Top 10 op risks: IT sabotage

Internet-based or cyber attacks have crossed the line from being a relatively minor institution-level threat to a significant danger to the stability of the financial system. A year which saw a growing chorus of warnings of the systemic dangers of cyber attack culminated in a speech by Atlanta Federal Reserve Bank president David Lockhart in late November: “In the last few months, the United States has experienced an escalating incidence of distributed denial of service attacks aimed at our largest banks,” Lockhart said.

He added: “Recent attacks involved unprecedented volumes of traffic – up to 20 times more than in previous attacks... The increasing incidence and heightened magnitude of attacks suggests to me the need to update our thinking. What was previously classified as an unlikely but very damaging event affecting one or a few institutions should now probably be thought of as a persistent threat with potential systemic implications.”

The threat covers state-sponsored and non-state (or “hacktivist”) attacks as well as criminally motivated threats. In fact, Dominique Benz, a New York-based director in Citi’s operations and technology risk management group, says: “Criminals are not now the primary issue on our radar.” Marina Roesler, head of the group, adds: “There are different ways to deal with all three: activists, nations and criminals. The state attacks are particularly interesting, because I think that’s where the next wars are going to be fought.”

A few recent high-profile attacks have highlighted the damage that can be done by state-sponsored cyber warfare. Denial-of-service attacks on Saudi and US banks in September were linked to Iran; the Stuxnet software which damaged Iranian nuclear centrifuges in 2011, and the related Flame software, were linked to Israel and the US; and it’s reasonable to expect that a tool which is demonstrably cheap, easy to use and effective will be used more and more frequently, either for destructive or information-gathering purposes.

Banks and other financial institutions need to prepare for the indirect effects of an attack aimed elsewhere – and should treat this as a business continuity scenario rather than a threat which can be completely defeated, Lockhart continued. “Even broad adoption of preventive measures may not thwart all attacks. Collaborative efforts should be oriented to building industry resilience. Resilience measures would be similar to those put in place in the banking industry to maintain operations in a natural disaster – multiple backup sites and redundant computer systems, for example,” he warned.

Collaboration between threatened companies and public-sector organisations has grown. Late in 2012 the UK government’s communications intelligence agency, GCHQ, announced it would act as a threat clearing house for UK companies under threat and approved security providers, as well as offering advice and training on computer security – and the US Department of Homeland Security has been vocal in encouraging US banks to work together and exchange information on threats and defensive responses.

Roesler comments that this could go further: “I expect we will see more and more banks starting to co-operate to block threats to the system – there may also be opportunities to disrupt the threat before they get attacked,” she says.

As cyber attack has grown as a business continuity threat, there has been an increasing tendency for critical infrastructure – critical not only to the financial sector but to the country as a whole – to be moved online. Banks would not be immune to the widespread destructive effects of an attack on national infrastructure. Paul Simmonds, co-founder of information security site The Jericho Forum, told a London security conference in November: “I’m worried we’re rushing headlong into connecting parts of critical infrastructure items to the internet. Whether it’s smart meters or embedded Scada [industrial process control] systems, because of convenience and cost savings we’re just saying we’re going to connect it to the internet because we can’t afford to put a man there.”

Paul Davis, director for Europe at IT security provider FireEye, agrees: “When it comes to critical infrastructure, extreme vigilance is needed when taking the leap of faith into the online world,” he says. “Data loss and fraud are terrible outcomes of a breach, [but] an intrusion on our control systems could have significantly more devastating consequences.”

Top 10 operational risks 2013: Back to introduction

IT sabotage

NEXT: Reputational damage

Incentives and compensation

I expect we will see more and more banks starting to co-operate to block threats to the system

Fraud and customer data abuse

Epidemic disease

Political intervention

Sanctions and AML compliance

Emerging market operating risks

Business continuity and disaster recovery

Failure to enforce internal controls

Operational risk best practice will be discussed at OpRisk Europe on June 11-14 in London. For more information and details about attending visit opriskeurope.com