As cyberthreats grow in intensity and sophistication, their opaque nature has particularly vexed financial firms.
But even as regulators have stepped in to address that opacity through helpful guidance, war-gaming, and warnings, the governments they represent are in some cases engaging in cyberwarfare that raises the risk of reprisals targeting the finance sector.
A British criminology professor posing as a hacker on the dark web recently discovered hacking toolkits for sale designed to steal the login credentials of customers at banks including BAML. Lists of passwords and PINs of Qatar National Bank customers were also on offer.
The professor’s research found finance to be the dark web’s most targeted sector, representing roughly 35% of hacking toolkits for sale. Some postings sought employees willing to sell access to company networks. Others offered “bespoke corporate espionage services” for fees in the low thousands of dollars.
Amid such sophisticated and diverse threats, CFOs are grappling with how much to spend on cybersecurity. Firms are increasingly cobbling together internal bands of cybersecurity experts to evaluate risks and advise on defensive measures.
Still, the opacity of cyberthreats and the unprofitability of cybersecurity have conspired to keep the field below the radar, creating an acute shortage of cybersecurity professionals.
With financial firms lacking a cybersecurity blueprint, regulators have stepped into the breach to provide guidance, with recent efforts urging information sharing and collaboration between organizations.
Asia-Pacific regulators are asking banks to “share more intelligence on the nature of the cyber threats they face” for the good of the industry. That proposition, however, has unsettled lenders fearful of fines for security lapses or legal liabilities over breaching data protection laws.
In the US, regulators are working on a cross-agency approach that would subject banks to more strenuous testing of their cyberdefenses starting later this year. The approach aims to streamline tests for banks while giving regulators a more holistic view of banks’ exposure to cyberthreats.
Banks have indirectly sanctioned at least part of that effort, joining forces to publish their own proposal for an industry-standard assessment that would pare the number of questions banks must answer annually from 2,300 to 277.
Coordination has also extended beyond the inter-agency realm into the international sphere. In May, 23 financial authorities from the G-7 nations arranged a war-gaming exercise to simulate a cyberattack that cripples a large international bank for days.
But those examples of enhanced coordination among regulators belie a broader reality: States may be doing as much to exacerbate cyberthreats as they are to thwart them. North Korean hackers, for instance, have pilfered hundreds of millions of dollars in funds from financial institutions globally.
In April, the Trump administration dropped its demand that China “halt alleged instances of commercial cybertheft,” instead signaling its willingness to accept a watered-down commitment from Beijing in a bid to seal a trade deal.
For years, Washington has alleged Beijing was “‘using its intelligence services and their tradecraft to target our private sector’s intellectual property.’” The climb-down could open the door for continued state-sponsored hacks of US commercial networks.
Perhaps most significantly, mounting US-Iran tensions could see cyber risks escalate in the weeks and months ahead. Last month, US Cyber Command launched online attacks against an Iranian intelligence group following an attack on oil tankers near the Strait of Hormuz.
The escalation could put the US financial sector in the line of fire. After the operations, the US Department of Homeland Security warned financial firms of potential Iranian retaliatory cyberattacks.
With cyberattacks and economic sanctions figuring prominently in states’ prosecution of shadow wars, the finance sector has arguably assumed the role of a 21st-century geopolitical battleground. That state of affairs ratchets up the stakes for banks’ cybersecurity initiatives beyond the already formidable menace of cybertheft.