Cyber Attacks: The “New Normal” For Financial Services Industry - Booz Allen

Eliane Chavagnon

6 December 2013

Five years ago, boards of directors and senior executives at financial services firms will probably have cited liquidity, regulatory compliance or “bad debt” among their toughest risk management issues.

But there are now “acute concerns” about cyber security risk management in what describes as today’s “new normal” of persistent threats in its list of Top Financial Services Cyber Security Trends for 2014.

Only yesterday, for example, did Singapore’s financial regulator raise the alarm about cyber security breaches at financial organizations after it emerged that 647 client account statements at the private bank of UK-listed Standard Chartered had been stolen. Meanwhile, JP Morgan yesterday warned some 465,000 holders of pre-paid cash cards issued by the bank that their personal information may have been accessed by hackers, Reuters reported.

While the issues of data protection and security are arguably the most important facing the wealth management industry today, that is, of course, not to say that the other above-mentioned challenges are not still very much significant areas of focus.

The new trend, though, is that executives have seen how “distributed denial-of-service” attacks - in which a multitude of systems attack a single target - can destroy data and reputations, Booz Allen said. “They learned that cyber threats attack a bank wherever it does business, not just where it is headquartered. And they witnessed the critical benefits of public-private information sharing.”

The findings are in line with those stemming from the 2013 FOX Family Office Benchmarking: Technology in the Family Office study, which found that security worries, which apply both to data itself and how it is communicated, are now mentioned just as often as the issue of technology integration. Meanwhile, according to industry executives, rising risk, complexity and internet exposure are prompting wealthy families and family offices to pay more attention to their insurance coverage this year (see feature here).

Some of next year’s trends, according to Booz Allen:

Threats that take advantage of weaknesses in mobile device platforms when information is sent to a hacker who then “owns” the device;

Developing countries with growing liquidity will see more attacks on their local banks. The firm noted that while countries across the Middle East, Latin America and Asia-Pacific are modernizing their economic infrastructures, this puts them on the radars of more “sophisticated” attackers;
Attackers, the firm also said, are moving from large-size banks to regional and mid-tier, due to their perceived lack of security;
Cyber “hygiene” challenges of today can no longer be a responsibility solely owned by IT. Booz Allen said banks need to develop multi-disciplinary teams that include IT, human resources, internal communications, marketing and legal to inform staff about the importance of being cyber risk aware and knowing what to do when a concern arises;
The National Institute of Standards and Technology effectively makes private sector enterprises liable in the event of cyber breaches in which personally identifiable information or other data is destroyed or taken over by attackers. “While this creates liability risk for banks, it also opens the window for the insurance industry to offer policies that help firms offset this liability,” the firm said; and

As operational data is moved to “the cloud,” stringent security controls are crucial. This gives financial institutions the opportunity to upgrade security architectures and enhance controls.

“As financial institutions increasingly deploy mobile and cloud technologies and integrate their partners, suppliers and customers, their data perimeters are becoming much harder to define,” said Bill Stewart, senior vice president and head of Booz Allen’s commercial finance program. “As a result, some are essentially redefining the concept of a network perimeter.”