Bankers, this is the price of lacklustre cybersecurity (Part 2)

The global economy could lose over US$120b.

In the first part of this two-part series, we discussed the current cyberthreat landscape looming over banks and financial services. Now, the industry experts uncover the damaging aftermath of attacks, including long-lasting repercussions for both organisations and their clients should they be victimised by threat actors.

Logic dictates that cyberdefence strategies need to constantly improve if the figures previously discussed are to remain modest. But what if banks and financial institutions go willy-nilly in protecting themselves? What are some of the backlash they can expect from half-baked security measures?

“FSIs risk irrevocable brand and fiscal damage when customers’ Personal Identifiable Information (PII) data is involved,” said Elad Ben-Meir, CyberInt VP. He also enumerated reputation loss, clients jumping ship, and regulatory burdens as some of the worst case scenarios for institutions lacking proper data defence.

Financial consequences

Mohan Veloo, F5 Networks Asia Pacific chief technology officer, noted that if banking, financial services and insurance firms do not implement adequate security measures, then the global economy could stand to lose over US$120b—as much as the damage done by Hurricane Katrina in 2005. On average, a single data breach in the BFSI industry can cost over US$6m or US$245 per account breached. On top of this, organisations also face regulatory fines which can go up to the millions.

Just in March last year, hackers stole US$101m from Bangladesh’s central bank, which would have been over a billion dollars had there not been a typo by the thieves. In August 2016, Bitfinex also lost around US$72m worth of bitcoins.

Sometimes, the financial consequences can be more direct, as is the case with ransomware. Jonathan Tan, A10 Networks vice president for ASEAN and Pakistan, explained, “Ransomware is also a huge threat. Once cybercriminals succeed in locking files, they can threaten to release sensitive information, and organisations will have no choice but to offer a huge sum of money to keep the situation quiet and regain their networks.”

Scott Register, vice president of product management, cloud, and security for Ixia, said credit monitoring services for affected customers and costs of dealing with identity theft, amongst others, further ramp up the bill. Meanwhile, Tony Jarvis, chief strategist, threat prevention, APAC, Middle East, and Africa (AMA) of Check Point Software Technologies, added that fraudulent charges, reimbursing suppliers, and penalties from class action lawsuits, as well as other disaster recovery expenses will also result in additional losses.

“For customers, years of legal fees, torturous dispute resolution, and financial ruin loom large. A family can easily have its life savings wiped out, credit ruined, and careers imperilled by a single breach. And between punitive damages and loss of customers, an FSI could be driven to bankruptcy—and in some cases, responsible parties sued and even imprisoned for criminal negligence,” warned Register.

Data and identity theft

Perhaps worse than directly losing money is losing valuable personally identifiable information and credentials. We don’t even have to look far into the past as just this September, two well-known organisations—AXA Insurance and Equifax—experienced truly worrisome data breaches.

AXA Insurance saw the loss of 5,400 records of both their past and current customers, whilst Equifax had the records of up to 143 million individuals affected by the breach, including their names, addresses, birth dates, and Social Security numbers. “Now, they’re perpetually at risk of identity theft and credit fraud,” said Tan.

Losing identity data allows hackers to easily assume the identity of a bank’s customers and negatively impact their finances. “Customers will no longer trust the bank and take their business elsewhere. FSIs also open themselves up to the possibility of lawsuits when they inadequately protect customer information,” said Tim Liu, CTO of Hillstone Networks.

One of the most worrisome effects of being a victim of information theft is the fact that criminals can use the information whenever they want, even long after the matter is already a stale topic. As criminals bide their time in taking out loans and making purchases under an assumed identity, innocent victims are further opened up to the possibility of false arrests and prosecutions.

But don’t think that high level executives are safe. CyberInt’s Ben-Meir said they are the ripest targets, adding that compromised upper management accounts could be used to search for “…other information which could lead to the “crown jewels” of the organisation being compromised, costing the organisation severe fiscal damage.”

Moreover, criminals can sell any stolen information on underground forums, with credit cards being the most popular merchandise. Bank accounts, on the other hand, are priced according to their amount. A US$1,000 account could go for as little as US$10, with the selling price soaring higher the wealthier the victim is. Some of the most common illegal criminal marketplaces include CP Black Sites, Red Rooms, and Silk Road. In such places, payoffs happen quicker than ransoming for the accounts.

