In a period when tensions are heating up globally, the threats of war are becoming clearer, with a potential cyberwar still highly likely. In a cyberwar that is supported and, to an extent, headed by governments – would banks be safe?
According to Dave Harvey – head of Cybersecurity, UK for FTI Consulting – banks can be a primary target for nation-state-backed cyberattacks, especially in times of heightened global tensions: “In the current international climate, this risk is very real and can look different to each business depending on where they fit on the geopolitical spectrum.”
Harvey remarked that a successful cyberattack on a bank can be highly lucrative given the direct access to funds and cryptocurrency, which can be especially valuable to a country experiencing sanctions or seeing a significant decrease in the value of their national currency. He also remarked that in addition to the financial risk, an attack of this form could cause mass disruption and reputational damage due to the highly sensitive personal data at stake.
Alongside being a lucrative target for threat actors and political criminals alike, banks also offer status and a springboard to achieve objectives on a global scale. This is due to their size, clout and presence on global markets. Harvey believes this last point – linked to interconnectedness – can cause huge ripples.
He remarked, “A motive for nation-state actors is to infiltrate the networks of critical national infrastructure, such as banks, in order to achieve strategic objectives on a world stage. The interconnectedness of banks means the initial target of a cyberattack can be irrelevant – an attack intended for a specific bank could easily cross borders and harm innocent bystanders in other global locations.”
The potential challenges banks would face in a cyberwar are not hypothetical – with Russian state-backed hacker group Sandworm just one example of the real possibilities of government-backed cyber warfare.
In the eyes of Harvey, cyber warfare – and the protection from it – requires wide-ranging input: “Government-backed cyber warfare is an operational risk requiring input from all areas. It is paramount that governments and business leaders cooperate to align global cyber regulations to safeguard any data in jeopardy.
“We are seeing this happen with bank regulations becoming more interventionist and prescriptive than previously issued guidelines. For example, the EU’s Digital Operational Resilience Act (DORA) aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks. While DORA can be viewed as a milestone in defending against the evolving cyber threat, it can also create uncertainty for organisations trying to be compliant.”
One of the most worrying findings by Harvey is that, when viewed through the regulatory lens, it has become clear that the lines between nation-state-backed cyberattacks and criminality are blurred. He commented that this can add a level of confusion around sanction risk in cyber incidents, such as in ransomware scenarios where attribution is key to understanding whether payment to the hacker(s) would contravene sanctions.
How can banks improve cyber resilience? Harvey remarked, “Banks should begin by performing cybersecurity program assessments to identify vulnerabilities and ensure proper protections are implemented. This includes ensuring business continuity via policies, procedures and staff gap analysis. Such an assessment will also help determine if compliance requirements are being met.”
In addition, he believes that IT security teams must develop and test incident preparedness and response plans, ensuring that all stakeholders in the company are aware of their role, including C-level executives. Meanwhile, at a company-wide level, they should execute crisis simulation and table-top exercises to build employee awareness.
Harvey concluded, “Lastly, if a breach occurs, banks should conduct a forensic incident response investigation and activate crisis management and strategic communications support immediately.”
Denial of service risks
When it comes to the particular kinds of attacks possible by state-sponsored attackers, Simon Eyre – chief information security officer and managing director, Europe of Drawbridge – believes a key one is distributed denial of service attacks.
He said, “Availability of Services to the public and to businesses is a critical part of today’s modern online banking systems. Denial of Service attacks can cause significant outages of web portals and communications across the Internet for services like banks. During a conflict, causing disruption will often be more impactful than ransomware type attacks and will be the focus of state attackers.”
How can banks prepare for such an event? Eyre provided examples such as the Bank of England, who organise cyber resilience tests or cyber ‘wargames’ in order to simulate the types of attacks that are most likely to occur.
Eyre commented, “These allow financial organisations the chance to test out their resiliency against attacks and put their Incident Response Plans through their paces. There will be countries without the preparedness of wargames or tabletop exercises and those will remain susceptible to attacks.”
Sanction compliance risk
Alongside the risk of attacks and the kinds of attacks that could hit banks, there is also the challenge of remaining compliant with rapidly imposed financial sanctions.
Alex Richter – head of PassFort – said, “Alongside the cyber risk is that of staying abreast of the fast-changing regulatory and compliance landscape with quickly imposed financial sanctions. A recent statement by the FCA warned of the dangers faced and the consequences of failings in a bank’s financial crimes systems. All financial institutions must ensure they are screening every financial transaction with the sanctioned individual list and go further to capture any indirect links.
“Failing to take appropriate action could be seriously damaging reputationally for a bank or financial institution.”