(The Street) — Data breaches at eBay (EBAY), JPMorgan Chase (JPM) and Home Depot (HD) coupled with cyber-attacks on U.S. government agencies show the risks posed by hackers will only increase, regulators warn, and finance companies are finding themselves on the front lines.
A case in point is the recent warning from the Financial Industry Regulatory Authority, or Finra, that a hacker group known as DD4BC has threatened denial-of-service attacks on its members unless they pay a ransom in the digital currency Bitcoin.
The group typically gives the targeted firm a warning that sets a price to avoid the attack, Finra said. The next step is a “demonstration attack” accompanied by a demand for payment within 24 hours. Ransom demands for large firms have ranged from several thousand to several hundred thousand dollars, Finra said. Firms in New Zealand and Australia have been targeted, too, and the Swiss government sounded an alarm about DD4BC earlier this year.
“In many ways, it is a showdown year,” said Kevin Petrasic, a partner in the banking and payment systems division at law firm Paul Hastings, which has offices in New York, Europe and Asia. “There are various reasons for this that have largely coalesced into a sort of ‘cybersecurity perfect storm.’ In effect, our connectedness is creating greater, and in some cases, easier targets for financial theft via cybercrimes, and the remoteness of cybercriminals’ activities similarly promotes these risks.”
A variety of government agencies are urging companies to ramp up cyber-security systems to protect both their own businesses and their customers’ data. The Federal Trade Commission released a guide in June that outlined 10 preventive measures based on agency settlements with 50 companies over lapses in data security. Among the recommended steps are: Not collecting unnecessary personal information from customers, destroying the data once it’s no longer needed; restricting data access to only the employees who need it; requiring complex and unique passwords and shutting down user credentials after a certain number of unsuccessful login attempts.
“Threats to data may transform over time, but the fundamentals of sound security remain constant,” the agency said.
Financial companies have traditionally been front-line targets, U.S. Securities & Exchange Commissioner Luis Aguilar said in a June speech in New York, and the potential profits for cyber-criminals there are tremendous. The market for stolen credit cards alone is estimated to be $114 billion, topping the estimated global market for cocaine by about $29 billion, he said.
“The Internet has become an integral part of our professional and personal lives,” Aguilar said. “And while the benefits have been enormous, so, too, have the risks.”
Agencies including the FBI and the SEC have urged companies to develop good working relationships with them in advance of a a potential attack, but businesses also worry about exposing too much of their inner workings to the government.
“It is an extremely delicate balance that all financial firms — big and small — are struggling to manage given that the stakes are extremely high both from a security perspective and a competitive standpoint,” Petrasic said. “For many consumers, an overriding concern in choosing a financial services provider is account protections and controls that minimize potential privacy risks and exposure of sensitive information.”
That’s a concern companies such as Goldman Sachs (GS) and Morgan Stanley (MS) are well aware of.
“We have developed and implemented a framework of principles, policies and technology to protect the information provided to us by our clients and that of the firm from cyber attacks,” Goldman said in a recent regulatory filing. “Safeguards are applied to maintain the confidentiality, integrity and availability of information.”
Morgan Stanley outlined similar systems, but cautioned that no security measures are foolproof.
“Like other financial services firms, we and our third-party providers continue to be the subject of attempted unauthorized access, mishandling or misuse of information, computer viruses or malware, cyber attacks designed to obtain confidential information” and other forms of cyber-crime, the New York-based bank said in a regulatory filing. Increasing use of smartphones, tablets and other mobile devices as well as cloud computing may heighten the risks, the bank warned.
The bottom line is that firms will have to make some tough choices — and devote more time, money and effort to insulating themselves from cyber-attacks, experts said.
“There are no easy answers for developing comprehensive solutions that do not involve some form of government participation,” Petrasic said. “Ultimately, we have to give up some ground to government involvement to gain greater protections in terms of protections from cybercrimes.”
Source: The Street