UK banks are under-reporting cyber attacks, according to a recent report. Unfortunately, that just makes it more likely attacks will be successful.
Given their business, financial services firms are an obvious target for cyber criminals. As more and more financial transactions have moved online, the threat has grown rapidly. In 2014, the Financial Conduct Authority received five reports of attacks on financial institutions. This year, so far, it has received 75.
As the FCA’s director of specialist supervision Nausicaa Delfas recently said: “Our view of the cyber landscape is that risks and threats are ever evolving and ever increasing – we need to remain vigilant and agile to combat them. It is an asymmetric threat – easier to perpetrate than to defend against…
“This increase in incidents, considered alongside the regular reports from security specialists, suggests our challenge is only getting greater.”
Cyber: A systemic risk to finance?
The risks have become more widespread, but also in more serious. The theft of $81 billion from the Bangladesh Central Bank’s account at the US Federal Reserve earlier this year was notable not just for its scale, but also for targeting the SWIFT payments system.
As one commentator explained: “Central banks have been looking at cyber crime, first at their banking sector and more recently with regard to their own websites. But real-time gross settlement systems and Swift are in a different league. You are not just talking about big money, but the money. Swift is the nervous system of international payments.”
It’s not surprising, then, that some have questioned whether cyber represents a systemic risk to the finance sector.
A hard target?
Even now, though, we risk underestimating the risks. Reports to date significantly understate the risks to financial firms from cyber attacks, according to some. Banks are, in fact, under “almost constant attack”, they say, and are “dramatically under-reporting” attacks to protect their reputations and public confidence.
“[T]hey do what’s legally required but out of embarrassment or fear of punishment they aren’t giving the whole picture,” one expert told Reuters.
This obviously raises the risk that the banking sector’s reputation as a difficult, well-defended target may not be based on a complete picture of the evidence. The bigger danger, though, is that this reticence to discuss attacks itself undermines the security of the sector.
As experts in the Reuters report point out, the silence of banks about the threats they face deprives regulators of information that could help prevent further attacks; and it deprives other banks of information that could inform their cyber security strategies.
As the threats facing finance groups continue to evolve, increasing the willingness of the sector to share information about attacks will be increasingly important to improving its resilience against them.