Fiona van Echelpoel, deputy director general, ECB, explains to the panel titled ‘Covid-19: Open-season for cyber hackers?’ that as characterised in a recent ECB report, cyber risk bears three key features that when combined, are fundamentally different from other sources of operational risk.

First, the speed of propagation of cyber incidents means there is a potential to infiltrate the financial system at a much faster pace than other risks. Second, the scale of propagation of cyber incidents is a key feature as attacks and attackers are not constrained by geographical boundaries. Third, the intent of threat actors has the potential to vary greatly.

The fact that the financial sector is reaching unprecedented levels of digitalisation - particularly because of Covid-19 pressures means that the risks as outlined by the ECB above are only being exacerbated and in greater need of attention.

Mike Brookes, head of cyber intelligence, Barclays, speaks to the issue of having to learn to reduce risk as an organisation when the entire workforce is not in the same room. He explains that a trend that has clearly emerged during the crisis is that of attackers targeting third parties across the Barclays supply chain and shifting to a “big game hunting” style of ransomware.

At the Bank of England, Jonathan Pagett, acting CISO observes that while the central bank already had strong remote access solutions in place including soft laptops or phones, the challenge has been a shift in reliance on those core systems. Naturally, given the much greater reliance on this infrastructure the bank has been obliged to enhance monitoring for disruptive attacks to these core systems as the impact of a failure can be debilitating in this context.

On a particularly worrying note, Pagett adds that there is the potential for an erosion of strong security culture whereby established systems and protocols may not be adhered to as they should, now that people are working remotely.

He mentions the risk of people using unsanctioned shadow IT and raises the concern that people who are typically used to working in secure environments may become too comfortable at home and apathetic to the awareness and caution needed when managing highly sensitive information.

Where are the vulnerabilities?

Echelpoel notes that while financial management institutions have been able to pivot to the new mode of remote work at a large scale, the cyber security risk profile of these firms has altered quite dramatically.

Naturally, exposure for attack has increased given the greater device and system surface areas, but it is the idea that these attacks have evolved into more sophisticated threats which is of concern.

Wendi Whitmore, vice president of IBM X-Force Threat Intelligence, IBM, explains that between March and April this year they saw a 6,000% increase in spam attacks using phishing lures related to Covid-19 content. Since May however, there has been a significant shift in two areas.

First, toward theft of intellectual property within the supply chain of organisations working on a Covid-19 vaccine or research and second, toward large-scale ransomware attacks particularly targeting critical infrastructure and financial services, such as that which (temporarily) brought down the New Zealand Stock Exchange.

This professionalisation of cyber-crime, or as Whitmore helpfully puts it (in fintech-speak) “Ransomware-as-a-Service” is also just a reflection of the progress and innovation financial services is making in its own right. A bittersweet reality we must face is that as the industry rapidly evolves, crime has to work in lockstep to match the innovation of the market.