Apps are making the banking sector more vulnerable to cyber-attack, say European regulators, who recommend that firms hold capital as insurance against such an event. The ‘Joint Committee Report on risks and vulnerabilities in the EU Financial System’ is
just as applicable to financial institutions elsewhere in the world, providing an assessment of the challenges that they face in delivering innovation, under intense scrutiny from regulators and predatory criminals. If read alongside the reports from last
year’s cyber-attack scenarios in the UK and US (Waking Shark 2 and Quantum Dawn 2), it is clear that vulnerabilities are opening up while an industry-wide consciousness of the risks that an attack poses is relatively nascent.
Q: Do regulators think that iPhones are going to bring down the markets?
A: The report, produced by the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the Joint Committee of European Supervisory Authorities, says, “Pressure
to get products to markets, particularly in the mobile space, is also a source of risk as sufficient time to test before go-live dates is squeezed.” So really they are warning that competitive pressures might lead to shortcuts. They note that outsourcing and
cloud computing should be carefully supervised in the same vein.
Q: Budgets are tight and profits are a bit wobbly…
A: Exactly. So taking risk is the only way to try and keep one’s head above water. Or rigging the markets, but no-one would do that.
Q: Haven’t banks passed their annual ‘Virus and hackers’ exam?
A: In the UK and US they underwent tests last year to see if they could weather attacks; however, certain banks in the UK (and elsewhere) have seen their websites taken out of action by denial-of-service attacks, and a reliance on legacy systems across the
industry means that there are a few weak spots which could be vulnerable. Besides, an attack on an app might not want to take a bank out – it might want to keep it alive so it can feed off its customers’ accounts.
Q: A financial mosquito?
A: Quite. The test showed that it would be hard to take out the whole capital markets infrastructure, even with a lot of aggression (the US event included a sell-off in target stocks using stolen administrator accounts; counterfeit and malicious telecommunication
equipment to hamper the investigation into the sell-off; fraudulent press releases on target stocks; a distributed denial of service attack; corruption of the source code of an equity market application; a phishing scam; and a custom virus attacking post-trade
processing). Most financial infrastructure firms were hit by cyber-attacks in 2012; goodness knows how much the banks are getting hit for.
Q: So what do regulators recommend?
A: Put more in the IT budget and don’t think of it as a flexible cost – “it is important to ensure that IT systems and related internal controls are safeguarded against adverse budgetary implications.”
They also warn against the use of outdated legacy kit, noting that, “interaction with legacy or heterogeneous IT systems deserves heightened attention, as particular weaknesses, such as inability to cope with volume of use, can be identified here… even the
maintenance of existing infrastructures is not sufficiently addressed in some cases, and needs to rapidly adapt to new threats which are not always fully provisioned within existent budgets.”
Q: So buy more technology?
A: Stop using steam engine-run mainframes.