Riffing on the risks involved with thriving in a hyper-connected world, Sibos 2019 in London explores the dangers of cyber attacks and how they can have a contagion effect across broader financial systems and impact financial stability.
Opening the day’s sessions, Andrew Gray, group chief risk officer at DTCC, joined Dr Daniela Peterhoff, co-head of EMEA corporate and institutional banking and global head of market infrastructure at Oliver Wyman, on stage to discuss how critical financial infrastructures are preparing to respond and recover to strengthen industry-wide coordination.
Cyber risk is consistently ranked as the number one risk facing the global financial system and the nature of attacks is becoming increasingly sophisticated, despite a third of infiltrations being insider hacks, according to Dr Peterhoff.
She continues to say that the world is becoming more digitised, seamless and interconnected because the pace of innovation is becoming faster, but this and partnerships with fintechs mean that systems are more vulnerable to cyber threat. “New ways of handling data will further make a crucial development. The role of FMIs is evolving and they can contribute to reducing the impact on systems,” Dr Peterhoff says.
Gray adds that in Systemic Risk surveys DTCC have conducted, cyber risk has come out as a top five systemic risk seven out of nine times. “We are not going to change our focus, especially as the cost of cybercrime has increased by a factor of 10. It is more of an issue in financial services in comparison to other industries and this has increased because of the interconnected industry.”
He goes on to mention that the risk of propagation is higher because of technologies such as the cloud, API-based services, the Internet of Things, mobile technology and social media. “The risk of social media account takeover is much higher in financial services than in other industries. This trend will continue,” Gray says.
After Dame Stella Rimington, former director general of MI5, provided her view from the top, exploring how the process of a threat remains unchanged as people continue to be manipulated, the conversation turns to whether new business models have created a perfect cybersecurity storm.
Standard Chartered’s Cheri McGuire spoke a little on open banking and how these new environments have added new complexities, despite creating more opportunities. “There is an API issue around how we’re connecting to technology as it is still susceptible to the same attacks, so it is really even more critical that we have proper configurations.
“This also presents an opportunity for financial institutions, as well as tech providers and fintechs, to ensure we have the right standard in place to build in privacy and security when adopting APIs.” JP Morgan Chase’s JF Legault adds that whether APIs are mandated or implemented as part of voluntary partnerships, security with the third parties that have access must be maintained.
“Understanding the targets early on is important. There was an uptick in wholesale payment attacks in 2016 and how this was resolved was an increase in knowledge of how to prevent cyber attacks and then, building out a threat model. There should also be a solid understanding of the specific adversaries that would impact this process; we must look at the likelihoods and map them out against our existing controls,” he says.
Returning to the idea of cyber risks as serial killers, Microsoft’s Sian John MBE surmises that the implementation of emerging technology for financial crime prevention is almost always transferred on to on-premise systems, which is not consistent with the openness and attitude towards sharing and control that new financial entrants are operating with. “Financial services is the biggest place where we see this issue because of the industry’s maturity,” she says.
Later in the session, John also says that “proper threat management” must be put in place, such as two-factor authentication. “This is basic hygiene. Phishing will continue to happen because people will continue to click on links. It will always succeed because it’s social engineering created by people who know how to manipulate people,” she says, alluding to Dame Stella Rimington’s session.