A major cyber-attack on TalkTalk has brought the issue of online security into sharp relief once more.
The telecom firm’s shares plunged after it reported a “significant and sustained cyber-attack” during which hackers accessed its databases to steal customers’ personal information and bank details.
TalkTalk admits it has no idea how many of its 4 million customers are affected by the data theft, but some customers have already reported that fraudsters have taken money from their bank accounts.
Cybercrime is on the rise, with a number of high profile hacks making headlines. JPMorgan Chase suffered a major data breach following a cyber-attack towards the end of last year, and investigators report that hackers also tried to infiltrate nine other financial firms including Fidelity Investments, Citigroup and HSBC.
Cybercrime, as the name suggests, is crime committed using computers and networks. It can include infecting companies’ servers with malware, flooding websites with huge amounts of traffic to knock them offline (a denial-of-service attack), ‘phishing’ for data by sending bogus emails, or ‘pharming’, which involves redirecting users bound for a legitimate website to a fake copy of it (typically by tampering with DNS records or the victim’s hosts file) and then stealing the details they enter.
It accounted for 39% of economic crime experienced by the financial services sector in 2014, compared to 17% in other industries, according to PwC. However, it suggested the real figure could be much higher, noting the percentage of respondents looked “alarmingly low”. “Our experience has shown that a clear majority of FS organizations (especially retail banks) suffered cybercrime during the survey period,” the report said.
Because financial services firms are targeted more heavily than other firms, it is not surprising that financial regulators have been paying close attention to this worrying trend. A recent briefing from law firm Clifford Chance noted that, in September, the US’s Securities and Exchange Commission (SEC) issued a ‘risk alert’ urging firms to pay closer attention to a number of areas, including governance and risk assessment, data loss prevention, employee training and incident response planning.
It also imposed its first fine in the cyber arena, hitting investment advisory firm RT Jones with a $75,000 fine for inadequate cyber security measures following a 2013 hack which left clients vulnerable to theft.
The Hong Kong Monetary Authority wrote to regulated firms in its jurisdiction the same month to encourage them to heighten their response to a rise in “the frequency, stealth, sophistication and potential impact of cyber-attacks.”
It wants to see financial firms introduce new risk management measures to deal with the growing threat, including frequent tests and independent evaluations of their systems, industry collaboration and intelligence sharing, and contingency planning.
S&P considers cyber-security in bank credit ratings
Standard & Poor’s recently said it could even downgrade banks with weak cyber-security. It put together a list of 16 questions to ask an asset manager about how prepared the firm is to deal with cyber-attacks:
- How do you measure the exposure and report on cyber-risk?
- Do you have a robust, well-documented program to monitor cyber-risks?
- How many times was the business the target of a high-level attack during the past year, and how far did it reach in the system?
- What areas does the bank feel are still vulnerable to attack?
- Does the bank have any third-party vendor oversight? If so, what kind and how much?
- What is the bank’s readiness with respect to the NIST framework?
- How does the bank ward off phishing and diminish the likelihood of having data compromised from an internal breach?
- What’s the internal phishing success rate?
- How long has it typically taken to detect a cyber-attack?
- What containment procedures are in place if the bank is breached?
- Are emergency scenarios test-run?
- What software or other techniques are used to monitor attacks?
- What kind of expertise about cyber-attacks exists on the board of directors?
- How much does the bank spend on cybersecurity, and what resources does it devote? What is the total tech budget this year versus last?
- What are the bank’s capabilities versus peers, and how are they assessed? Is there information shared with peers?
- Does the bank have any insurance to compensate for a cyber-attack?
Sadly, cybercrime is an indelible feature of the new digital landscape FS firms are navigating. While trying to create innovative online solutions for their customers, they face the additional challenge of guarding their clients’ assets and information from increasingly ingenious criminals. This is a huge financial burden, especially for small firms, but it seems unavoidable: the cost (financial and reputational) of a successful hack would be much higher than that of a robust prevention strategy.