Protecting Critical Infrastructure from Cyber Attacks: Banking and Finance

Way back in the mid-90’s, President Clinton signed EO 13010 Critical Infrastructure Protection. The purpose of this was to develop and implement a strategy for the consistent review of several industries, labeled as critical infrastructures, in order to prevent damage to them from physical and cyber threats. Since then, the number of critical infrastructures have grown to include:

1. Chemical
2. Commercial Facilities
3. Communications
4. Critical Manufacturing
5. Dams
6. Defense Industrial Base
7. Emergency Service
8. Energy
9. Food and Agriculture
10. Financial Services
11. Government Facilities
12. Healthcare and Public Heath
13. Information Technology
14. Nuclear Reactors, Materials and Waste
15. Transportation
16. Water and Wastewater Systems

This post will be one of many reviewing our nation’s critical infrastructures, the threats they face on a daily basis, and the processes in place to protect them.

Finance and Banking: Critical Infrastructure #10

This sector is comprised of over 18,000 FDIC insured institutions with trillions of dollars of combined assets. This industry is responsible for allowing individuals and organizations to deposit funds, make payments and investments. They also provide customers with credit, liquidity and transferring financial risks between customers.

Financial institutions are a common target among hackers because quite simply, they have easy access to what the hacker wants: money and customer PII.

In the past, cyber criminals orchestrated sophisticated attacks causing money to dispense from ATMs at perfect times in order to be collected by criminals and to electronically transfer from a bank’s account to theirs all with the click of a button. These attacks can often go on for months before being detected. Experts estimate that losses from a single attack can cost upwards of $1 billion. To make matters worse, due to the reputational damage a hack imposes on a financial institution, many of these attacks often go unreported.

The total damage caused to the US and global economies will never be fully realized and, in the case of small businesses, never fully returned. In a study by the American Banker’s Association, financial institutions only receive the following reimbursements after an attack (data based on attacks from 2009-2014):

• Companies less than $1B in assets receive 25% reimbursement
• Companies between $1-10B receive 51% reimbursement
• Companies between $10-50B receive 65% reimbursement
• Companies greater than $50B are reimbursement the full amount

The acceleration in the number of cyber attacks and the severity at which they occur caused the banking and finance industry to fall under constant scrutiny by law enforcement and subjected them to a number of financial regulations. The losses continue to force the industry to concentrate on building up their cyber security defensive and offensive measures to prevent and mitigate such financial devastation.

Top Cyber Threats to the Financial Services Industry

All cyber threats a financial  institution faces can be placed in one of two big category pools: targeted or untargeted. Most of the untargeted attacks are those that you face on a daily basis and while they are still a threat, they aren’t as powerful of a threat to a financial institution as a targeted attack.  Targeted attacks include:

• Spear phishing
• DDoS
• Sabotaging supply chains and more

Additionally, some attacks may not even be that sophisticated. Financial institutions have streamlined the banking process to provide a more customer-friendly experience, but such changes have opened the opportunity for hackers to easily manipulate the entry points for their benefit without ever truly hacking the system. These lower level front end hacks combined with the more advanced targeted attacks have created a steady stream of cyber breaches that the U.S. financial services sector is forced to deal with.

Finance’s Cyber Plan for 2015

In order to regain control of financial cyberspace, the industry as a whole is responding with several initiatives to promote greater awareness and accountability, greater communication and ultimately develop and recruit a better team of cyber players.

Awareness and Accountability

Part of the finance industry’s struggle with cyber is to due lack of awareness of issues wasn’t pushed until after uncovered attacks became public. To put an end to this, boards will involve themselves more in the cyber landscape as a whole. They will position part of their agenda to closely examine and understand what vulnerabilities exist within an institution.

Additionally, board members will also play a more active role in overseeing the development of cyber infrastructure and protocols. Their involvement in an institution’s current and projected cyber landscape stands as a greater priority for the reminder of 2015 and into the coming years.

Communication

The Cybersecurity Information Sharing Act of 2015 (first introduced in 2014) plays a big role in promoting greater communication not just in the financial services industry, but in cyber security related incidents in general. This act helps to make communication with government and across the industry easier, thus allowing vital information related to cyber incidents to flow seamlessly.

In addition, groups such as the Financial Services Information Sharing and Analysis Center FS-ISAC also facilitate the cyber conversation for the financial services industry and make it easier for groups to collaborate all over the world. Their mission is simply to stand as the “global financial industry’s go-to resource for cyber and physical threat intelligence analysis and sharing.”

Recruiting the Cyber Team

Another concentration of the financial services industry is on attracting and retaining top cyber talent. They are looking to military and government to find highly qualified and trained cyber warriors. Financial institutions are desperately searching for cyber pros versed in offensive and defensive tactics throughout 2015 and beyond to truly combat cyber crimes either before or as they take place.

Finally, these institutions are hoping to adopt new collaboration methods for teams to hone their skills together. One form of exercise to promote this is war games. The U.S. and UK announced collaborative events to test each other’s sectors for critical security weaknesses and then their team’s abilities to defend their networks. One of these targets is the financial sector with attacks aimed at the Bank of England and Wall Street.