PRIMER: banks and cyber security (part 2)

Author: Amélie Labbé | Published: 9 Mar 2018

Have there been any recent developments affecting financial services firms' cyber security efforts since the publication of the primer on February 8?

The US Securities and Exchange Commission released guidance on February 21 outlining what kind of information public companies need to disclose when it comes to cyber security risks and breaches. It supplements and updates initial guidance released in October 2011.

Companies may have to disclose cyber security risks and vulnerabilities even where no attack has yet occurred, in effect creating a new compulsory disclosure category. The new guidance also reminds companies that directors, officers and other insiders must not trade in the firm's securities while in possession of material non-public information about cyber security incidents. The SEC encouraged companies to consider adopting specific policies restricting executive trading in shares while a hack is being investigated and before it is disclosed.

A number of Democratic commissioners have criticised the guidance, saying it does not go far enough. Commissioner Kara Stein said it could "provide investors a false sense of comfort that we, at the Commission, have done something more than we have".

"Overall, the guidance is likely to be viewed as helpful, but disappointing for those who wanted more consequences and more teeth to the obligation to report," noted a US-based lawyer.

In the EU, things are moving more slowly. Cyber security is an integral part of the bloc's Fintech Action Plan, released in March 2018. The EU Commission is also expected to set up an expert group by mid-2019 to assess the resilience of the EU financial services regulatory framework when it comes to technologies such as distributed ledger, cloud and artificial intelligence.

Are there still specific areas where banks are vulnerable when it comes to cyber threats?

According to Joe Nocera, PwC US' cybersecurity and privacy financial services industry leader, as companies continue to move towards greater digitisation and innovation (especially when it comes to cloud and data analytics capabilities), they also increase their attack surface and the number of points of potential vulnerability.

"Supply chain risk continues to be a challenge as banks increasingly rely on third party providers and can be exposed to vulnerabilities in their software and hardware," he said.

Another factor that leaves financial institutions exposed to cyber security risk is human error rather than system vulnerability. "This particular aspect of cybercrime makes it difficult to control," said Richard Breavington, partner at RPC.

Official data provides insight into why computer crime is so difficult to identify and ultimately to prosecute. There were 57 prosecutions under the Computer Misuse Act in 2016, even though over 1.2 million instances of cybercrime were reported. When it comes to data protection, the situation is similar: only 17 fines were issued for breaches in 2016, out of several thousand notifications sent. The application of the General Data Protection Regulation (GDPR) from May 25 2018 is however expected to change this, as it introduces more severe penalties for misuse of personal data.

Andrew Moir, global head of Herbert Smith Freehills’ cyber security practice, said there will always be specific areas where banks are vulnerable in relation to cyber threats.

"It’s not because they are doing anything wrong in relation to cyber resilience, but because the threat is continually evolving," he said.

Some of the most significant threats that banks face at the moment come from nation state-backed actors such as North Korea, whose hackers are now looking to raise money as sanctions tighten. It was reported that North Korean government-backed hackers targeted South Korean cryptocurrency exchange customers using security flaws in software and spear phishing attacks.

"There are also threats from organised crime, such as so-called jackpotting malware-as-a-service which is capable of emptying ATMs, or through exploiting previous data breaches such as Equifax to facilitate secondary fraud," he said.

Are smaller banks more vulnerable than their larger counterparts?

Different security standards are appropriate for different institutions. IFLR reported recently that when it comes to GDPR, smaller companies still have a way to go before they are fully compliant. EMEA reporter Olly Jackson wrote that those firms that do not have the necessary internal resources, or a budget large enough to hire more internal support, have realised that compliance will be tough. A February survey by the Federation of Small Businesses found that less than 10% of small businesses have completed preparations for GDPR and a third have not even started preparing.

"Getting your security up to scratch can be very expensive," said Breavington. "The difficulty is finding out what level is proportionate to the threats that the organisation faces, training the staff, implementing the systems etc – some firms don't have the same level of resources to throw at these issues as their larger counterparts may do."

Click here for part 1

Please click here for IFLR’s Primer series

See also

IFLR March 2018 cover story: Waking up and cracking down

China’s new cyber law worries market

NYC’s cyber security rules raise concern
