Cyber Security in India: Need for an advanced framework

The world has witnessed recurrent instances of cyber attacks in the recent past. These attacks have raised questions about the reliability of the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) messaging network, as most of them resulted from the infiltration of SWIFT by hackers. Although jurisdictions across the world have taken steps to improve cyber resilience, cases of cyber attacks are on the rise in the wake of continuous technological advancement. Given this, there is an urgent need to evolve a mechanism which can be practically implemented in case of a cyber breach.

WORLDWIDE CYBER ATTACKS IN THE RECENT PAST
In the last few years, there have been several instances of cyber attacks on banks and financial institutions. In February 2013, the Philippines was up against a deadline to amend its Anti-Money Laundering Act and get itself off the ‘grey list’ of a global watchdog. The lawmakers were considering whether to include casinos under the legislation. After various rounds of discussion, the senator chairing the meeting agreed to exclude them from the legislation. This gave hackers a loophole to route money without coming under any scrutiny.

Hackers issued instructions via the SWIFT network to steal up to USD 951,000,000 from the Bangladesh central bank’s account with the Federal Reserve Bank of New York between 4th and 5th February 2016, when Bangladesh Bank’s offices were closed. They succeeded in stealing USD 101,000,000. Of this, USD 81,000,000 was found in the Philippines (in five separate accounts with the Rizal Commercial Banking Corporation) and the remaining USD 20,000,000 in Sri Lanka (Shalika Foundation, a Sri Lanka-based company).

In January 2016, HSBC United Kingdom’s website was hacked. Following this, internet banking was blocked for several hours. However, the incident did not result in any loss of customer data.

Activist hacker group “Anonymous”, in January 2016, took the Bank of Greece offline for several minutes. However, the bank’s defences quickly responded to it and there was no compromise of data.

In April 2016, Qatar National Bank was hit by an unidentified cyber attack which resulted in the loss of up to 1.4 GB of customers’ data. The leaked data included files relating to staff at Al Jazeera, members of Qatar’s ruling al-Thani family, and intelligence and defence officials.

In May 2016, hackers attempted to steal USD 1,100,000 million from Vietnam’s Tien Phong Bank. The attack involved the use of instructions sent via the SWIFT network. However, the bank’s cyber defences responded quickly and no loss was caused.

India too was a victim of cyber breaches during 2016. In one such instance, hackers penetrated the network of Hitachi, to which some banks had outsourced their ATM transaction processing. The holders of approximately 3,200,000 debit cards feared that their account details had been compromised as a result. After the incident, the Reserve Bank of India (“RBI”) issued a list of dos and don’ts to the concerned banks.

Hitachi employed a payments security firm to carry out a forensic audit. The results of the audit disclosed that the hackers had created a ‘dummy code book’ within the Hitachi system capturing all possible 4-digit numbers from 0000 to 9999 in an attempt to steal the personal identification numbers of the customers whenever they used their ATM cards.

CYBER SECURITY INITIATIVES IN DIFFERENT JURISDICTIONS
Globally, cyber incidents are increasingly shifting towards targeting financial institutions instead of individual users. This has made cyber security a global concern rather than an isolated one affecting merely one industry or country.

In May 2016, the Hong Kong Monetary Authority launched a Cyber Security Fortification Initiative (“CFI”). The CFI is a risk-based framework for authorized institutions to assess their cyber resilience and take remedial measures, if required. It rests on three pillars, namely (i) the Cyber Resilience Assessment Framework (“CRAF”); (ii) the Professional Development Programme (“PDP”); and (iii) the Cyber Intelligence Sharing Platform (“CISP”). Under the CRAF, authorized institutions evaluate their level of defence against cyber breaches. Under the PDP, cyber security professionals are certified and trained. The CISP provides a platform through which information relating to threats is shared amongst the authorized institutions, so that cyber resilience may be improved through collaboration.

The European Banking Authority (“EBA”) directed domestic authorities in European Union member states to stress-test their financial institutions for cyber risks. The EBA even cautioned banks that they might need to hold extra capital as a buffer against such emerging threats. The EBA has further stated that cyber risks will be included under the EU’s “Pillar 2 framework”.

The Bank of England’s Financial Policy Committee has also developed a cyber testing program under the name “CBEST”, for identifying weaknesses in the cyber resilience of individual financial firms.

Similarly, the New York State Department of Financial Services (“DFS”) has also proposed a cybersecurity regulation to protect banks, insurance companies and financial services regulated by the DFS against cyber threats and leakage of customer data. The regulation will require the above-listed entities to establish and maintain a cybersecurity program.

