you leave the house. It is essential for the industry and the continued attractiveness of the UK as a safe place to do business that we tackle this issue head on and make the UK a centre of excellence for cyber security.”
Mark Weil, CEO, Marsh UK & Ireland, adds that “financial services are a high-value target for cyber-crime given their criticality to the economy”.
Additional reporting: Finbarr Bermingham