Several UK banks have suffered actual financial losses as a result of cyber-attacks in the last six months, according to a Bank of England study.
The Bank of England’s latest Financial Stability Report, published on Thursday, reiterates warnings about the risk posed by hacking attacks made six months ago when Andrew Haldane, the BofE's director of financial stability, testified before parliament's Treasury Select Committee.
Haldane was passing on the view from representatives of Britain's top banks that computer security was their biggest operational risk.
The latest report (PDF) from the central bank contains a small section, titled "Operational risks, including from cyber attack, remain a concern" that riffs further on this theme.
The June Report also highlighted potential operational risks related to financial institutions’ information technology (IT) systems. A quarter of respondents to the Bank of England’s 2013 H2 Systemic Risk Survey highlighted operational risk as one of the main risks to UK financial stability.
Over half of these responses cited risks from cyber attack — where an individual or group seeks to exploit vulnerabilities in IT systems for financial gain or to disrupt services. Cyber attack has continued to threaten to disrupt the financial system. In the past six months, several UK banks and financial market infrastructures have experienced cyber attacks, some of which have disrupted services.
While losses have been small relative to UK banks’ operational risk capital requirements, they have revealed vulnerabilities. If these vulnerabilities were exploited to disrupt services, then the cost to the financial system could be significant and borne by a large number of institutions.
Concerns that high-volume DDoS attacks of the type that interrupted the operations of US banks last year might easily be deployed against British banks to similar effect have fortunately proved groundless. Reported operational problems in UK banks (such as recent incidents at Barclays and HSBC) have come as a result of system failure, rather than hostile attacks.
An April attack that led to arrests in September, after crooks allegedly planted remote-control hardware in a computer at a Barclays bank branch, and which was linked with the alleged theft of £1.3m, is a cause for concern – but no great worry in the grander scheme of things.
A far more tangible existential risk comes from something like an ATM cash-out scam, which cost two Middle Eastern banks $45m last year after hackers broke into a database of prepaid debit cards.
Many operational problems would, of course, be known to the Bank of England without reaching the press. And banks are stepping up their readiness to deal with attacks. For example, financial firms and banks across London took part in a cyber-war game earlier this month, code-named Waking Shark II.
Banks have focused on credit, market and liquidity risk over the past five years because of financial sector upheavals, caused first by the sub-prime mortgage crisis and banking bailouts of 2008, followed by the ongoing eurozone crisis and a general recession across the EU. The vast majority of the Bank of England's report focuses on these types of risks rather than anything posed by computing attacks, which, nonetheless, still pose a risk that cannot be ignored. Security vendors, unsurprisingly, focused on cybersecurity in commenting on the report.
Peter Armstrong, director of cyber security at Thales UK, said banks need to move towards more integrated cyber defences.
“The combination of high interconnectedness, reliance on centralised market infrastructure and complex legacy IT systems are leaving our banks vulnerable to cyber attacks," Armstrong said. "A holistic approach that is designed to tightly integrate cyber-defences with processes, people and physical measures is crucial to ensure financial organisations are protected against the latest evolution of threat and attack vectors."
Armstrong placed particular emphasis on re-training staff and sharing threat intelligence among financial institutions as important tactics in the never-ending fight against cyber attacks.
"Banks must make more effort to retrain or re-skill their employees," he said. "Much more emphasis should be placed on retention of soft skills, IP, organisational culture, the evolution of internal security policies and knowledge of legacy systems."
"Greater collaboration on cyber issues should also lead to an improvement in cyber awareness and continuous policy evaluation and adaptation, particularly as external attacks multiply faster than legacy IT security solutions can currently keep up with," he added.
Chris McIntosh, chief exec at security and communications company ViaSat UK, said the cyber threat warning from the central bank comes as little surprise because the financial sector is routinely targeted by state-sponsored and organised crime elements.
"Rather than waiting for the next data breach to occur, the UK’s banks need to realise that they have likely already been compromised and need to work back on this basis… The financial sector is the custodian of millions of customer details and the gateway to billions of pounds. Unless this sector takes the right action, we will see attacks become more refined and sophisticated with massive repercussions for this sector and the wider economy,” he concluded.
An extensive catalogue of the documents released as part of the central bank's Financial Stability Report, November 2013 can be found on the BofE website here. ®