The threat of a cyber attack has moved up the agenda at financial institutions (FIs) after a number of high profile attacks involving data breaches, ransom demands, distributed denial of service (DDoS) attacks and other hacks. Examples include the Carbanak gang that stole $1bn from 100 banks across 30 countries and the JP Morgan Chase data breach in the US and the latest $101m Bangladesh incident.
This report examines best practices for managing the risks of cyber attacks, the threat vectors as technology advances, and what FIs can do to protect themselves and their supply chain partners. Expenditure trends, and the regulatory, reputational and technology drivers are examined. Chartis gathered feedback from 105 institutions, involving 32 qualitative face-to-face interviews with FIs and vendors, and 73 participants in the Chartis Cyber Risk Management Global Survey. Conclusions include:
- The regulators are closing in. Cyber security has been embedded in regulations for years, but there is an increasing focus on more specific compliance requirements. Some of these regulations carry potentially firm-destroying consequences, such as the European General Data Protection regulation in which firms may be penalized 4% of global turnover for non-compliance. In addition, more firms outside of financial services are being fined for cyber breaches or security failures, from telecom companies to hotel chains. FIs have escaped significant regulatory censure thus far, but when the precedent for fining FIs for breaches is established, the floodgates will open.
- With respect to breaches, the question is not “if” but “when.” Only a small minority (5%) of respondents reported a decrease in cyber security incidents last year. 37% reported a double figure increase, with 11% experiencing a rise of between 25-50%. Beyond this, the delivery vectors for cyber crime have increased with mobile and online banking, and soon the “internet of things.” In addition, there is an increasing commoditization of cyber crime tools in the black markets, and emerging complex persistent threats from organized crime and nation states. Firms expecting that they will not be breached are not merely optimistic, but unrealistic.
- Investment is increasing. 68% of respondents report a double figure increase in cyber risk management expenditure for 2015-16. 24% are increasing their budget by 15% or more. The cyber risk management technology market for financial services is now worth $1.9bn. Cyber risk management is the fastest growing segment in the financial crime risk management (FCRM) technology sector.
- Cyber security is not enough. High expenditure is being driven by more investment in technology and staff as FIs seek to protect their intellectual property (IP), data, customers, systems and ecosystems. However, expenditure is frequently tactical, and aligned to a mixture of external standards and siloed internal functions.
- Firms should begin the move from cyber security to cyber risk management. It is no longer enough to only try to protect assets, and potential breaches must be analyzed within the context of both probability and impact. Thus, cyber security should be established as a tactical subset of an enterprise-wide strategic risk management framework. Key to this is the quantification of cyber risks.
The quantification of cyber risks can inform capital allocations and enable insurance against cyber attacks, as well as providing justifications for business decisions to the regulators who will increasingly be testing and fining firms. However, this is one of the final goals in a journey which most FIs are barely starting. Low-hanging fruit at the start of the journey include establishing clear lines of communication between chief risk officers (CROs) and those who have the responsibility for cyber security such as the Chief Information Officer (CIO) and Chief Security Officer (CSO), and establishing processes for delivering cyber security information (numbers of breaches, specific vulnerabilities) up to the board level.