BDO’s ‘Cyber Threat Insights’ quarterly reports that since 2015, banks and financial institutions experienced 154 publicly reported data breaches that compromised nearly 150 million records, a figure roughly equivalent to the population of Russia. BDO’s new report reveals that cyber criminals after January’s cryptocurrency crash abandoned cryptocurrency targets and turned back to ransomware and business email schemes - but armed with increased funds, new tools and improved experience.
BDO warns that financial institutions in particular make for lucrative cyberattack targets, also because of cyber criminal’s preference for operating on bank holidays. BDO further cautions against letting cyber security attitude turn from watchful into complacent.
3 Characteristics which make global financial institutions lucrative targets for cyberattacks:
- The sector houses a wealth of sensitive client information
- The liquidity of their assets
- Their potential to manipulate or disrupt markets, which interests state actors
BDO’s tips for financial services companies ahead of the holiday season:
- Exercise increased vigilance during bank holidays - As the holiday seasons starts, banks and financial institutions enter a period when their enterprises are typically more vulnerable to cyberattacks. Attacks can occur while banks are closed, which allows the cyber criminals to go undetected for a longer period of time, to install back doors, to
re-sell breach information to other hackers, to organise additional attacks and to transfer stolen funds.
- Costs don’t cease with the breach - When the breach is resolved, the financial hits could keep coming. International regulatory bodies are holding financial institutions accountable for cyber negligence more frequently. The U.K.’s Financial Conduct Authority (FCA) issued their first fine for a cyber failing just this year. Among the cases analysed in BDO’s Cyber Threat Insights is the FCA’s levy of a £16.4 million fine on Tesco Bank in early October 2018, for a 2016 breach that exploited a cyber weakness the regulatory agency had previously warned the bank about.
- Insured does not mean covered - Read the fine print of your cyber insurance policy. In one case detailed in BDO’s Cyber Threat Insights, a national bank was left with a larger cyber liability than expected, due to differing interpretations of insurance policy clauses.
Watchful cyber security attitude has turned into complacency
BDO’s Cyber Threat Insights warns that basic info-sec behaviour amongst individuals, companies and organisations shows signs of erosion. A state of general cyber security fatigue is finding ground among both individuals and corporates due to cynical net-neutrality law, the consolidation of personal data among a handful of companies, growing dependency on interconnected devices, and the constant barrage of online threats and data breaches.
BDO’s cyber security leadership cautions that companies engaged in a cost-benefit analysis on whether to adopt stronger user-privacy controls or other enhanced security, often opt to do nothing — as long as the potential fines or remediation costs are in a tolerable range.
The report also points to a trend where individuals give up on obtaining full control of their digital presence, accepting ‘transparency’ in return for convenience. Beyond the ethical privacy concerns, consequences are that malicious actors increasingly leverage the complacency of employees and organisations to execute seemingly basic attacks with potentially severe outcomes.
Recommendations for 2019
BDO recommends that financial services turn their view on cyber security around and adopt a threat-based cyber security model in 2019. The financial industry concentrates cyber security investments on what they consider to be their most valuable assets. The problem is that this often differs from criminals prime target, hence BDO’s advice to make cyber security ‘threat based’.
CFOs as stewards of banks’ finances, should directly engage in identifying those assets and investing in the means necessary to secure the institution. Financial institutions must further extend info-sec engagement and require banks’ full C-suite and board to have an integral role in protecting the institution’s security, BDO recommends.