British banks keep cyber attacks under wraps to protect image
[October 14, 2016]
By Lawrence White
LONDON
(Reuters) - Britain's banks are not reporting the full extent of cyber
attacks to regulators for fear of punishment or bad publicity, bank
executives and providers of security systems say.
Reported attacks on financial institutions in Britain have risen from
just 5 in 2014 to 75 so far this year, data from Britain's Financial
Conduct Authority (FCA) show.
However, bankers and experts in cyber-security say many more attacks are
taking place. In fact, banks are under almost constant attack, Shlomo
Touboul, Chief Executive of Israeli-based cyber security firm Illusive
Networks said.
Touboul cites the example of one large global financial institution he
works with which experiences more than two billion such "events" a
month, ranging from an employee receiving a malicious email to user or
system-generated alerts of attacks or glitches.
Machine defenses filter those down to 200,000, before a human team cuts
that to 200 "real" events a month, he added.
Banks are not obliged to reveal every such instance: cyber attacks fall
under the FCA's general provision requiring companies to report any event
that could have a material impact, unlike in the U.S., where mandatory
disclosure makes reporting more consistent.
"There is a gray area ... Banks are in general fulfilling their legal
obligations but there is also a moral requirement to warn customers of
potential losses and to share information with the industry," Ryan
Rubin, UK Managing Director, Security & Privacy at consultant Protiviti,
said.
SWIFT ACTION
Banks are not alone in their reluctance to disclose every cyber attack.
Of the five million fraud and 2.5 million cyber-related crimes occurring
annually in the UK, only 250,000 are being reported, government data
show.
But while saving them from bad publicity or worried customers, failure
to report more serious incidents, even when they are unsuccessful,
deprives regulators of information that could help prevent further
attacks, the sources said.
A report published in May by Marsh and industry lobby group TheCityUK
concluded that Britain’s financial sector should create a cyber forum
comprising bank board members and risk officers to promote better
information sharing.
Security experts said that while reporting all low level attacks such as
email "phishing" attempts would overload authorities with unnecessary
information, some banks are not sharing data on more harmful intrusions
because of concerns about regulatory action or damage to their brand.
The most serious recent known attack was on the global SWIFT messaging
network in February, but staff from five firms that provide cyber
security products and advice to banks in Britain told Reuters they have
seen first-hand examples of banks choosing not to report breaches,
despite the FCA making public pleas for them to do so, the most recent
in September.
"When I moved from law enforcement to banking and saw what banks knew,
the amount of information at their disposal, I thought 'wow', I never
had that before," Troels Oerting, Group Chief Information Security
Officer at Barclays and former head of Europol's Cyber Crime Unit, said.
Oerting, who joined Barclays in February last year, said since then
banks' sharing of information with authorities has improved dramatically
and Barclays shares all its relevant information on attacks with
regulators.
"Banks are dramatically under-reporting attacks, they do what's legally
required but out of embarrassment or fear of punishment they aren't
giving the whole picture," one of the sources, who declined to be named
because he did not want to be identified criticizing his firm's
customers, said.
A man types on a computer keyboard in this illustration picture
February 28, 2013. REUTERS/Kacper Pempel/Illustration/File Photo
Apart from Barclays, the other major British banks all declined to
comment on their disclosures.
The Bank of England declined to comment and the FCA did not respond to
requests for comment.
KEEPING SECRETS
Companies that use external security systems also do not always inform
them of attacks, the sources said.
"Our customers sometimes detect attacks but don't tell us," Touboul,
whose firm helps protect banks' SWIFT payment networks by luring
attackers to decoy systems, said.
Hackers used the bank messaging system that helps transmit billions of
dollars around the world every day to steal $81 million in one of the
largest reported cyber-heists.
Targeted attacks, in which organized criminals penetrate bank systems
and then lurk for months to identify and profile key executives and
accounts, are becoming more common, David Ferbrache, technical director
Cybersecurity at KPMG and former head of cyber and space at the UK
Ministry of Defence, said.
"The lesson of the SWIFT attack is that the global banking system is
heavily interconnected and dependent on the trust and security of
component members, so more diligence in controls and more information
sharing is vital," Ferbrache said.
"Big banks are spending enormous amounts of money, $400-500 million a
year, but there are still vulnerabilities in their supply chains and in
executives' home networks, and organized crime groups are shifting their
focus accordingly," Yuri Frayman, CEO of Los Angeles-based cyber
security provider Zenedge, said.
BRAND DAMAGE
Banks are increasingly sensitive to the brand damage caused by IT
failings, perceiving customers to care just as deeply about security and
stable service as loan or deposit rates.
Former RBS Chief Executive Stephen Hester waived his bonus in 2012 over
a failed software update which caused chaos for thousands of bank
customers.
And HSBC issued multiple apologies to customers after its UK personal
banking websites were shuttered by a distributed denial of service (DDoS)
attack, following earlier unrelated IT glitches.
"People don't care about a 0.1 percent interest rate change but 'will
this bank do the utmost to keep my money and information safe?'" Oerting
said.
(Editing by Sinead Cruise and Alexander Smith)
© 2016 Thomson Reuters. All rights reserved. This material may not be
published, broadcast, rewritten or redistributed.