By Alexandra Lating, Product Marketing Manager
Cybersecurity has become the crucial challenge for the world’s financial system. That opinion comes from none other than the chair of the Securities and Exchange Commission.
Speaking at a financial regulation summit sponsored by Reuters, SEC Chair Mary Jo White said major exchanges have failed to align their cybersecurity defenses to the scale of the threats they face.
“What we found, as a general matter so far, is a lot of preparedness, a lot of awareness,” White said, according to a Reuters report on the event, “but also their policies and procedures are not tailored to their particular risks.”
That quote might not sound like an alarm bell. But security experts are definitely hearing it that way. They’re used to parsing the seemingly dry quotes that emerge from officials like White and Fed Chair Janet Yellen.
Tom Kellermann, CEO of an investment house specializing in cybersecurity and at one time a member of the World Bank’s security squad, did not mince words. He termed it nothing less than “a historic recognition of the systemic risk facing Wall Street.”
Successful attacks call financial system’s trustworthiness into question
The banking industry relies on trust. It works hard to project an image of solidity and engender a belief that its systems are strong. But banking’s reputation for security has taken a beating lately.
Arguably the highest-profile breach came when hackers stole $81 million from Bangladesh Bank. One thing that is clear about the attackers is that they initiated the transfers with valid, stolen credentials, which is why many experts say it was at least partially an inside job (stolen credentials can just as easily be harvested by malware on a compromised workstation, so the firmer conclusion is that authentication alone offered no defense). An investigation to identify the culprits remains underway. The hackers somehow exploited vulnerabilities in or connected to SWIFT, the giant international cooperative that facilitates the worldwide exchange of some $6 trillion every day, the Financial Times reported. SWIFT has been careful to declare that its messaging systems were not breached in the theft from the Bangladeshi central bank, nor in similar attacks targeting banks in Ecuador, the Philippines and Vietnam.
But banking security experts say SWIFT's cyber defenses have still fallen short of the mark.
Gartner analyst Avivah Litan told Bank Info Security that SWIFT “didn’t seem to have some of the very basic fraud-detection controls that could have stopped the heists – looking for abnormal payees, looking for remote account takeover, looking for abnormal access. These are all fraud-detection measures that the U.S. regulators have mandated that U.S. banks put in. So it was pretty shocking to me that SWIFT did not have these measures, apparently, and relied so heavily on authentication instead.”
The lesson is the same one behind next-generation endpoint security: authentication establishes only that valid credentials were presented, not that the person or the transaction behind them is legitimate. Firewalls still play a role by keeping known malware at bay, but good cyber defense also has to baseline what normal activity looks like, flag what deviates from it and respond at machine speed.
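As an added illustration of the controls Litan describes (not code from SWIFT, from any bank or from the original article), the following Python screens a batch of outgoing payment instructions against a baseline of what the originating bank has approved before. The record layout, the rule thresholds, the ten-minute velocity window and the sample transfers are all assumptions constructed for the example; real interbank messages carry far more fields than this.

```python
"""Rule-based screening of outgoing payment instructions (illustrative only).

Each rule corresponds to one of the controls named in the text: abnormal
payees, remote account takeover and abnormal access. A velocity rule is added
on top. Thresholds, the record format and the sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass
class Transfer:
    ref: str
    operator: str          # user whose credentials initiated the instruction
    beneficiary: str       # receiving account identifier
    amount: float          # USD
    submitted: datetime    # local time at the originating bank
    source_ip: str         # where the operator session came from


@dataclass
class Baseline:
    """What 'normal' looks like, built from previously approved traffic."""
    known_beneficiaries: set
    max_amount_seen: dict                        # operator -> largest prior amount
    business_hours: tuple = (time(8, 0), time(18, 0))
    internal_networks: tuple = ("10.", "192.168.")


VELOCITY_WINDOW = timedelta(minutes=10)   # assumption
VELOCITY_LIMIT = 3                        # instructions per window before flagging
AMOUNT_MULTIPLIER = 5                     # flag if > 5x the operator's prior maximum


def screen(transfer, baseline, history):
    """Return the rule names the transfer trips (empty list means clean).

    history: operator -> list of earlier submission times in this batch.
    """
    flags = []
    # Abnormal payee: account never paid before.
    if transfer.beneficiary not in baseline.known_beneficiaries:
        flags.append("new_payee")
    # Abnormal amount relative to what this operator has ever sent.
    prior_max = baseline.max_amount_seen.get(transfer.operator, 0.0)
    if prior_max and transfer.amount > AMOUNT_MULTIPLIER * prior_max:
        flags.append("amount_outlier")
    # Abnormal access: outside business hours or on a weekend.
    start, end = baseline.business_hours
    if transfer.submitted.weekday() >= 5 or not (start <= transfer.submitted.time() <= end):
        flags.append("off_hours")
    # Remote account takeover: operator session from outside the bank's networks.
    if not transfer.source_ip.startswith(baseline.internal_networks):
        flags.append("remote_access")
    # Velocity: too many instructions from one operator in a short window.
    recent = [s for s in history[transfer.operator]
              if timedelta(0) <= transfer.submitted - s <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_LIMIT:
        flags.append("velocity")
    return flags


def screen_batch(transfers, baseline):
    """Screen a batch in submission order; return {ref: flags} for flagged items."""
    history = defaultdict(list)
    results = {}
    for t in sorted(transfers, key=lambda x: x.submitted):
        flags = screen(t, baseline, history)
        history[t.operator].append(t.submitted)
        if flags:
            results[t.ref] = flags
    return results


# Constructed baseline and sample batch (not real traffic). 2016-05-14 is a
# Saturday; 2016-05-16 is a Monday.
BASELINE = Baseline(
    known_beneficiaries={"ACME-SUPPLIES-0042", "PAYROLL-TRUST-0007"},
    max_amount_seen={"op.alice": 250_000.0, "op.bob": 40_000.0},
)
SAMPLE = [
    Transfer("T1", "op.alice", "ACME-SUPPLIES-0042", 120_000.0, datetime(2016, 5, 16, 10, 15), "10.4.1.22"),
    Transfer("T2", "op.bob", "PAYROLL-TRUST-0007", 38_000.0, datetime(2016, 5, 16, 14, 5), "10.4.1.30"),
    Transfer("T3", "op.alice", "NEWCO-HOLDINGS-9911", 2_000_000.0, datetime(2016, 5, 14, 2, 30), "203.0.113.8"),
    Transfer("T4", "op.alice", "NEWCO-HOLDINGS-9912", 1_900_000.0, datetime(2016, 5, 14, 2, 31), "203.0.113.8"),
    Transfer("T5", "op.alice", "NEWCO-HOLDINGS-9913", 900_000.0, datetime(2016, 5, 14, 2, 33), "203.0.113.8"),
    Transfer("T6", "op.alice", "NEWCO-HOLDINGS-9914", 800_000.0, datetime(2016, 5, 14, 2, 35), "203.0.113.8"),
]

if __name__ == "__main__":
    for ref, flags in screen_batch(SAMPLE, BASELINE).items():
        print(ref, "HOLD:", ", ".join(flags))
```

In the sample batch the two weekday transfers to known payees from the internal network pass cleanly, while the four Saturday-night instructions to never-seen accounts from an external address are all held, two of them also for amounts far beyond the operator's history and the last one for velocity. None of these rules needs the attacker's credentials to be invalid, which is the point Litan makes: they catch the behavior, not the login.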
Leading EU regulator: Banks should do cyber ‘stress tests’
Remember those “stress tests” U.S. banks were subjected to in the wake of the financial crisis that began in 2008? The top banking regulator in the European Union has called for similar tests of cybersecurity at financial institutions across the EU’s 28 member states.
The chairman of the European Banking Authority, Andrea Enria, echoed his American counterpart in saying cybersecurity has become a key issue in the EU, according to remarks he made to Reuters recently in Beijing.
Wade through this bureaucratese from Enria and you’ll see at the end that he means business. “Pillar 2” is the supervisory review part of the Basel capital framework as applied to EU banks: it lets supervisors require an individual bank to hold extra capital for risks the baseline rules do not cover.
“We are developing guidelines on IT risk, which are under the Pillar 2 framework – so how to assess cyber risk and how to assess the mitigating measures that banks are putting into place and, if shortcomings are identified, which types of measures supervisors can take under Pillar 2, including additional capital requirements,” Enria told Reuters.
Yes, he said supervisors might require banks to hold more capital to withstand the growing risk of cyber attacks.
Knock-on effects: Are financial advisors secure?
If banks themselves have miles to go in locking down their own cybersecurity, sectors affiliated with banks may be even more vulnerable. Tech reporter Robert McGarvey recently examined the security norms of financial advisors and found that experts consider them lacking.
“Financial advisors are some of the most targeted personnel in the financial space, because so many are small businesses and unable to spend on robust cybersecurity defenses,” Paul Pagnato, founding partner of wealth advisory firm PagnatoKarp, told McGarvey. “And criminals first take the path with least resistance. Thieves are after more than just money, they’re after lucrative client data and account information that can multiply their earnings potential for both direct exploit and/or for sale on the Dark Web.”
If you’ve ever used a financial advisor, odds are good that person has logged in to your retirement accounts with you, to rebalance your portfolio for instance, which means your credentials have been typed on, and possibly saved to, the advisor’s workstation. Depending on the advisor’s cybersecurity savvy and willingness to invest in strong endpoint security, those credentials might be easy prey for anyone who compromises that machine.
So while the SEC head’s warnings about cyber vulnerabilities in the banking system get headlines, it’s worth pausing to consider the many places other than banks where financial data might be stolen.