A real-time cyber-attack alert system has been created by the European Central Bank and is expected to be piloted this year in order to minimise the risk of digital theft. By 2017, 130 banks will be required to use the service to inform regulators about their most significant cyber-attacks, which should decrease the risk of attack that has unfortunately risen in recent times.
Deputy director-general for bank supervision at the ECB, François-Louis Michaud, highlighted that the world has changed dramatically over the past few years, according to the Financial Times. “With banks reaching out to new customers using new technology, they are completely transforming their operating models. For some of that they know what they are doing but in part of it the guys have difficulty keeping up with what risks they are taking.”
Alongside this, the ECB has been compiling data on the most prominent cyber incidents at 18 of the largest banks since February, around the same time that the Bangladesh central bank was attacked, resulting in the theft of $81 million. Natasha Deteran, spokeswoman for SWIFT, the global financial network over which the hack took place, reassured customers that the organisation would provide updates when they were available.
“Whilst we keep all our interface products under continual review and recommend that other vendors do the same, the key defense against such attack scenarios is that users implement appropriate security measures in their local environments to safeguard their systems.” This raises the question of whether a general safeguarding of systems is enough; it is apparent that the ECB does not think so.
Since the JPMorgan Chase data theft in 2014, it is safe to say that there have been some concerns around whether or not state-sponsored attacks on financial systems have intensified. Because banks are still using old technology, safeguarding could be described as an impossible task, especially when new systems are built on top in order to keep up with digital change.
Mark Earl, ex-Managing Director & Global Head of GT Production at Deutsche Bank, explored how the complexity of back-end systems is an issue moving forward. “With many thousands of interfaces, the complexity is such that people cannot understand the process in their heads anymore,” Earl said. He added that most of the work that banking developers are doing now is changing applications that are 10, 20 or 30 years old, but “there is a major knowledge deficit and major legacy systems, which is a difficult dichotomy as they are all trying to chase the same maturity.”
“There is an awful lot of papering over the cracks going on,” Earl said, as the people who created the code decades ago no longer work at the organisation and have more than likely retired by now. He went on to say that education about risk needs to be put in place at all levels of an organisation. “We need a common language to understand risk properly and this should be imposed by the regulators, maybe.”
Perhaps the real-time cyber-attack alert system is the common language, or the technology that is necessary for the current environment that we are living in. ECB risk analysis expert, Gregoire Issenmann, believes that the multi-faceted quality of cyber risk is something that banks can handle only if information is shared.
“We want to kick-start some reflections at banks and signal our intent on this issue. We need to do this, otherwise we are in the dark and can’t really help the banks,” Issenmann said. The US Federal Reserve and the Bank of England will both be asked to share the data it collects with other central banks.
With senior banking executives saying that cyber-attacks are keeping them up at night, it raises the question of why action has not been taken already. According to the FT, the Bank of England has been carrying out ethical hacking exercises and is stress testing the bigger banks in the UK. Alongside this, the UK central bank has started to simulate the impact of a larger attack on the financial system on both sides of the Atlantic.