Your correspondent recently attended a conference hosted by industry group PIMFA, featuring panel discussions on cyber-crime and its potential impact on the wealth management sector.
Cyber-crime is evolving.
No longer are digital threats confined to computers and systems connected to the internet. The reality is that the number of hacks and data breaches occurring on the back of physical infiltrations is rising, and this poses a serious threat to private banks and wealth managers.
Criminals rob banks “because that's where the money is,” infamous US bank robber Willie Sutton once said in response to a reporter's question of motives.
If bank robbers follow the money, then an obvious target might be an institution storing swathes of personal data tied to potentially trillions of dollars of assets globally.
“It really is the crime of our time,” Terry Wilson, a director at the Global Cyber Alliance, a non-profit organisation set up by the New York County District Attorney, City of London Police and the Center for Internet Security, told the audience of PIMFA's Fintech Conference. “You can wrap as much protection around your company as possible, but you could still have a rogue body [working] inside. A significant amount of people in banking have deliberately got themselves recruited to create back doors to allow for the exfiltration of information or to steal money.”
He explained that aside from rogue employees, private banks also risk falling victim to physical invasions by hackers acting under the guise of workers from legitimate companies purportedly sent to carry out maintenance on servers. In such cases hackers are able to physically steal or replicate hundreds of gigabytes of data, right under banks' noses.
Attacks vary widely: they can be as sophisticated as the impersonation described above, or as simple as a fake email.
“If [a private bank] has a fire or a flood, you can see the building burning or the water rising, but with cyber-crime, you don't necessarily know exactly what's happening,” said Giles Taylor, Lloyds Bank's head of data and cyber security, who was also on the panel. “It will change and move direction.”
Because it is often difficult to pinpoint hackers' entry routes, cyber-crime is no longer just a concern for banks' IT departments; it is an “organisational security issue,” Wilson said.
From next May, sweeping new European legislation replacing the Data Protection Directive of 1995 will require organisations to report personal data breaches to their regulator within 72 hours of becoming aware of them, unless the breach is unlikely to put individuals at risk. Failure to comply with the General Data Protection Regulation, or GDPR, can attract a fine of up to €20 million or 4 per cent of annual worldwide turnover - whichever is higher. For some businesses, this could be fatal.
“The minute you silo [cyber security], it becomes the responsibility of one area of the organisation. But cyber security should be across the whole organisation,” Wilson said, explaining that every member of staff working in a private bank or wealth manager must be vigilant.
“Training [for] staff awareness [about cyber-crime] has to be on everyone’s agenda,” said panellist Martin Camp, divisional director at Lark, a firm that provides business insurance against cyber attacks. “The biggest challenge is the people side of things.”
It is inherently difficult for institutions to stay a step ahead of the hackers hunting them, because nobody knows what form the next attack will take. In many cases, the panellists explained, hackers exploit a weak point in a company's cyber defences and, if it is left unattended, turn it into a permanent entry point. Once a firm learns that one of its systems is vulnerable, or has already been breached through that weakness, the usual response is to apply what is known as a "patch": a targeted software fix that closes the specific hole. Like repairing a broken link in a chain rather than replacing the whole chain, it is quick and cost-effective, and it plugs the leak without the firm having to revamp its entire system.
But the way firms patch can itself be crippling.
Not only does patching contribute to the pressing problem of legacy systems - a bank's digital foundations rotting as layer upon layer of new software is piled on top of old over the years - it can also be a drawn-out process, Wilson said.
“I have seen some firms with a 14-day procurement policy to implement a patch,” he said. “I find that incredible. Would you leave your building open for 14 days? If you were a wealth manager, would you leave your client’s account open for 14 days? That’s exactly what organisations are doing in terms of their IT systems. Hackers think: ‘they deserve it’.”
Not Paying The Price
One of the driving forces behind cyber-crime is the fact that “the risk to cyber criminals is very low, yet the financial yield is very high,” Wilson suggested.
One supporter of legislation against cyber-crime, Lamar Smith, once said: “Our mouse can be just as dangerous as a bullet or a bomb.”
The longest jail sentence yet handed to a cyber criminal is 27 years, imposed earlier this year on a Russian hacker convicted of stealing millions of payment card details. A sentence of that severity is extremely rare, however, and most prison terms do not exceed 10 years.
“It is a huge attack on the legal system,” Wilson said. “We need to raise the risk level for criminals.”
At a time when data is considered a valuable commodity, collaboration is key to making headway, the panellists agreed.
“Information, best practice and intelligence should be shared, and organisations should work with law enforcement to pursue criminals,” Wilson said.