Attackers can also engage in data sabotage, manipulating and compromising the integrity of any accessible critical data—including stock market information.

Loss of business ideas and strategies

Another means for cybercriminals to gain a profit from stolen data is by selling the information to a rival company; a sort of corporate espionage if you will. Armed with business plans, research results, and customer databases, competitors can then roll out better products and services, in the process hurting the bottom line and market share of the victim company.

This brings even more pressure to retail bankers as they compete not only with other banks, but also fintechs and tech industry giants such as Facebook. “With the amount of funding being invested into these areas increasing, customers are enjoying options they have never had access to previously,” said Jarvis.

Trust issues

But more than the immediate financial implications of data breaches, BFSIs also risk losing the integrity and trustworthiness they have fostered for many years. In fact, nothing even needs to be stolen for clients to lose confidence in their chosen bank.

Take UK’S Lloyd Banking Group for instance. During January this year, they suffered a DDoS attack which rendered their online services inaccessible. Edwin Lim, NEC Asia Pacific director of cybersecurity, said, “Whilst nothing was stolen, the confidence level of the customers dropped significantly and damaged their reputation.”

Along with losing customer trust, a breached bank also stands to lose investor and market confidence. Publicised attacks will see stock and share prices take a dive, and leadership changes will likely come in quick succession. Even Equifax’s former CEO Richard Smith’s departure was linked to the company’s titanic data breach. Combined with the loss of customers and finances, a data breach can be something a bank may never be able to recuperate from.

Seeing as the whole industry is built on trust, the shortcoming of one is the shortcoming of every organisation. “If there is strong customer support and the situation is handled carefully, the fallout may be minimised. For smaller companies, any loss in customer confidence can be potentially devastating,” Jarvis said.

Stricter regulatory burden

Lastly, legal ramifications also await lacklustre cyberdefence strategies. Breaches continually pave the way for stricter and harsher regulatory sanctions that are imposed industry-wide.

Dr. Steven Wong, president of the Association of Information Security Professionals (AiSP), cited Singapore’s upcoming Cybersecurity Bill and the Personal Data Protection Act (PDPA), as well as the European Union’s General Data Protection Regulation (GDPR) as examples. “Thus, not only do FSIs face the possibility of great financial loss for not putting in place adequate cybersecurity measures to protect their customers, key individuals within the organisations might also face legal prosecution,” said Wong.

If the above mentioned breaches happened after these regulatory measures have been implemented, companies can stand to lose around US$24m on fines alone. This is in addition to probes and countless investigations, of which Equifax and AXA Insurance are (again) the most recent examples.

Unless organisations can come up with robust and comprehensive ways to govern data, protect user privacy, and ensure market and regulatory confidence, BFSIs will always be put under the microscope. Lim also added, “The risk of potential suspension from business operations could be a real possibility from steeper penalties if they fail to adhere to the regulation requirements.”

Silver lining

Attacks—both successful and prevented ones—challenge BFSIs to assess their cybersecurity technologies, practices, strategies, and policies, improving them if the situation calls for it. Upgrades are by no means cheap, and IDC estimates that cybersecurity spending will grow from around US$74b this year to US$102b by 2020.

“FSIs and enterprises need to stop thinking of cybersecurity as a business inhibitor—something that is a cost center, and slows down velocity. Instead, they should view it more as an enabler,” commented F5 Networks’ Veloo. He likened cybersecurity to brakes in a car; necessary to keep the business safe and make it more manoeuvrable. It allows organisations to meet market demand and bring forth innovations without worry.

Meanwhile, Sean Duca, Palo Alto Networks vice president and regional chief security office for Asia Pacific, commended BFSIs in the region for recognising the need for improved cybersecurity measures. “Our recent survey on the state of cybersecurity in Asia Pacific indicated that 72% of FSIs have received additional budgets, whilst 52% have adopted big data analytics to detect security breaches and fraud. However, it’s not all about spending more, rather it is about getting one’s priorities right and adopting the right mindset.”

“Failure to do so not only exposes FSIs to financial losses, but also tarnish their reputation and ultimately, erode clients’ trust,” Duca concluded.