Bank chiefs frightened by cyber risks - PwC

Bank chiefs frightened by cyber risks - PwC

The day after reports of a one billion dollar cyber heist at banks around the world, a PwC poll shows bank bosses are growing increasingly concerned about the threats posed by online criminal gangs.

The survey of 175 bank CEOs identified cyber risks as one of the biggest threats to growth prospects over the coming years, second only to over-regulation in the catalogue of banking bugbears.

Interviewed for the report, Beth Mooney, chairman and CEO of US bank KeyCorp described the rising tide of data breaches as "fightening".

"The sources of where these breaches are coming from; it’s no longer two kids in a basement. These are very sophisticated entities doing it for everything from commerce to criminal," she says. "What we are doing to protect data and our clients, in conjunction with other financial institutions and the government, is one of the most important things, because we are into new territory that has significant consequences.”

The PwC poll was released a day after Kaspersky Labs reported that up to a billion dollars may have been plundered from 100 banks worldwide in an unprecedented cyber heist by a gang of unknown hackers.

The attacks, which took place in 30 countries over a two-year timeframe beginning in 2013, were perpetrated by a cybercriminal gang with tentacles in Russia, China and Ukraine.

Kaspersky says at least $300 million has been definitively lost in the spate of attacks, but that number could treble as banks try to pin down a series of $10 million transfers since initiated by the gang.

The crooks used a form of malware dubbed Carbanak, which provided access to bank networks and allowed the gang to overcome internal checks and balances by monitoring bank procedures via video surveillance and keystroke logging.

In some instances, actual customer accounts were artificially inflated and large sums transferred to bogus accounts, while in others the money was dispensed at pre-set times and destinations through cash machines under the control of the hackers.

Comments: (2)

A Finextra member
A Finextra member 17 February, 2015, 23:40Be the first to give this comment the thumbs up 0 likes

Cyber Risks do exist for a long time but in recent years there has been a transformation (from PC to mobile & in the nature of attacks) and the losses reached a level that it can not be tolerated. Clients or Users used to be main target (or weakest link of the chain) but this started to change - now corporations & banks became the core targets - as they have something very valuable called DATA. Digital is the future and cyber crime should not overshadow this. As banker and security specialist I am very disturbed with all these recent digital crime news and prepared a presentation to explain the story from banking perspective. If you would like to see it, it can be accessed at:

I personally believe that every useful information should be shared and it is everyone's right to know how to protect themselves online. I hope you like and find it useful. If so all the effort and time I spent worth it.

Best regards.

Ed Daniel
Ed Daniel - - Europe 18 February, 2015, 05:08Be the first to give this comment the thumbs up 0 likes

I think an appropriate analogy one might care to use could be taken from history... back when we had bank heists one of the key advantages was a) surprise (no change there) and b) speed of getaway.

Lets look at b) first... banks are so slow when it comes to security hardening it's become a farce, when you compare the speed of modern ecommerce sites under a devops culture that can roll out new code across clusters of production servers worldwide effortlessly you get to see why banks are at the mercy of their legacy investments.

In terms of a) you need to check how many banks actually operate real CERT teams rather than pass the buck and outsource this to 3rd parties. More so, the fact they are so used to 'not sharing' they are making the job even easier for criminals by not pooling the knowledge of shared logs to help identify potential APTs.

They have only themselves to blame, though as one person once reminded me regarding the InfoSec challenges in the porn industry with content leakage, they're making so much money they don't really care that much.

This is just brand damage and they will suffer dearly as more innovative bankers launch banks with technology that is up to date and benefitting from the fastest possible managmement and maintenance stragegies possible. Tomorrow, when you choose your bank you will also be choosing your technology as well, you just don't realise it yet.

A good start would be to send all the infra teams to a DevOpsDays conference, a cheap and worthwhile investment to help them 'get' what it means to do configuration management a la InfoSec in today's world. I'd also highly recommend Kris Buytaert and Martin Simons amongst others in our (DevOps) community who have already been advising banks ready to listen and evolve their antiquated practices.