According to a very interesting article in the FT – two weeks after hackers broke into Sony Pictures’ computer systems, deleting important company files and exposing embarrassing emails, technology experts at some of the world’s largest financial institutions decided to run an experiment.
They took copies of the “malware” — malicious strands of computer code — used in the Sony attack and watched what it would do if it were unleashed in their own computer systems.
The Sony hack was a sophisticated piece of work. Like a revolver, the malware shot off a
round of code in search of a vulnerability in the network. If that potential weakness had been properly patched by the bank’s tech team, it would trigger another round and go off in search for a different vulnerability. This could go on for seven or eight rounds, according to a bank official.
The results were unnerving. Before seeing the Sony malware at work, a top security officer at a major US bank said he felt successful if he had 95 per cent of his network’s vulnerabilities covered. “That five per cent I’m not sure I’m satisfied with anymore based on what we learned out of Sony,” the official said.
Following the exercise, he says, he was able to convince the bank’s top executives to pump cash into plugging the holes — a job that became its number one security priority.
We’re taking “a fighter’s stance”, says the security officer. “We’re not going to wait to be hit.”
After a wave of increasingly sophisticated cyber attacks, corporations of all types — from entertainment groups like Sony to retailers, insurers and even carmakers — are spending big money to fight back against hackers. But the financial industry is the most frequent target, facing 300 per cent more cyber attacks than any other sector, according to a report from Websense, a cyber security company. Regulators have noted that cyber attacks on banks are an emerging threat that could pose a systemic risk to the sector, according to a May report by the US Financial Stability Oversight Council.
The banking industry has poured hundreds of millions of dollars into securing its networks. They have hired thousands of the brightest tech minds, plucking former intelligence officials from spy agencies and combing the networks of the Chaos Computer Club, Europe’s largest association of hackers, for recruits.
Besides the obvious financial incentives for hacking banks, the sophistication of their security makes them a tempting target. The Financial Times interviewed top security officers at some of the world’s largest banks, but none would speak on the record for fear of prompting reprisals from hackers.
And yet serious breaches happen. An attack on JPMorgan Chase exposed contact information of 76m US households in 2014 — a year when even it spent more than $250m and had about 1,000 people focused on cyber security. To the bank’s embarrassment, hackers were able to penetrate its network because there was no requirement for two-step verification — a procedure used by many free online services such as Gmail.
The bank said no account information, such as user names and passwords, was taken during the breach. Still, it shook customers’ confidence in a system that holds personal financial information about their mortgages, savings and bank accounts.
Banks exist to safeguard money and data, but the risks they face if their systems are breached are not just reputational. They are also responsible for the cost customers incur following a hack of their own networks or those of others — including retailers, who have become frequent targets of criminal groups. The 2013 breach of Target, the US retailer, is estimated to have cost banks more than $200m. Lloyd’s, the UK insurer, has estimated cyber attacks cost all businesses as much as $400bn a year.
The cost of breaches on the financial sector are going up, with the number of companies reporting losses of between $10m to $20m because of hacks going up by 141 per cent in 2014 compared with the previous year, according to PwC. The average number of detected incidents rose from 4,628 in 2013 to almost 5,000 last year.
Unlike other industries, the financial sector is required by US law to protect customer information. US bank regulators have overseen their information technology since 1978, and regulators have been required to issue security standards to safeguard customer information since 1999. Increasingly other regulators — in the US and around the world — have added cyber security to their reviews. A security officer at a large European bank says that in the past 12 months his company has received 70 requests from regulators related to cyber security, with some questionnaires exceeding 300 queries.