How should financial services firms future-proof their systems against cyber security threats, in light of new FCA regulations? asks Chris Underhill, CTO at data services firm Equiniti (EQ) Data.
The Financial Conduct Authority (FCA) has announced that as of August 2018, all high street lenders offering business or current accounts will be forced to publish details of major operational and security incidents. The move by the UK banking regulator is designed to provide consumers with more transparency, enabling them to easily compare services offered by Financial Services (FS) providers and to drive greater competition in the marketplace.
The report published by the FCA does not specify how much detail FS providers will be forced to go into. However, a major incident is classed as one that prevents customers from using banking services. In January 2017 Lloyds Banking Group suffered a 48-hour online cyberattack in which attackers sent millions of fake requests to the Group’s servers in order to grind its systems to a complete halt. Lloyds’ IT security experts countered the ‘denial of service’ (DoS) attack by ‘geo-blocking’ the source traffic, effectively blocking access to the server. However, this also blocked legitimate requests from consumers. The information that FS organisations hold is hugely sensitive, and therefore when an attack like this happens consumers hold them to a higher standard of accountability than other organisations.
The incident came just months after the Tesco Bank cyberattack that saw an unprecedented loss of £2.5m from 9,000 accounts. The threat to the UK’s financial infrastructure has meant that FS is under scrutiny, with a higher need for accountability directed at them from consumers whose trust has inarguably been eroded.
While the majority of companies are already aware that cyber vulnerabilities pose a major threat to their organisation, a concerning percentage of these are still not implementing the proper precautions until disaster has struck. There is much media noise around the need for cyber security, and around the aftermath for businesses who fail to heed the warnings. What is missing is the conversation around what businesses can and should be doing to prevent cyber threats from gaining a foothold in an organisation.
Outdated legacy software is allowing cyber criminals to target everyone – from the C-suite to everyday consumers in their own homes. Legacy programming languages are no longer taught to today’s engineers, and the middle- and back-office systems written in them are only able to report transaction failures and risk triggers after the fact.
The lack of transparency within organisations is also an issue. It means that the C-suite cannot see the build-up of risky positions or business practices, either because they are not aware of them or because they do not understand them.
This is compounded by Business Email Compromise (BEC). Rather than taking a mass phishing approach, BEC targets specific individuals within a company with messages that impersonate C-level executives’ emails. Because these messages are tailored to the recipient, it is far harder to differentiate the real ones from the fake ones, so the scams are more likely to succeed and far harder to prevent.
The ‘internal threat’, or rather the internal infrastructure and the employees, is the biggest problem within organisations whose security controls are not sophisticated enough to match the threat. With legacy or simply ‘poor’ coding in place, as well as merged technology adding to the complexity of decaying infrastructure, less sophisticated threats like SQL injection and XSS (cross-site scripting) are still able to get through.
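Both of the ‘less sophisticated’ threats named above come from the same coding habit: untrusted input is pasted into a string that another component then interprets, as SQL by the database or as HTML by the browser. The fix in each case is to hand the input to that component in a form it will not interpret. The following is an added example, not code from the author or from Equiniti, showing the legacy pattern beside the corrected one; the account table and the inputs are constructed for illustration.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory account table standing in for a legacy lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 250)]
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str):
    """Legacy pattern: the input is concatenated into the SQL text, so any quote
    characters in it change the structure of the query."""
    sql = "SELECT username, balance FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str):
    """Corrected pattern: the value travels as a bound parameter and is compared
    as data; the query text is fixed regardless of what the user typed."""
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = ?", (username,)
    ).fetchall()


def render_vulnerable(display_name: str) -> str:
    """Legacy pattern: user-supplied text is written straight into the page."""
    return "<p>Welcome, " + display_name + "</p>"


def render_escaped(display_name: str) -> str:
    """Corrected pattern: HTML metacharacters are encoded so the browser shows
    them as text instead of parsing them as markup."""
    return "<p>Welcome, " + html.escape(display_name) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    # The textbook tautology input: harmless as data, structural when concatenated.
    probe = "' OR '1'='1"
    print("concatenated :", lookup_vulnerable(conn, probe))     # every row
    print("parameterised:", lookup_parameterised(conn, probe))  # no such user
    print(render_vulnerable("<b>Alice</b>"))
    print(render_escaped("<b>Alice</b>"))
```

The test of whether a code base has the problem is mechanical: search for SQL strings built with `+`, `%` or f-strings and for templates that write variables without escaping. Modern template engines escape by default, which is one reason the article’s ‘legacy coding’ point matters more than the age of the attack technique.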
However, with regulations such as Sarbanes-Oxley and GDPR in place, the onus is now very much at board level. In recent years the role of Chief Information Security Officer (CISO) has emerged as an integral one for FS, both in terms of performance and consumer trust. More than just a technical IT role, the CISO has become a ‘digital vanguard’ for organisations by understanding the risks associated with the commercial impact of systems, people and processes, from the top down – breaking down silos across FS data portfolios.
As cyber security attacks in FS increase and safeguarding regulations become more stringent, the key to success is ensuring that IT security is represented properly across the organisation. The previously isolated role offered purely technical and practical support, and while there is still a need for this, the role of the CISO should now reach across the whole organisation, which is increasingly operating in a dynamic digital environment with the growth of online processing and cloud services.
Ahead of the FCA deadline, assessing operational resilience will be key: FS companies need to understand their assets and to be constantly evaluating where they are vulnerable through rigorous testing.
Red and blue team testing, as favoured by military and government organisations, uses role-play to simulate dummy cyber-attacks, showing FS organisations where their weaknesses lie and where to neutralise threats. With IT teams taking the roles of attacker and defender in turn, they get to practise both how to identify an attack and how to deal with it.
Having a response prepared ahead of a cyber-attack is also critical. Software analytics and forensic techniques such as malware reverse engineering, host-based intrusion detection and network analysis help to establish the breach vector and how the attack took place. This information will in turn help the CISO determine the attackers’ aims and the impact on the FS organisation, and report back at board level.
FS has no choice but to consider the people behind the data, because once the FCA rules are enforced, any FS provider found wanting will find that its customers do the talking with their feet. It is time for a change in the tone of conversation around cyber security. Scaremongering is no longer necessary, as organisations are well aware of the fallout from a cyber-attack, and arguably this mentality is failing to help Financial Services organisations prepare, because it offers no practical advice on the solutions needed. Routine system updating, highlighting the ‘internal threat’ to employees, regular dummy testing and utilising advanced software analytics are all precautions which help to minimise risk in the first instance and raise cyber awareness at each level of the organisation.
About the author
Chris Underhill A.Inst.ISP is Chief Technology Officer at Equiniti Cyber Security, a division of Equiniti Data, responsible for its product research and the development of cyber security solutions. Chris has experience in software and security, having worked with Microsoft, Virgin, O2 and the BBC.