For me, 2013 has pretty much been the year of the cybercriminal, in that every month I’ve written about, or had discussions on, something to do with cybercrime. It’s a big phrase, and it’s not entirely fleshed out yet, but recently it seems as if the financial services industry, or more accurately, the financial-markets side, is doing something about it.
You’d be forgiven for thinking otherwise, though. From my experiences as a reporter trying to cover the story, nobody wants to talk about it. Most major exchanges reply with “I don’t think we want to be discussing that, James”, and most banks say “We don’t want to draw attention to ourselves.” Presumably because they’re comfortable with a bank’s natural under-the-radar profile. But the discussions are going on, as are the attacks, and the penetrations, and the activity we don’t hear about in the mainstream press.
The World Federation of Exchanges (WFE) announced the formation of a cybersecurity committee last week, featuring most of the big names of the global exchange landscape, and headed up by Nasdaq’s CISO.
But, the sense of forward motion is building. The World Federation of Exchanges (WFE) announced the formation of a cybersecurity committee last week, featuring most of the big names of the global exchange landscape, and headed up by Nasdaq’s CISO─or chief information security officer. Further simulations akin to Global Dawn II, held by the Securities Industry and Financial Markets Association earlier this year, have been employed with success.
The theft of money through cyberattack is one thing, but at the end of the day, money can be replaced. Reputation is something much harder to quantify in dollars and cents, and in the new era of online, the security and integrity of an institution (therefore an individual’s money) is probably the overriding contributor to that reputation. Confidence is king, and damaging confidence damages the institution, and in a wider sense, the real economy and political world as well.
So, therefore, cybercrime will naturally become a matter for regulation, probably in the not-too-distant future. Those regulations, I’m told, will be minimum standards though, and firms will be expected to go above and beyond that, and essentially do whatever it takes to keep their systems secure.
It’s a good thing, then, that the industry is getting together and collaborating on best practice. But no defense, particularly in the cyber arena, can be fool proof. As one ex-FBI cyber agent told me a few months ago (in a more dramatic metaphor than this): if somebody wants to do something, they’ll do it. There will always be a ladder tall enough to get over the wall, or an insider disgruntled enough to leave the drawbridge down and the portcullis up.
Taking this in mind, mitigation becomes crucially important, if total prevention is impossible. But it’s such an overwhelmingly complex topic area that it’s hard for many institutions to adequately put protections in place. Cybercrime can be taught from a legal perspective, but from a practical perspective, it’s impossible to keep up to speed with the latest threat vectors, delivery mechanisms, and assault methodology in a classroom. For the financial services industry, tough times are ahead.