With the onset of rapid technological advancement, the UK retail banking sector is harnessing the power of the latest technology trends to provide a range of new channels for service delivery and products. However along with the obvious competitive advantage this provides comes a greater risk of fraud and criminal behavior.
Recently there have been several highly publicised data breaches reported by the media. This whitepaper discusses cybersecurity, vulnerabilities, and implications, highlighting the changing nature of the cyber security attacks and perpetrators of the crimes.
Digital products and services have challenged the traditional business model of banks, delivering new innovative services to their customers, and streamlining internal processes. The move towards digital has led to several vulnerabilities being exploited and has introduced several significant risks to banking services. Nonetheless, it has also opened new opportunities to leverage the value of technology and maximise revenue.
According to Bouveret ,Banks, account for the majority of cyberattacks with 91 % being targeted against the banking sector. Of this 91%, retail banking accounts for 39% of the targeted attacks.
The impact of these attacks is beginning to become more significant, with increased fines being levied to businesses, significant reputational damage being incurred and impact on operations being felt by customers and stakeholders.
The impact of these attacks is also having an adverse consequence on trust, with the public becoming ever more concerned with security and privacy. It can be said that the nature of cyberattacks is evolving and becoming more complex, with several new “actors” emerging on the stage.
Nature and impact of cybersecurity threats in the sector
It would appear, according to the media that Cybersecurity attacks in the UK have seen a significant increase, however there are conflicting views. It is difficult to confirm the frequency of cyber-attacks due to a lack of regulatory reporting requirements. The FCA findings point towards a lack of regulation and standards in the reporting of cyber-attacks.
Cyber criminals have morphed from individuals instigating attacks for monetary gains to “hacktivists” (ethical hackers) wanting to impact the behaviours of whole organisations. Sophisticated groups to rogue states are becoming embroiled in trying to influence and disrupt political outcomes. In 2009/10 a gang with links to eastern Europe was prosecuted for a cyber-attack that saw log in details being stolen to hack 600 UK banks accounts. Downing, 2011.
In 2010 hacktivists, “the Anonymous collective” attacked several banks that refused to process donations to Wikileaks. Dupont,2019
The complexity of cyber-attacks is commensurate with advancements in technology. Banking organisations have seen a proliferation of endpoints emerging, therefore becoming reliant on systems and processes outside of their control. The Sinowal trojan quoted as being one of the most complex and advanced viruses stole details of approximately 500,000 online bank accounts. Shiels, 2008
Mobile malware attacks have also increased with mobile devices being used to access services more widely. Malware for android phones has increased considerably year on year. Jang-Jaccard,J , Nepal,S, 2014.
In 2018 Tesco’s banking arm was fined by the FCA, a total of £16.4 million for a cyber-attack it suffered in 2016. The breach resulted in a £2.3 million attack on Tesco’s UK bank accounts. Press Association, Guardian Newspaper, 2018.
The financial impact is not limited to fines but the resulting impact from operations being obstructed leading to revenue loss, denial of service attacks leading to access problems and the cost of clean-up operations after a virus attack. In 2017 Lloyds bank customers were unable to access their bank accounts to check statements and balances due to a DDos attack. Collinson,2017.
Reputational impact as a result of a publicised cyber-attack can be detrimental to an organisation. Disruption to services will leave unhappy customers and can lead to brand damage. This could also lead to a loss in key senior leaders to placate shareholders, customers, and suppliers.
Loss of business intelligence and intellectual property via a cyber-attack can hinder growth and innovation for an organisation. UK banks are constantly developing new channels for service delivery and leveraging technological advancements to maintain a competitive edge.
Not all the impacts are negative as outlined above, there are positive impacts as a result of cyber-attacks. The aftermath of a cyber-attack will heighten awareness within the organisation and usually but not always lead to better security standards. An ethical hack can lead to a change of policy and direction.
Key vulnerabilities and risks
Vulnerabilities associated with technology and its implementation are key areas for exploitation. A problem with migration of its IT systems produced several phishing attacks against TSB customers. Flinders, 2019
The most significant vulnerability is people related. Policies, procedures, and training can only go so far in protecting a company’s assets. Information security must be enforced at the highest level and regular testing such as test emails sent to audit compliance.
Social engineering attacks utilise personal information from social media accounts e.g. to hack online bank accounts.
Network configuration is becoming more difficult to pin down with the proliferation of endpoints. Banks not only have to secure their LANS, but now must also secure their WANS. There is a move towards public cloud vendors to transfer risk , however this can lead to a loss of ownership and ambiguity if a cyberattack occurs.
With the onset of AI and RPA, it can be difficult for a bank to ascertain the occurrence of an attack and at which point the attack has taken place due to the automated procedures.
As the banking sector expands its portfolio of services and geographical spread, governance structures are becoming more complex. There is a risk that cyber security is not being adequately managed or being accounted for and that internal controls are weak.
There are a wide range of organisations, tasks groups and standards all looking to provide a coherent and structured approach to dealing with cyber security attacks. However, PWC have suggested moving towards adopting ISO 27001(part of the ISO 2700 family) as a global standard ,especially as cybercrime is seen more as a global threat with nation states increasingly instigating cyber-attacks. PWC, BBA, 2014. However, on the flip side there has been a low uptake of the ISO 27001 standard with global organisations preferring the ISO 9000 standard. Dupont, 2019].
Within the UK specifically, the FCA regulates the UK banking/financial sector. In July 2018, the FCA launched a consultation to assess the current state of cyber resilience. The FCA is taking a more prominent role in regulating the financial sector with a recent fine being levied on Tesco Bank for not having basic standards of cyber security in place. The Bank of England is looking to set baseline requirements for financial institutions to ensure cyber security measures are in place. Dupont, 2019
The economic impact of cyber security attacks on organisations is hard to assess as a total cost. Fines levied against banking institutions have been significant and well publicised. However, the total cost including but not limited to, loss of business intelligence and intellectual property, loss of revenue along with operational downtime is difficult to accurately ascertain. Brand damage impact can amount to between 1-5% off share values. Watkins, 2014.
A loss of trust from customers may not initially be seen as a significant economic impact of a cyber-attack, but the consequences could potentially be disastrous. Although not experienced by the UK banking sector a cyber-attack led to a total of 10% of bank deposits being withdrawn by customers, due to an email phishing incident, Bouveret, 2018.
Data breaches do not appear to be increasing in frequency but in complexity. As the banking sector utilises more advanced technology and an increased number of end points to maintain their competitive edge, the risk of a cyber-attack increases. New global sophisticated actors are exploiting vulnerabilities. Suppliers have failed to produce adequate guides for customers to educate themselves and to secure their products from potential cyber-attacks.
The FCA and other regulatory bodies are now concentrating on holding the banking sector to account, with major fines being levied, this will lead to an upward trend in fines being imposed. In addition, the media are highlighting and raising awareness of data breaches to hold organisations to account. This in turn is promoting a higher level of awareness with customers.
With a plethora of standards, policies, task groups and governments trying to implement standards and regulations there is a danger that development and adoption of these standards and regulations will be haphazard and inconsistent leaving UK banks exposed to an increased level of cyber-attack in the future.
However, with Brexit and a possible no deal scenario it remains to be seen how effective cyber intelligence sharing will remain across the EU and UK, which could lead to issues with standardizing cyber security requirements.