The Cyber Threat Has Changed. Have Banks?

An article in Tech Monitor warns that the cyberattack “threat environment has changed rapidly in recent years” and many banks may not be appropriately prepared. Rogue nations and “cybercrime cartels” are increasingly sophisticated and “on the lookout for juicy targets,” the piece says. And banks fit the bill.

Buck Rogers, the former chief information security officer at the Bank of England, suggests governments should consider financial infrastructure “critical” and “approach it as we would gas and electric,” because if something goes seriously wrong it could sap confidence in the entire financial system.

But a recent IMF survey of 51 financial jurisdictions found more than half have no national cyber strategy for the financial sector. And 64% lack mandatory cybersecurity testing (or guidance on what banks should do if they are hacked).

Banks do their own stress testing for cyberattacks and are well aware of the risks. A Bank of England survey of banking executives showed that three quarters consider cyberattacks their top threat. But, Rogers says, some “executives don’t fully understand the advice they’re being given on how best to prevent them.”

Some takeaways from the story:

Stress test the right things. Many war games focus on the wrong kind of cyber threats, specifically denial-of-service attacks. That’s not enough anymore. The article warned of so-called watering hole attacks, where cyber crooks target specific groups of users by infecting websites they commonly visit.

Know your partners. Banks may need to pay more attention to potential threats posed by the systems they outsource to third parties. An attack on a managed service provider could “paralyze operations at multiple financial institutions overnight.” Third-party testing needs to reach “further down into the supply chain than ever before.”

Defend from within. Banks may no longer be able to assume they will be able to successfully defend themselves from all cyberattacks and keep all hackers out of their systems. “Intrusion suppression” should be a focus.

Talent is paramount. Security decisions should be made by security staffers. If the global IT security skills shortage makes it hard for banks to find the right internal personnel, “hire a managed detection and response firm specializing in financial cybersecurity.”

Want more content like this? Subscribe to the RMA Insider newsletter.