In India too, the RBI had, in June 2016, issued a cyber security framework (“Cyber Security Framework”), to be implemented by all scheduled commercial banks. Some key features of the Cyber Security Framework are as under:

  • Distinct (and specific) board approved cyber security policy.
  • Banks to classify risks in four categories, namely low, moderate, high and very high, and mandatorily report any unusual behavior in their servers/networks to RBI.
  • Banks to set up a Security Operations Centre (“SOC”) to perform continuous surveillance and remain updated about cyber threats.
  • The IT architecture, which shall facilitate smooth functioning of such policy, should be reviewed continuously.
  • RBI has further directed banks to evolve a Cyber Crisis Management Plan (“CCMP”). The CCMP should address four aspects, namely (i) Detection; (ii) Response; (iii) Recovery; and (iv) Containment. To audit the adequacy of the cyber resilience framework, certain indicators shall be developed and tested by independent qualified professionals. In addition, banks have also been directed to create awareness about cyber security amongst all the stakeholders.
  • Certain minimum cyber security and resilience requirements, and guidelines for setting up and operating the SOC, have been specified.

In addition to the above, the Indian Computer Emergency Response Team (CERT-In) has also been established to monitor Indian cyberspace and to coordinate alerts and warnings of imminent attacks and the detection of malicious attacks in the country. Banks / financial institutions have been identified as critical infrastructure for the purpose. A National Cyber Coordination Centre has also been established.

FAILURES!

Although countries all over the globe have taken steps and initiatives to curb cyber attacks, the results have not been fruitful. With advancement in technology, hackers are finding innovative ways of attacking the servers of banks and financial institutions. Last year, while India witnessed a debit card data compromise in mid-May, it was not until September that the banking system became aware of it.

Bitfinex, the Hong Kong exchange for the trading of digital currencies, had also announced that some of its customer accounts were hacked and bitcoins stolen. The value of the stolen bitcoins has been reported to be approximately USD 65,000,000 or more. Consequently, the value of bitcoins came down and trust in the digital currency was shaken.

The website of National Securities Depository Limited was also hacked by a group of hackers. The attack in itself did not result in major data loss; however, it was reported to the Securities and Exchange Board of India 9 days after the occurrence of the incident.

Reports of approximately 188 cyber attacks on various organisations in the United Kingdom have also been doing the rounds. These incidents occurred in a span of 3 months, and the attacks have been attributed to a high degree of sophistication. This has posed a threat not only to the United Kingdom’s financial sector but also to its national security.

CONCLUSION: NEED FOR AN ADVANCED REGULATION

Having a law in place that takes into consideration the needs of the future is the need of the hour! The effectiveness of any law depends upon how well it can serve the needs of the future without overprotecting the requirements of the present. The same principle applies to establishing a robust cyber security mechanism. Such a mechanism must be formulated in a manner that also takes into consideration the rapid pace of technological advancement. Some of the considerations in achieving an advanced regulation / policy vis-à-vis cyber security are as follows:

  • Statistics suggest that it takes, on average, about 6 months to detect cyber attacks by outsiders, and longer where the attacks are by insiders. Hence, continuous surveillance and regular audits of servers and data systems are vital.
  • Synchronization of the cyber security policy with the business policy of an organisation. To achieve this, the board of directors or advisory board of an organisation should also include personnel who have expertise in technology-related areas.
  • Recruiting cyber experts rather than appointing independent vendors for configuring devices across institutions. This will help reduce the exposure of such devices to cyber threats.
  • Practices such as sharing of passwords should be done away with.
  • Systems that bar unrestricted access to information by users should be put in place. Information must be accessible only to those who need it.
  • Implementing robust, responsive and advanced cyber security regulations, together with a quick restoration plan, would result in a decline in cyber threats. Organisations must proactively work towards detecting cyber threats and employing a mechanism that enables quick action to minimise the impairment arising out of such attacks.
  • Cyber criminals are also increasingly exploiting vulnerabilities in smartphone software by infecting the operating systems with malware. Banks which provide mobile banking as a service delivery tool must also look to guard against this emerging risk.
  • The role of the Chief Information Security Officer (“CISO”) assumes great significance. The CISO plays a vital role in supporting and focussing on IT governance, information security audits, customer communication, fraud management and legal aspects. The CISO’s role needs to be enhanced from an operational level to a strategic level. Banks should use the CISO forum, established under the aegis of the Institute for Development and Research in Banking Technology, to exchange information on cyber incidents.

By Ankit Sinha and Harshit Dusad

Source: http://barandbench.com