Jason Harrell, DTCC Head of Business and Government Cybersecurity Partnerships.
The sophistication of cyber threats and threat actors[1] has increased significantly, and firms are expending considerable bandwidth and resources in terms of people, processes and technology to address the risks that these threats and threat actors may bring to bear on the global financial system. Gone are the days when a virus would simply take down corporate email services or make your documents behave in peculiar ways. Historically, these impacts, while measurable, did not reach a “material” threshold, and were seen as a cost of doing business.
If we fast forward to the current day, the cyber threat landscape is no longer made up of people in their parents’ basement launching small-scale cyber-attacks. It includes sophisticated, well-funded adversaries with an acute understanding of different market segments and an advanced level of motivation to cause harm. For the financial services sector (Sector), this evolution gave rise to numerous successful cyber incidents from nefarious threat actors looking for financial gain or the ability to cause large-scale disruptions to the marketplace to erode the safety and soundness of the Sector or cause material consumer harm.
Because of the Sector’s interconnectivity, we should keep in mind that cyber security risk isn’t a national problem; it is a global problem with national implications, which requires a coordinated response across national borders. That’s a topic for another column. Here, I’ll discuss how the geopolitical environment, the proliferation of new technology solutions and the expansion of the supply chain have all contributed to the increased risks that the Sector experiences.
The financial system today is a truly global system. While this evolution has provided significant global benefits, such as greater access to liquidity and financial products and the continued growth of developing markets, this interconnectedness has also created a system that extends across geographies and national boundaries.
Political shifts between and within nation states and changes to domestic and foreign policy have led to sanctions, conflicts, civil outbreaks and warfare. Cyber-attacks have demonstrated the ability to cause extreme impacts to firms, financial market infrastructures, entire market segments and critical infrastructures, with the potential to cripple multiple nation state economies and erode the public trust in the financial marketplace. Therefore, cyber-attacks against the financial system provide yet another vehicle for nation states and other well-funded threat actors to respond to the political shifts and policy changes.
Cyber-attacks may also provide some degree of anonymity to the perpetrator of the attack. The inability to provide attribution for certain cyber-attacks may lead to these attacks becoming more prevalent when other more diplomatic measures fail to produce the desired results. Nation states continue to increase the funding dedicated to offensive and defensive cyber weapons while world leaders try to determine what type of cyber-attacks could be viewed as an ‘act of war’.
The speed of technological advancements continues to drive innovation within the Sector. Cloud technology, robotics, blockchain and other technologies are seen as vehicles to lower operational costs, improve products and product delivery, and increase risk management opportunities.
New technology also continues to shape the consumer experience, and the speed with which firms can deploy new technology solutions impacts a firm’s ability to attain significant client adoption. This speed of implementation and adoption introduces risk that must be understood and managed to ensure that vulnerabilities are not inadvertently created that could later be exploited.
For example, when a new technology is introduced, it is normally designed to address a set of functional requirements from which an end user or consumer would find benefit. Functional design decisions may not include all security considerations. In addition, the deployment strategies (e.g., internal- vs. external-managed solutions) may be incomplete. The combination of the value provided by speed to market and the lack of clarity on how the technology will be used could lead to control gaps that impede the discovery of potential vulnerabilities that could be exploited by a sophisticated threat actor.
Expansion of the Supply Chain
Firms have increased their use of third-party service providers by outsourcing certain operational functions or by using a third party to develop products and services for the firm, which means that these third-party providers have some level of access to, and trust from, the firm or may provide software for its use. The expansion of the supply chain allows firms to optimize costs and provides them with the opportunity to introduce new innovative solutions into the marketplace. For these reasons, the third parties themselves may also use vendors and other service providers (“fourth-party providers”) to deliver their services. These fourth-party providers have a relationship with the firm’s third party, not with the firm itself, which gives the firm less oversight of the controls in place and impedes the firm’s ability to understand the extent to which the surface area of its risks has increased through the third-party selection process. In other words, this supply chain expansion increases the surface area for potential threat actors to gain access to a firm and infiltrate the Sector.
Considerable attention has been given to third parties that provide critical services to the Sector. There are numerous supervisors, regulators and standard setting bodies that have developed guidance or rule-making designed to instruct firms on the proper management of these third parties. While the increased scrutiny of these third parties is warranted, there remain considerable risks to any organization with a connection to a firm’s environment. More recently, there have been demonstrable information security exploits that have taken advantage of third parties that may have been considered non-critical.
These threats and the potential impacts that could be brought to bear on the Sector have led to a multi-pronged approach by supervisors and regulators, financial firms and financial market infrastructures, standard setting bodies, government officials and agencies, and trade associations to manage these threats.
In March 2018, DTCC and Oliver Wyman published a white paper calling for cross-industry coordination around response and recovery mechanisms to mitigate the systemic consequences of a large-scale attack. This comprehensive, global coordination is designed to make markets more resilient to cyber and other operational incidents to promote the safe and orderly function of the markets and the limitation of consumer harm.
[1] As described in the Financial Stability Board Cybersecurity Lexicon: an individual, group, or organization believed to be operating with malicious intent.