Cyber Risk in Banking Sector
Time to Scale up Cyber Security and Combat Cyber Challenges
The banking industry is witnessing a paradigm shift in the way customers interact and transact with their bank, driven by the increasing digitalization of processes and the proliferation of digital channels such as internet, mobile and social media. As technological improvement brings promise and enthusiasm to the banking industry, it many times also brings new opportunities for cyber fraudsters and hackers. Cyber attacks against the financial system are becoming more frequent, more sophisticated and more widespread, and therefore unpredictable, and are also here to stay. The techniques and technologies used by cyber criminals to target sensitive and confidential banking information are refined and continuously changing. Higher risks of cyber attacks can translate into financial implications via fraud, penalties and litigation costs, and repercussions in the form of reputational damage and loss of customers’ trust. When the attack severity increases, it may be likely that only a resilient and flexible cyber security model can prepare financial services companies to survive the inevitable cyber risks. In June 2016, RBI mandated all banks to immediately put in place a cyber security policy/resilience framework elucidating the strategy containing an appropriate approach to combat cyber threats, given the level of complexity of business and acceptable levels of risk, and to ensure adequate cyber security preparedness on a continual basis. RBI points out that the number, frequency, and impact of cyber incidents on Indian banks have increased substantially. Information technology (IT) is now part of banks’ operational strategies, essential for both them and their customers. Like their peers globally, Indian banks are committed to maintaining customer trust, protecting financial assets, and preserving their own brand and reputation, as the industry will remain a top target of cybercriminals using increasingly sophisticated methods.
Thus, it is urgent that banks continue to improve their cyber defenses. The present RBI mandate is considered timely and essential. This article covers the cyber threat landscape, cyber attack and resilience trends, RBI’s Cyber Security Frameworks, and banks’ urgent need to put in place a cyber security policy/resilience framework.
Cyber Threat Landscape
A cyber attack is any type of offensive maneuver employed by individuals or whole organizations that targets computer information systems, infrastructures, computer networks, and/or personal computer devices by various means of malicious acts, usually originating from an anonymous source, that either steals, alters, or destroys a specified target by hacking into a susceptible system. This access can be directed from within an organization by trusted users or from remote locations by unknown persons using the Internet. Over the past several years, cyber threats have emerged as a growing systemic risk to the banking sector. There are a number of reasons for this:
(i) the role of technology in the provision of financial services has deepened;
(ii) the degree of interdependency and interconnectedness between operators in financial markets is very high and growing; and
(iii) both attackers and their motivations have become more diverse, bringing fresh threats from unexpected sources.
Cyber attackers now include “hacktivists”, who seek merely to disrupt activity; cyber criminals motivated by financial gain; terrorists aiming to cause political and financial instability; and nation state-related actors attempting to interfere with or gain access to sensitive information, or to cause systemic instability. The biggest challenge in achieving cyber resilience is managing these complexities and interdependencies by proactively addressing failures, adopting effective resilience techniques, and resolving problems through cooperation. It is a risk that is not exclusive in who, what or where it targets.
a) It is a risk that is difficult to clearly define.
b) It is a risk that is constantly evolving.
c) It is a risk that is not limited to one source.
d) It is a risk that is faced by every single financial firm, regardless of size or complexity.
In today’s world, both technologies and threats are evolving. Leveraging new channels of communication is important to better serve customers, but keeping pace with emerging technologies and their associated threats is also a key challenge. Mobile devices and applications are primary examples of the balance between greater efficiency and new kinds of cyber risks. The cyber threat landscape is widening day by day and is constantly changing, which makes staying even with or ahead of the learning curve difficult.
Nature of cyber crime
1) There are organised criminals who are looking to attack financial institutions with a view to siphoning away funds illegally.
2) There are criminals who steal confidential data from financial institutions, which may also include customer-related information, and defraud the banks directly or by enticing customers to share more information such as passwords and PINs, whereafter the actual loss takes place.
3) A variation of these attacks is to masquerade as bank officials and extract information from customers, based on random calls to phone numbers obtained from various sources, or even by blind trials in which at least a few attempts succeed.
4) There are other cyber criminals who steal money by putting through fraudulent transactions, or changing the particulars, so that they are able to take large sums away and vanish. In such cases, the customer may not be directly contacted, but his particulars are taken through malware or other means.
5) Yet another vicious form of cyber attack is what is categorised as cyber warfare: organised attacks, sometimes with the backing of large terrorist organisations and often with covert state sponsorship, made against an enemy country’s information assets.
The differing nature of cyber crimes naturally requires responses which are designed to fight each type of threat, with specifically designed tools and practices. Banks are expected to be well prepared to face emerging cyber threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks. Among other things, banks are expected to take necessary preventive and corrective measures in addressing various types of cyber threats including, but not limited to, denial of service, distributed denial of service (DDoS), botnets, ransom-ware / crypto ware, malware, mobile malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity theft and identity frauds, memory update frauds, password related frauds, etc.
Cyber Attack Trends
Cyber attacks around the world are occurring at a greater frequency and intensity. Not only individuals but also businesses and governments are being targeted. The profile and motivation of cyber attackers are fast changing. In recent years, the financial world has been stunned by major cyber attacks on banks. Some of the recent cyber incidents pertaining to the financial world are enumerated hereunder:
a) In late 2015, Vietnam’s Tien Phong Bank intercepted an attempt to use fraudulent messages to initiate transfers via SWIFT, the same method later employed in the Bangladesh Bank case.
b) Then, in January 2016, Ecuador’s Banco del Austro SA sent messages over the SWIFT system instructing Wells Fargo & Co to transfer US$12 million; according to Reuters, the bank now believes the transfers were the work of cybercriminals.
c) In the next month, February 2016, the hackers struck at Bangladesh Bank. They targeted a customized software, a programme that acts as a liaison between a bank’s systems and the central SWIFT infrastructure. Cyber thieves had issued instructions to transfer US$951 million out of Bangladesh Bank’s account at the New York Federal Reserve. Most were declined, but the attackers could successfully get away with US$81 million.
d) On 2 August 2016, Bitfinex, a Hong Kong exchange for the trading of digital currencies, announced that some of its customer accounts were hacked and bitcoins stolen. The value of the stolen bitcoins has been reported to be approximately US$65 million or more. As a consequence, the value of bitcoins came down and trust in the digital currency was shaken.
e) In January 2016, Europe’s largest financial lender HSBC suffered a DDoS attack, leaving several banking customers unable to access their accounts. The attack took place on Friday, January 29, and services were restored on January 30.
f) Recently, in India too, a similar attempt was made on a commercial bank by generating fraudulent payment instructions on the Nostro accounts and transmitting them over the SWIFT messaging system. Though monetary loss could be prevented with proactive follow-up with the concerned paying / intermediary banks, the incident has reinforced the fact that the various stakeholders have not learnt the lessons yet. Banks have also come across instances of fraudulent messages confirming documentary credits being transmitted using SWIFT infrastructure.
g) In another incident involving the shared mobile wallet of a bank, vulnerabilities were observed in the application itself which led to exploitation by the attackers. The originator of the transfer could get the amount reversed back to him without a corresponding debit in the recipient’s account in a large number of transactions, amounting to 12 crore. The bank was not performing any real-time reconciliation and noticed it only when there was a spike in transactions, which led to detection during reconciliation. The vulnerabilities exploited in the incident could have been averted had the launch of the product not been rushed through.
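The reconciliation control missing in incident (g) can be sketched as follows. This is an added example, not code from the bank or from any source cited in this article; the ledger layout, field names and sample postings are assumptions constructed for illustration. It checks every wallet transfer for balanced postings and flags any reversal credit that has no matching debit on the recipient's side.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

ZERO = Decimal(0)


@dataclass(frozen=True)
class Leg:
    """One ledger posting. Field names are assumptions made for this example."""
    transfer_id: str  # id of the original wallet transfer the posting belongs to
    kind: str         # "TRANSFER" or "REVERSAL"
    account: str
    direction: str    # "DEBIT" or "CREDIT"
    amount: Decimal


def _group(legs):
    """Bucket postings by the transfer they belong to."""
    by_transfer = defaultdict(list)
    for leg in legs:
        by_transfer[leg.transfer_id].append(leg)
    return by_transfer


def _total(group, kind, direction):
    """Sum the amounts of one kind and direction within a single transfer."""
    return sum((l.amount for l in group
                if l.kind == kind and l.direction == direction), ZERO)


def reconcile(legs):
    """Return {transfer_id: [finding, ...]} for transfers that break double entry."""
    findings = {}
    for tid, group in _group(legs).items():
        issues = []
        # Every credit must be backed by an equal debit, for both posting kinds.
        for kind in ("TRANSFER", "REVERSAL"):
            debits = _total(group, kind, "DEBIT")
            credits = _total(group, kind, "CREDIT")
            if debits != credits:
                issues.append(f"{kind}: credits {credits} vs debits {debits}")
        # A transfer can never be reversed for more than was originally moved.
        original = _total(group, "TRANSFER", "CREDIT")
        reversed_ = _total(group, "REVERSAL", "CREDIT")
        if reversed_ > original:
            issues.append(f"REVERSAL: reversed {reversed_} exceeds original {original}")
        if issues:
            findings[tid] = issues
    return findings


def unbacked_credit(legs):
    """Total value credited back to originators with no debit on the recipient."""
    total = ZERO
    for group in _group(legs).values():
        gap = _total(group, "REVERSAL", "CREDIT") - _total(group, "REVERSAL", "DEBIT")
        if gap > ZERO:
            total += gap
    return total


def _pair(tid, kind, debit_acct, credit_acct, amount):
    """Build the balanced debit/credit pair a correct posting produces."""
    amt = Decimal(amount)
    return [Leg(tid, kind, debit_acct, "DEBIT", amt),
            Leg(tid, kind, credit_acct, "CREDIT", amt)]


# Constructed sample ledger (not real data).
SAMPLE_LEGS = (
    _pair("T1", "TRANSFER", "W-A", "W-B", "500")       # normal transfer
    + _pair("T2", "TRANSFER", "W-A", "W-B", "1200")    # transfer ...
    + _pair("T2", "REVERSAL", "W-B", "W-A", "1200")    # ... correctly reversed
    + _pair("T3", "TRANSFER", "W-C", "W-D", "900")
    + [Leg("T3", "REVERSAL", "W-C", "CREDIT", Decimal("900"))]  # no debit on W-D
    + _pair("T4", "TRANSFER", "W-E", "W-F", "300")
    + _pair("T4", "REVERSAL", "W-F", "W-E", "300") * 2  # reversed twice
)

if __name__ == "__main__":
    for tid, issues in reconcile(SAMPLE_LEGS).items():
        print(tid, issues)
    print("unbacked credit:", unbacked_credit(SAMPLE_LEGS))
```

Run against each posting batch as it arrives, the same check surfaces the first unbacked reversal rather than waiting for a spike in volume.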
A report by McAfee projects that the total global cost of business-targeted cybercrime in 2015 would be US$445 billion. This number is expected to grow to US$2 trillion in 2019. In India too, cyber crime incidents are on the rise. As per an ASSOCHAM-PwC joint study, in India there has been a surge of approximately 350% in cybercrime cases registered under the IT Act, 2000 from the year 2011 to 2014. The Indian Computer Emergency Response Team (CERT-In) has also reported a surge in the number of incidents handled by it, with close to 50,000 security incidents in 2015. Of course, there is no question cyber attacks are on the rise, but what is changing dramatically are the types of attacks and the targets bold fraudsters are focusing on, which means businesses and consumers alike will encounter some surprising additions to the cyber risk landscape in the immediate future. Certain future cyber security trends reaching critical mass are discussed hereunder:
Hackers will increasingly target cloud providers
Because more data is shifting outside of enterprises into clouds, growing attempts from cyber criminals to gain direct access to that information can be seen from 2016, and the banking sector will continue to see a rise in cyber attacks. The significant difference from previous years, however, will be the types of attacks and the targets that cyber criminals zero in on. That distinction will be primarily due to a massive jump in the migration to mobile and cloud computing.
Mobile malware and malvertising will cause mayhem.
With more and more services and advertising moving from the desktop to mobile devices, this year will see a massive increase in the frequency of malvertising—the practice of injecting malicious advertisements into legitimate online advertising networks. These and other types of mobile breaches have prompted an overwhelming majority of cyber experts (87 percent) to speculate that mobile payment data breaches will increase over the next 12 months.
Millennials will take a closer look at privacy.
Millennials have traditionally valued privacy less than other age groups, but recent surveys reveal a shift in that generation’s thinking. The change has been spurred by the large number of high-visibility hacks that have exposed the personal data of millions in 2015, as well as Millennials’ high use of non-traditional Internet of things (IoT) devices that are more abundant and more vulnerable to security risks than other devices. These factors will prompt many Millennials to be more proactive with app providers and other businesses to make sure that their private information stays private.
Cyber-extortion will hit wearables, medical devices and gaming systems.
B2B use of the IoT will more than quadruple by 2020, when the worldwide total of connected devices is expected to reach or exceed 26 billion. That means wearables, medical devices, clinical systems, gaming systems, smart home devices and others may be increasingly vulnerable to security risks. Nearly three quarters of IT professionals believe the likelihood of an organization being hacked via an IoT device is medium or high, according to ISACA’s “IT Risk/Reward Barometer” study. Specifically, IoT devices are a convenient target for fraudsters, especially those attempting ransomware (a type of malware that denies access to the victim’s computer and data until the hacker is paid). Since 2012, the number of victimized companies, most of them small businesses, agreeing to make ransomware payments has increased from 2.9 percent to 41 percent.
Cybersecurity will be the “It” job of IT.
A significant threat to national and global economic security is the shortage of cyber-security experts, a gap that will continue to stifle Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) in 2016. More than half of the global cyber-security professionals surveyed by ISACA and the RSA Conference reported that less than a quarter of job applicants are qualified for the cyber-security positions they were seeking.
Cyber Resilience Trends
Globally, the focus has now shifted to cyber security. Cyber security is no longer an isolated issue affecting one industry / one country. Several cyber-attacks in recent times have been designed to achieve political / religious objectives as well as to secure funds for promoting terrorism. This has assumed frightening dimensions as it has an important bearing on financial stability. The importance accorded to the issue can be gauged from the fact that global standard setting bodies as well as reputed central banks have been committing extremely large resources to address this menace. Several countries have taken steps to improve their cyber resilience; these are highlighted hereunder:
a) Some organizations, such as the European Central Bank (ECB), have already responded to the attacks in Ecuador, Vietnam, and Bangladesh. Banks in the Eurozone will be obliged to notify the ECB about “significant” cyber-attacks. The notifications will be sent through a real-time alert system. The ECB will examine the notifications and provide the banks in the Eurozone with information on how to avoid information security breaches. The ECB may also share the collected data with other central banks, such as the US Federal Reserve and the Bank of England, for protecting global banking networks in the future.
b) The Committee on Payments and Market Infrastructures and the Board of the International Organization of Securities Commissions (IOSCO) issued Guidance on cyber resilience for financial market infrastructures in June 2016 after consultation with stakeholders.
c) The Financial Policy Committee (FPC) of the Bank of England launched the CBEST initiative – a Vulnerability Testing Framework. Following their meeting in June 2013, the FPC issued a recommendation requesting that Her Majesty’s Treasury and the regulators work with the core of the UK financial system and its infrastructure to put in place a programme of work to improve and test resilience to cyber-attack. The committee also noted it was important that boards of financial firms and infrastructure providers recognised their responsibility for responding to those attacks.
d) Recently, in May 2016, the Hong Kong Monetary Authority launched a Cybersecurity Fortification Initiative (CFI). The CFI mainly comprises the following three pillars:
(i) Cyber Resilience Assessment Framework;
(ii) Professional Development Programme; and
(iii) Cyber Intelligence Sharing Platform.
e) In India too, the Government and RBI have been working on strengthening the defence against cybercrimes. The Government of India has taken several steps to tackle the menace of cyber-attacks and important institutional arrangements have been made. The Indian Computer Emergency Response Team (CERT-In) has been established, which monitors Indian cyberspace and coordinates alerts and warnings of imminent attacks and detection of malicious attacks among public and private cyber users and organisations in the country. Banks / Financial Institutions have been identified as critical infrastructure for the purpose. A National Cyber Coordination Centre has also been established. CERT-In has also come out with a National Cyber Crisis Management Plan and a Cyber Security Assessment Framework.
f) RBI has set up an Expert Panel on IT Examination and Cyber Security, drawing representatives from the industry as members. The Panel is providing assistance in IT examination / cyber security initiatives of banks, reviewing examination reports and suggesting actionable items.
g) RBI also launched a detailed IT examination programme in October 2015. This is proposed to be extended to more than 30 major banks during 2016-17 and to cover all banks by 2017-18.
h) RBI also proposes to set up a Cyber Security Lab, which will assist IT examiners in conducting analysis of cyber security of banks. RBI is also in the process of operationalizing its IT subsidiary, viz. the Reserve Bank Information Technology (ReBIT) Pvt Ltd. The mandate for ReBIT, among others, is to focus on issues around IT systems and cyber security (including related research) of the financial sector and to also assist in the audit and assessment of the entities regulated by the Reserve Bank.
i) RBI recently, on June 2, 2016, issued instructions on the cyber security framework in banks. Among others, the circular expects banks to put in place a board approved cyber-security policy, to prepare a cyber-crisis management plan, to make arrangements for continuous surveillance, to reckon the security aspects while procuring / connecting / implementing hardware, software, network devices etc., to ensure protection of consumer information, to share unusual cyber security incidents with RBI, to assess the gaps in cyber security preparedness on the basis of baseline requirements articulated in the circular and to set up a Cyber Security Operations Centre.
RBI’s Cyber Security Frameworks
The Reserve Bank of India, in its recent communication to banks in India, pointed out that the number, frequency and impact of cyber incidents/attacks have increased manifold, underlining the urgent need to put in place a robust cyber security/resilience framework in banks and to ensure adequate cyber security preparedness among banks on a continuous basis. In June 2016, RBI mandated all banks to immediately put in place a cyber security policy/resilience framework elucidating the strategy containing an appropriate approach to combat cyber threats given the level of complexity of business and acceptable levels of risk, duly approved by their Board. Banks have to send a confirmation in this regard to RBI at the earliest, and in any case not later than September 30, 2016. As per the guidelines, banks are required to ensure that the strategy deals with the following broad aspects:
Cyber Security Policy to be distinct from the broader IT policy / IS Security Policy of a bank
In order to address the need for the entire bank to contribute to a cyber-safe environment, the Cyber Security Policy should be distinct and separate from the broader IT policy / IS Security policy so that it can highlight the risks from cyber threats and the measures to address / mitigate these risks. The size, systems, technological complexity, digital products, stakeholders and threat perception vary from bank to bank and hence it is important to identify the inherent risks and the controls in place to adopt an appropriate cyber-security framework. While identifying and assessing the inherent risks, banks are required to reckon the technologies adopted, alignment with business and regulatory requirements, connections established, delivery channels, online / mobile products, technology services, organisational culture and internal & external threats. While evaluating the controls, Board oversight, policies, processes, cyber risk management architecture including experienced and qualified resources, training and culture, threat intelligence gathering arrangements, monitoring and analysing the threat intelligence received vis-à-vis the situation obtaining in banks, information sharing arrangements among peer banks, with IDRBT/RBI/CERT-In, preventive, detective and corrective cyber security controls, vendor management and incident management & response are to be outlined.
Cyber-security awareness among stakeholders / Top Management / Board
Managing cyber risk requires the commitment of the entire organization to create a cyber-safe environment. This will require a high level of awareness among staff at all levels. Banks need to proactively promote, among their customers, vendors, service providers and other relevant stakeholders, an understanding of the bank’s cyber resilience objectives, and require and ensure appropriate action to support their synchronised implementation and testing. Awareness among stakeholders, including customers, employees, partners and vendors, about the potential impact of cyber-attacks helps in the cyber-security preparedness of banks. Banks are required to take suitable steps in building this awareness. Concurrently, there is an urgent need to bring the Board of Directors and Top Management in banks up to speed on cyber-security related aspects, where necessary.
IT architecture should be conducive to security
The IT architecture should be designed in such a manner that it takes care of facilitating the security measures to be in place at all times. The same needs to be reviewed by the IT Sub Committee of the Board and upgraded, if required, as per their risk assessment in a phased manner. The risk cost/potential cost trade off decisions which a bank may take should be recorded in writing to enable an appropriate supervisory assessment subsequently.
Arrangement for continuous surveillance
Testing for vulnerabilities at reasonable intervals of time is very important. The nature of cyber-attacks is such that they can occur at any time and in a manner that may not have been anticipated. Hence, it is mandated that a SOC (Security Operations Centre) be set up at the earliest, if not yet done. It is also essential that this Centre ensures continuous surveillance and keeps itself regularly updated on the latest nature of emerging cyber threats.
Comprehensively address network and database security
Recent incidents have highlighted the need to thoroughly review network security in every bank. In addition, it has been observed that many times connections to networks/databases are allowed for a specified period of time to facilitate some business or operational requirement. However, these do not get closed due to oversight, making the network/database vulnerable to cyber-attacks. It is essential that unauthorized access to networks and databases is not allowed and, wherever access is permitted, it is through well-defined processes which are invariably followed. Responsibility over such networks and databases should be clearly elucidated and should invariably rest with the officials of the bank.
Ensuring Protection of customer information
Banks depend on technology very heavily, not only for their smooth functioning but also for providing cutting-edge digital products to their consumers, and in the process collect various personal and sensitive information. Banks, as owners of such data, should take appropriate steps in preserving the Confidentiality, Integrity and Availability of the same, irrespective of whether the data is stored/in transit within themselves or with customers or with third party vendors; the confidentiality of such custodial information should not be compromised in any situation and to this end, suitable systems and processes across the data/information lifecycle need to be put in place by banks.
Cyber Crisis Management Plan
A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy. CCMP should address the following four aspects: (i) Detection (ii) Response (iii) Recovery and (iv) Containment. Banks need to take effective measures to prevent cyber-attacks and to promptly detect any cyber-intrusions so as to respond / recover / contain the fall out.
Cyber security preparedness indicators
The adequacy of and adherence to cyber resilience framework should be assessed and measured through development of indicators to assess the level of risk/preparedness. These indicators should be used for comprehensive testing through independent compliance checks and audits carried out by qualified and competent professionals. The awareness among the stakeholders including employees may also form a part of this assessment.
Sharing of information on cyber-security incidents with RBI
RBI observed that banks are hesitant to share cyber-incidents faced by them. However, the experience gained globally indicates that collaboration among entities in sharing the cyber-incidents and the best practices would facilitate timely measures in containing cyber-risks. It is reiterated that banks need to report all unusual cyber-security incidents whether they were successful or were attempts which did not fructify to RBI. Banks are also encouraged to actively participate in the activities of their CISO’s Forum coordinated by IDRBT and promptly report the incidents to Indian Banks – Center for Analysis of Risks and Threats (IB-CART) set up by IDRBT. Such collaborative efforts will help the banks in obtaining collective threat intelligence, timely alerts and adopting proactive cyber security measures.
Supervisory Reporting framework
It has been decided to collect both summary level information as well as details on information security incidents including cyber-incidents. Banks are required to report the incidents promptly, in the prescribed format.
An immediate assessment of gaps in preparedness to be reported to RBI
The material gaps in controls may be identified early and appropriate remedial action under the active guidance and oversight of the IT Sub Committee of the Board as well as by the Board may be initiated immediately. The identified gaps, proposed measures/controls and their expected effectiveness, milestones with timelines for implementing the proposed controls/measures and measurement criteria for assessing their effectiveness including the risk assessment and risk management methodology followed by the bank/proposed by the bank, as per their self-assessment, may be submitted to the Cyber Security and Information Technology Examination (CSITE) Cell of Department of Banking Supervision, Central Office not later than July 31, 2016 by the CISO.
Banks should review the organisational arrangements so that the security concerns are appreciated, receive adequate attention and get escalated to appropriate levels in the hierarchy to enable quick action.
The guidance’s baseline cyber security and resilience requirements are helpful. They include recommendations to meet many of the goals laid out above, such as a requirement to have advanced real time threat defense and management. However, as RBI notes, the list is indicative and not exhaustive. As they seek to manage their ever evolving risks, it is critical that banks retain the flexibility to ascertain and deploy the most advanced technologies and processes to ensure the best possible protection of client data and financial assets.
Over the years cybercrime has grown in leaps and bounds, causing losses to the tune of billions, and is a very potent threat for banks and financial institutions. The banking and financial services sector continues to be a top target for cyber attacks, which continue to rise every year, a survey by consulting firm KPMG revealed. Future cyber threats are no less than those seen in sci-fi movies, and hackers are using 21st century technology to defeat 20th century systems. It is time to scale up cyber security and combat cyber challenges. Cyber security in a furiously changing world is fast paced and rising in global importance. The cyber domain is constantly evolving, providing both new opportunities and challenges for financial services institutions. The threats will be many and varied, but these threats will be huge opportunities as well. A bank offering better cyber security to its customers and stakeholders will attract many customers and retain existing ones. Hence, banks will have to build a holistic, integrated approach to cyber security, integrating fraud management, cyber security, the IT team, physical security etc. to boost cyber intelligence and response. It is incumbent on them to invest in smart, intelligent and multi-faceted solutions that can tackle cybercrime threats by preempting suspicious activity across a customer’s journey through several touch points. Further, cyber risk cannot be brought down to zero and hence a quick restoration plan with least damage post breach is also crucial. In sum, financial services institutions should consider raising their level of preparedness and evolve into a new cyber risk management paradigm that strives to achieve these fundamental qualities:
1) Being secure against known threats through risk driven investment in foundational, preventive controls, and policies
2) Being vigilant by improving the ability to detect emerging threats and anomalous patterns amid the highly complex and data saturated environment; and
3) Being resilient to enable the organization to recover from attacks as quickly as possible and minimize both direct and indirect damages.
The future may be daunting and challenging, but it is certainly exciting, and those banks that are well prepared and ready to handle the uncertain future head-on would certainly emerge the winners.
References
1) RBI’s Notification – Cyber Security Framework in Banks dated June 2, 2016
2) Information Technology & Cyber Risk in Banking Sector – The Emerging Fault lines – Keynote Address by Shri S. S. Mundra, Deputy Governor, RBI at the ‘International Seminar on Cyber Risk and Mitigation for banks’ organized by CAFRAL in Mumbai on September 7, 2016
3) Targeted Attacks: Protection of Critical Infrastructure of the Country & Capacity Building (Shri R. Gandhi, Deputy Governor – 29th July 2016 – in Hotel Hyatt, Bhikaji Cama Place, New Delhi)
4) Press Reports
M. Ramamoorthy, Faculty, Union Bank of India, Staff College, Bannerghatta Road, Bangalore-560083
- 5 years’ working experience in industry before joining the Bank in 1986
- Approved Valuer for Machinery & Plant
- Corporate Life Member (Fellow) - Institution of Valuers, New Delhi
- Life Member of IIBF, Mumbai
- Banking articles are published in the magazines “Vinimaya (NIBM)”, “Banking Finance” and “The Indian Banker (IBA)”