Top 10 op risks: IT sabotage
IT sabotage: top 10 operational risks for 2013
Internet-based or cyber attacks have crossed the line from being a relatively minor institution-level threat to a significant danger to the stability of the financial system. A year which saw a growing chorus of warnings of the systemic dangers of cyber attack culminated in a speech by Atlanta Federal Reserve Bank president David Lockhart in late November: “In the last few months, the United States has experienced an escalating incidence of distributed denial of service attacks aimed at our largest banks,” Lockhart said.
He added: “Recent attacks involved unprecedented volumes of traffic – up to 20 times more than in previous attacks... The increasing incidence and heightened magnitude of attacks suggests to me the need to update our thinking. What was previously classified as an unlikely but very damaging event affecting one or a few institutions should now probably be thought of as a persistent threat with potential systemic implications.”
The threat covers state-sponsored and non-state (or “hacktivist”) attacks as well as criminally motivated threats. In fact, Dominique Benz, a New York-based director in Citi’s operations and technology risk management group, says: “Criminals are not now the primary issue on our radar.” Marina Roesler, head of the group, adds: “There are different ways to deal with all three: activists, nations and criminals. The state attacks are particularly interesting, because I think that’s where the next wars are going to be fought.”
A few recent high-profile attacks have highlighted the damage that can be done by state-sponsored cyber warfare. Denial-of-service attacks on Saudi and US banks in September were linked to Iran; the Stuxnet software which damaged Iranian nuclear centrifuges in 2011, and the related Flame software, were linked to Israel and the US; and it’s reasonable to expect that a tool which is demonstrably cheap, easy to use and effective will be used more and more frequently, either for destructive or information-gathering purposes.
Banks and other financial institutions need to prepare for the indirect effects of an attack aimed elsewhere – and should treat this as a business continuity scenario rather than a threat which can be completely defeated, Lockhart continued. “Even broad adoption of preventive measures may not thwart all attacks. Collaborative efforts should be oriented to building industry resilience. Resilience measures would be similar to those put in place in the banking industry to maintain operations in a natural disaster – multiple backup sites and redundant computer systems, for example,” he warned.
Collaboration between threatened companies and public-sector organisations has grown. Late in 2012 the UK government’s communications intelligence agency, GCHQ, announced it would act as a threat clearing house for UK companies under threat and approved security providers, as well as offering advice and training on computer security – and the US Department of Homeland Security has been vocal in encouraging US banks to work together and exchange information on threats and defensive responses.
Roesler comments that this could go further: “I expect we will see more and more banks starting to co-operate to block threats to the system – there may also be opportunities to disrupt the threat before they get attacked,” she says.
As cyber attack has grown as a business continuity threat, there has been an increasing tendency for critical infrastructure – critical not only to the financial sector but to the country as a whole – to be moved online. Banks would not be immune to the widespread destructive effects of an attack on national infrastructure. Paul Simmonds, co-founder of information security site The Jericho Forum, told a London security conference in November: “I’m worried we’re rushing headlong into connecting parts of critical infrastructure items to the internet. Whether it’s smart meters or embedded Scada [industrial process control] systems, because of convenience and cost savings we’re just saying we’re going to connect it to the internet because we can’t afford to put a man there.”
Paul Davis, director for Europe at IT security provider FireEye, agrees: “When it comes to critical infrastructure, extreme vigilance is needed when taking the leap of faith into the online world,” he says. “Data loss and fraud are terrible outcomes of a breach, [but] an intrusion on our control systems could have significantly more devastating consequences.”
Top 10 operational risks 2013: Back to introduction
IT sabotage
I expect we will see more and more banks starting to co-operate to block threats to the system
Emerging market operating risks
Business continuity and disaster recovery
Failure to enforce internal controls
Operational risk best practice will be discussed at OpRisk Europe on June 11-14 in London. For more information and details about attending visit opriskeurope.com
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe
You are currently unable to print this content. Please contact info@risk.net to find out more.
You are currently unable to copy this content. Please contact info@risk.net to find out more.
Copyright Infopro Digital Limited. All rights reserved.
As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (point 2.4), printing is limited to a single copy.
If you would like to purchase additional rights please email info@risk.net
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (clause 2.4), an Authorised User may only make one copy of the materials for their own personal use. You must also comply with the restrictions in clause 2.5.
If you would like to purchase additional rights please email info@risk.net
More on Operational risk
Integrated GRC solutions 2024: market update and vendor landscape
In the face of persistent digitisation challenges and the attendant transformation in business practices, many firms have been struggling to maintain governance and business continuity
Vendor spotlight: Dixtior AML transaction monitoring solutions
The Chartis Research report, AML transaction monitoring solutions, considers how, by working together, financial institutions, vendors and regulators can create more effective anti-money laundering (AML) systems.
Financial crime and compliance50 2024
The detailed analysis for the Financial crime and compliance50 considers firms’ technological advances and strategic direction to provide a complete view of how market leaders are driving transformation in this sector
Automating regulatory compliance and reporting
Flaws in the regulation of the banking sector have been addressed initially by Basel III, implemented last year. Financial institutions can comply with capital and liquidity requirements in a natively integrated yet modular environment by utilising…
Investment banks: the future of risk control
This Risk.net survey report explores the current state of risk controls in investment banks, the challenges of effective engagement across the three lines of defence, and the opportunity to develop a more dynamic approach to first-line risk control
Op risk outlook 2022: the legal perspective
Christoph Kurth, partner of the global financial institutions leadership team at Baker McKenzie, discusses the key themes emerging from Risk.net’s Top 10 op risks 2022 survey and how financial firms can better manage and mitigate the impact of…
Emerging trends in op risk
Karen Man, partner and member of the global financial institutions leadership team at Baker McKenzie, discusses emerging op risks in the wake of the Covid‑19 pandemic, a rise in cyber attacks, concerns around conduct and culture, and the complexities of…
Moving targets: the new rules of conduct risk
How are capital markets firms adapting their approaches to monitoring and managing conduct risk following the Covid‑19 pandemic? In a Risk.net webinar in association with NICE Actimize, the panel discusses changing regulatory requirements, the essentials…