UK Financial Sector Must Build Operational Resilience To Counter Cyber Threats

Lorna Fimia

In a 2018 report by McAfee and the Centre for Strategic & International Studies (CSIS), it was found that cyber-crime has a global impact of $600 billion every year on businesses, through everything from losses due to system closures to reputation damage. This has affected many companies, with an attack now being a very real possibility for a lot of organizations. Robert Wainwright, Head of Europol in 2017, said that the remorseless growth of cyber-crime is leading to 4,000 ransom attacks a day, and gangs’ technological ability now threatens critical parts of the financial sector.

With cyber warfare becoming a growing threat, it’s crucial for all sectors to ensure they are protected. The financial sector is no exception; this year it’s already been hit with multiple DDoS and ransomware attacks. These are more dangerous, more diverse and more sophisticated than ever before.

The Bank of England’s 2018 discussion paper on Building the UK financial sector’s operational resilience highlights the nature of the current threat landscape and sets out new guidelines covering best practices, such as frequent cyber resilience testing and response plans for an attack.

Alongside the digital transformation in the industry, which is seeing most businesses move fully online, resilient security solutions are critical in preventing your business from coming under attack. A 2018 report by IDC predicted that by 2021 IT spend by financial services will reach $500 billion, and despite this figure, financial systems are still being compromised. Something needs to change for the sake of our privacy.

The cyber stakes are high for the UK financial sector

Last year saw an attack on 7 large banks, including Santander and the Royal Bank of Scotland, which forced entire systems to reduce operations or completely shut down. The financial sector has already been hit this year with DDoS attacks and phishing campaigns delivering credential-stealing malware, ransomware and destructive malware. The WannaCry attacks of May 2017, which affected Microsoft Windows computers across the world, used ransomware that encrypted data and demanded a ransom in Bitcoin from the victim to release it.

“Our traditional defences are no longer adequate to protect ourselves as shared industry systems, companies or individuals. This is war, and needs wartime, not peacetime, urgency.” John McFarlane, Chairman of TheCityUK and Barclays.

Why is it getting worse for the financial sector?

The importance and value of the financial sector make it an attractive target for criminals. Their systems are complex and have numerous branches, making protection a necessity that cannot be ignored. There is currently a disproportionate focus on systems visible to the customer, for example the public website and online banking. It is the internal systems and trading data that are truly at risk, as their protection is widely neglected.

In a 2018 survey conducted by VMware of 201 UK IT professionals in the financial sector, 71% said their website security comes at the expense of other systems. The same survey revealed that 90% of those questioned make compromises on their security measures; a frightening statistic for our data security.

“Make no bones about it, cyber-crime is a clear and present danger, not only to our current way of life, but to society as a whole.” John McFarlane, Chairman of TheCityUK and Barclays.

Although DDoS mitigation has been around for some time, many existing solutions cannot withstand the large-scale attacks seen today. The evolving threat landscape means that organizations need sophisticated solutions, such as cloud-based, AI-driven systems, to protect their complex online infrastructure. Effective mitigation is needed to block malicious, illegitimate IP traffic before it can cause a large-scale DDoS outage.

In April 2018, the site Webstresser was shut down by authorities, as it was used by cyber-criminals to launch DDoS attacks on unsuspecting companies. The National Crime Agency claimed these attacks cost banks hundreds of thousands of pounds, whereas from one of these ‘DDoS-for-hire’ sites it would have cost the perpetrator as little as £11. These sites are most definitely still out there, making it even easier for criminals to launch DDoS attacks themselves.

What can we do to stop a financial collapse?

“Mitigating the systemic consequences of the increasing threat of large-scale cyber-attacks on the financial system is a matter of national and international security. In what is arguably a global cyber arms race, it is clear that major players need to be prepared, connected and coordinated in order to effectively respond to and rapidly recover from a large-scale cyber-attack.” Paul Mee, Partner and Co-Author, Oliver Wyman Report – Large Scale Cyber-attacks on the Financial System.

In the Annual Fraud Update 2017, UK Finance reported that some measures have already been put in place and have worked; the Banking Protocol scheme prevented £13.3 million in fraud by allowing banks’ branch staff to alert police and trading standards immediately to any suspected frauds. UK Finance plans to raise awareness through the Take Five to Stop Fraud campaign, offering straightforward and impartial advice on how best to stay protected.

Bank of England: Building the UK financial sector’s operational resilience

In July 2018, the Bank of England teamed up with the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) to publish a Discussion Paper (DP) on resilience in the UK financial sector. Their Discussion Paper on “Building the UK financial sector’s operational resilience” introduces enhanced cyber resilience expectations for boards and senior management, with an emphasis on incident recovery, highlighting the regulators’ focus on being able to resume critical business services after an attack.

The DP goes on to report that elements of the regulatory framework must be strengthened to improve the resilience of the UK financial system. These include introducing baseline expectations of security standards, regular testing by firms, and having clear and tested arrangements for a cyber-attack response. The new approach will push firms to prioritise and invest in recovery systems, and further their mitigation and testing solutions to help maintain continuity of service throughout.

The Financial Protection Committee (FPC) is establishing its tolerance for the length of any period of disruption to the delivery of vital services the financial system provides to the economy in the context of cyber, as set out in its June 2018 Financial Stability Report (FSR):

Financial stability is the consistent supply of the vital services that the real economy demands from the financial system. A severe operational incident, such as an IT failure or a cyber incident, can impair processes and data supporting these services, and therefore put financial stability at risk. The FPC set out the elements of the framework of regulation to strengthen the resilience of the UK financial system to cyber risk in the June 2017 Report:

i) clear baseline expectations for firms’ resilience that reflect their importance for the financial system;

ii) regular testing of resilience by firms and supervisors;

iii) identification of firms that are outside the financial regulatory perimeter, but which may be important for regulated firms; and

iv) clear and tested arrangements to respond to cyber attacks when they occur.

We urge all stakeholders to respond to the Bank of England Discussion Paper on Building the UK financial sector’s operational resilience, by the published deadline of Monday 8th October 2018.

A recent study from KPMG says that to address the risks, we must increase collaboration between businesses. By changing to a community-based approach and sharing good practice and insights, improvement will be continuous and a breach will be harder to achieve. Integrating the public and private sectors can also disrupt the business models of the cyber-criminals.

The National Cyber Security Centre (NCSC) is part of the answer to reducing cybercrime in the financial sector, by helping to protect critical services from cyber-attacks. Ciaran Martin, CEO of the NCSC UK, understands the risks, saying that it is a matter of when, not if, and another category 1 (C1) attack is on the horizon.

Mike Revell, Managing Director at activereach, states we must stop compromising on our Internet security:

“Cyber-attacks are becoming a more frequent reality for many, and with hundreds of companies having access to an individual’s personally identifiable information (PII) this means a greater risk. With the financial sector storing sensitive information such as bank account and credit card credentials, it is imperative they review their current solutions, and adapt them to mitigate the wide variety of threats we now face.”

Looking at advice from KPMG, the FCA and the Bank of England, it is apparent that mitigation of cyber-attacks is essential to operating your business safely. This calls for an increase in stress testing (DDoS and penetration tests) to continually maintain your systems’ security and build operational resilience.

activereach provides DDoS mitigation for many financial services institutions, including banks, building societies, insurance houses and financial traders. We always recommend DDoS testing to ensure that any DDoS protection, in-house or at ISP level, works successfully. To find out if your DDoS mitigation is resilient to DDoS attacks, please see our page on DDoS testing.