Top 10 op risks 2019: IT disruption

Cyber attacks conjure images of masked figures gaining access to the IT network of a company or government and making away with millions, yet the reality is often more prosaic. Malware designed merely for nuisance value can cripple firms’ operations, while the origin of attack is often not rogue criminal but state entity: the WannaCry and NotPetya ransomware events of 2017 were widely attributed to state-sponsored sources.

“Hackers are more organised and some countries have malicious, not criminal intent,” says an operational risk consultant. “They might not get anything out of it apart from bringing systems down and causing disruption.”

The past year has not seen many high-profile disruptive cyber attacks, which may go some way to explaining why IT disruption slips to second place in Risk.net’s 2019 survey.

However, risk experts still see cyber attacks as an ever-present menace.

Distributed denial of service (DDoS) is one of the most common forms of attack. DDoS data from two security specialists provides a conflicting picture: Kaspersky Lab reports a decline in overall attacks by 13% from 2017 to 2018. Corero says that among its customers, the number of events in 2018 was up 16% year on year.

Banks remain vulnerable, even the largest. In April 2018, it was revealed that co-ordinated DDoS attack had disrupted services at seven major UK lenders, including RBS, Lloyds, HSBC and Barclays. The National Crime Agency and international partners responded by shutting down a website linked to the attacks that offered DDoS services for a small fee.

More conventional hacking “break-ins”, to steal valuable data or cash, also pose a threat to firms. In the case of Banco de Chile, attackers infected company computers and servers with a virus as a distraction, allowing them to access the bank’s Swift accounts and make off with $10 million. The ensuing chaos resulted in branch closures, and is part of a repeat pattern of hackers targeting banks in emerging markets to tap into the international Swift payment network.

Some banks are responding to the cyber threat by better integrating their risk and IT departments, and treating cyber security as an integral part of effective risk management. For example, Goldman Sachs’s chief information security officer was recently chosen to head up operational risk, bringing several techies with him.

One operational risk expert at an insurer says his firm has recently overlaid a dedicated risk management team across the IT department to more effectively tackle cyber risk, as well as deal with weaknesses in the insurer’s ageing tech infrastructure.

As banks shift more of their retail and commercial activity online, a growing fear is that a widespread cyber event could cripple an institution’s activity. Dwindling branch networks are reducing the “hard” infrastructure that lenders could previously rely on to maintain essential services.

“Banks may be taking channels offline as firms move away from the high street and close their branches,” says the head of operational risk at a bank. “So one route they have which offers them a certain type of resilience may not be there in a few years’ time and they may be wholly dependent on the digital side.”

Operational resilience is the focus of a subcommittee recently set up within the Basel Committee for Banking Supervision, as the global standard-setter looks to take stock of cyber best practice and, possibly, propose measures to address gaps in policy.

In the US, central counterparties, which are important circuit breakers in financial markets, have upped spending to fend off cyber attacks. Since many CCPs guarantee millions of trades across asset classes, an attack that puts them out of action could be particularly devastating for markets. As middlemen, CCPs also store trade data that could be valuable for malicious entities.

One route [banks] have which offers them a certain type of resilience may not be there in a few years’ time and they may be wholly dependent on the digital side

Head of operational risk at a bank

Executives from the Options Clearing Corporation, Nasdaq and DTCC have all emphasised the importance of tending to cyber risk, with the OCC allocating a greater increase in spend to this area than any other.

But in Europe, a parliamentarian has expressed fears that CCPs have not invested sufficiently in non-default risks like cyber, calling for more intelligent cyber stress-testing. European legislators are currently preoccupied with legislation that primarily deals with default losses, including cross-jurisdictional regulatory oversight and recovery rules.

In building their defences, bank risk managers have come up with proactive methods to boost resilience and prepare themselves for inevitable cyber attacks. Barclays is inviting red teams to break into buildings and hack their systems to test their resilience. Maybank employs so-called “ethical hackers” who delve into the dark web to discover new threats and prepare the bank’s defences appropriately.  

This more proactive approach may be what’s required to deal with new risk areas. At institutions that allow employees to “bring your own device”, laptops, phones and smartwatches are vulnerable. The so-called internet of things, which links everyday devices such as printers, thermostats, even coffee machines, opens up a new frontier in cyber risk. Any device capable of transmitting data can be mobilised to perform devastating DDoS attacks.

Return to index