What’s the scale of the
Banks make attractive targets for cyber criminals because
the bulk, if not all, of their activities – managing
flows of funds and related data – is carried out online. But
even though banks are some of the most regulated entities in
the world, not all of them are confident they would be able to
deal effectively with a breach and its long-term effects,
according to a study from Accenture.
"Cyber security has become a board level issue, which is
crucial," said Mark Camillo, head of cyber, EMEA at AIG. "But
even though banks are some of the most mature entities when it
comes to incident preparedness, and they have spent quite a bit
on this over the years, they are still susceptible to
No financial institution or region has been spared by
digital criminals, from Bangladesh Bank to JPMorgan, HSBC,
Ecuadorian Banco del Austro and South Korea’s
Shinhan Bank. At the end of January, Dutch banks ABN Amro and
ING fell victim to a distributed denial of service attack,
which overloaded their servers with traffic and
resulted in a temporary shutdown.
A few figures and facts show the scale of the issue:
- Over one-third of all cyber attacks have succeeded in
- Cybercrime is estimated to cost the financial sector $18
billion every year, ahead of energy ($17 billion) and
defence ($14 billion).
- JP Morgan, Bank of America, Citibank and Wells Fargo
spend a combined $1.5 billion on cyber defence every
Do banks have specific cyber security
Yes, but they are not set in stone. Only a few jurisdictions
have rules that concern banking cyber security specifically,
including Hong Kong, Singapore, the UK, the EU and the US
(including nearly 40 individual states). This is probably
because they are major global financial centres, with financial
institutions critical to the functioning and stability of the
According to Andrew Beckett, managing director and EMEA
leader for Kroll's cyber security and investigations
practice, banks need to understand the nuance of geographical
requirements, which can sometimes make compliance very
For instance, New York’s Department of
Financial Services (NYDFS) mandates the use of encryption and
multi-factor authentication, and the nomination of a chief
information security officer (CISO). In contrast, the General
Data Protection Regulation (GDPR) only asks businesses to
consider using these, and does not legally require the hire of
"One thing that is holding back big business is the lack of
coordination globally and ever-increasing standards," said
Beckett. "It's also a delicate balancing act:
businesses have to weigh up the cost of complying, the
potential fines and the loss of a business licence –
on a global scale – with the level of risk that they face."
For instance, banks in Singapore are expected to be subject
to a proposed new law that will require them to increase their
cyber defences, Monetary Authority of Singapore managing
director Ravi Menon
told the media in November. Singapore has also had a
Cybersecurity Bill in place since the summer of 2017, which
requires companies to notify regulators of any data breaches,
share threat and best practice information, and conduct
regular audits of their systems.
The EU’s 2016 Network and Information Security
Directive (NISD) also has a very general scope. Clearing houses
and banks officially fall within the definition of critical
infrastructure, though the UK has exempted them from complying
with NISD and will instead implement separate rules for them
ahead of the May 2018 implementation deadline. These will also
apply to banks and other financial services institutions.
The European Central Bank requires banks to submit cyber
threat data in real-time, and has been monitoring some of the
EU’s largest banks since 2016.
The US Framework for Improving Critical Infrastructure
Cybersecurity, developed by the National Institute of Standards
and Technology (NIST), encourages public sector bodies and private
sector companies to share details of threats and best
practices. The NYDFS has very similar rules in place for banks,
as does California.
One of the major issues with cyber security regulations
globally is that they lack a definition of what constitutes a
good level of preparedness, and of which systems and controls are
effective. The focus has historically been on best
"Because of the lack of prescriptive frameworks – threats
are so fast-evolving – banks tend to follow ISO standards
[ISO 27001 is the international standard for
best practice information security management systems] to
address cyber security," said Camillo.
Given how quickly digital threats evolve, this is
unsurprising, and each organisation has to determine its own risk
profile and take what it believes are the adequate steps.
But this can prove difficult. The UK government recognises
ISO 27001 as the best practice standard, and uses it as a
baseline for data protection. It does concede, however, that
additional controls are needed where a higher level of
security is required. In comparison, NIST uses 20 mandatory
controls as a best practice standard, which are similar to but
not the same as the UK's. NISD in the EU uses
What are Sheltered Harbour and Quantum
Because the digital landscape changes constantly –
as do the threats banks face – there is no single fail-proof
way of staying safe. Financial institutions have focused
on improving the market's resiliency and
readiness, with initiatives such as Quantum Dawn and Sheltered
Harbour. These have the backing of governments and defence
The first is a cyber war exercise which Sifma has held since
2011. In 2016, some 80 financial institutions took part in a
simulation to improve incident readiness in areas including
domain name hacks, customer data theft, malware in clearing
systems, loss of connection and ransomware.
Under the US Sheltered Harbour initiative, if a cyber attack
takes down a participating bank or clearing house, another
takes over. Customer and transaction data is saved and deployed
securely in a new duplicate financial institution.
"The coordination and information sharing that we have seen
around threat intelligence, sector-wide incident readiness and
systemic resiliency are all leading practices that other
industries could model," said Joe Nocera, PwC US cybersecurity
and privacy financial services industry leader.
Can banks be held accountable anyway?
Yes, they can. A number of regulations have implemented
fines and, in some cases, prison sentences for organisations
found to have insufficient processes in place to protect data
and/or systems, and have failed to report that a breach has
Under Singapore’s Cybersecurity Bill, any
organisation that doesn’t comply is liable to a
fine of up to $100,000 or a jail term of up to 10 years. The
UK is also contemplating penalties of up to £17 million
(around $24 million) or four percent of global turnover for
companies in essential services (which includes financial
services) in its own version of NISD. Covered entities under
the NYDFS Cybersecurity Regulations will also be subject to
But there is one piece of legislation that is putting
increasing pressure on financial services entities to comply:
the EU’s GDPR. This landmark legislation
introduces a fine of €20 million ($25 million) or four
percent of annual turnover for the most serious offences of
failing to comply with the data breach notification rules.
GDPR primer, last August, noted that these fines are much
larger than the £0.5 million penalty that the
UK's Information Commissioner's
Office (ICO) can currently impose. It is important
to remember that individual member states are required to
implement it nationally, which will inevitably lead to
different levels of compliance.
"Banks are worried about getting this wrong and
being hit with larger fines than we have seen recently,"
Simmons & Simmons partner Alex Brown told IFLR.
Part 2 of this Primer will focus on areas that banks
still need to improve on to be fully prepared for cyber