Top 10 op risks: IT sabotage

IT sabotage: top 10 operational risks for 2013

iran-reactor
The Bushehr nuclear power plant in southern Iran: the Stuxnet computer virus damaged Iran’s nuclear capabilities

target-iconInternet-based or cyber attacks have crossed the line from being a relatively minor institution-level threat to a significant danger to the stability of the financial system. A year which saw a growing chorus of warnings of the systemic dangers of cyber attack culminated in a speech by Atlanta Federal Reserve Bank president David Lockhart in late November: “In the last few months, the United States has experienced an escalating incidence of distributed denial of service attacks aimed at our largest banks,” Lockhart said.

He added: “Recent attacks involved unprecedented volumes of traffic – up to 20 times more than in previous attacks... The increasing incidence and heightened magnitude of attacks suggests to me the need to update our thinking. What was previously classified as an unlikely but very damaging event affecting one or a few institutions should now probably be thought of as a persistent threat with potential systemic implications.”

The threat covers state-sponsored and non-state (or “hacktivist”) attacks as well as criminally motivated threats. In fact, Dominique Benz, a New York-based director in Citi’s operations and technology risk management group, says: “Criminals are not now the primary issue on our radar.” Marina Roesler, head of the group, adds: “There are different ways to deal with all three: activists, nations and criminals. The state attacks are particularly interesting, because I think that’s where the next wars are going to be fought.”

A few recent high-profile attacks have highlighted the damage that can be done by state-sponsored cyber warfare. Denial-of-service attacks on Saudi and US banks in September were linked to Iran; the Stuxnet software which damaged Iranian nuclear centrifuges in 2011, and the related Flame software, were linked to Israel and the US; and it’s reasonable to expect that a tool which is demonstrably cheap, easy to use and effective will be used more and more frequently, either for destructive or information-gathering purposes.

Banks and other financial institutions need to prepare for the indirect effects of an attack aimed elsewhere – and should treat this as a business continuity scenario rather than a threat which can be completely defeated, Lockhart continued. “Even broad adoption of preventive measures may not thwart all attacks. Collaborative efforts should be oriented to building industry resilience. Resilience measures would be similar to those put in place in the banking industry to maintain operations in a natural disaster – multiple backup sites and redundant computer systems, for example,” he warned.

Collaboration between threatened companies and public-sector organisations has grown. Late in 2012 the UK government’s communications intelligence agency, GCHQ, announced it would act as a threat clearing house for UK companies under threat and approved security providers, as well as offering advice and training on computer security – and the US Department of Homeland Security has been vocal in encouraging US banks to work together and exchange information on threats and defensive responses.

Roesler comments that this could go further: “I expect we will see more and more banks starting to co-operate to block threats to the system – there may also be opportunities to disrupt the threat before they get attacked,” she says.

As cyber attack has grown as a business continuity threat, there has been an increasing tendency for critical infrastructure – critical not only to the financial sector but to the country as a whole – to be moved online. Banks would not be immune to the widespread destructive effects of an attack on national infrastructure. Paul Simmonds, co-founder of information security site The Jericho Forum, told a London security conference in November: “I’m worried we’re rushing headlong into connecting parts of critical infrastructure items to the internet. Whether it’s smart meters or embedded Scada [industrial process control] systems, because of convenience and cost savings we’re just saying we’re going to connect it to the internet because we can’t afford to put a man there.”

Paul Davis, director for Europe at IT security provider FireEye, agrees: “When it comes to critical infrastructure, extreme vigilance is needed when taking the leap of faith into the online world,” he says. “Data loss and fraud are terrible outcomes of a breach, [but] an intrusion on our control systems could have significantly more devastating consequences.”

Top 10 operational risks 2013: Back to introduction

IT sabotage

NEXT: Reputational damage

Incentives and compensation

I expect we will see more and more banks starting to co-operate to block threats to the system

Fraud and customer data abuse

Epidemic disease

Political intervention

Sanctions and AML compliance

Emerging market operating risks

Business continuity and disaster recovery

Failure to enforce internal controls

 

Operational risk best practice will be discussed at OpRisk Europe on June 11-14 in London. For more information and details about attending visit opriskeurope.com

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe

You are currently unable to copy this content. Please contact info@risk.net to find out more.

Financial crime and compliance50 2024

The detailed analysis for the Financial crime and compliance50 considers firms’ technological advances and strategic direction to provide a complete view of how market leaders are driving transformation in this sector

Investment banks: the future of risk control

This Risk.net survey report explores the current state of risk controls in investment banks, the challenges of effective engagement across the three lines of defence, and the opportunity to develop a more dynamic approach to first-line risk control

Op risk outlook 2022: the legal perspective

Christoph Kurth, partner of the global financial institutions leadership team at Baker McKenzie, discusses the key themes emerging from Risk.net’s Top 10 op risks 2022 survey and how financial firms can better manage and mitigate the impact of…

Emerging trends in op risk

Karen Man, partner and member of the global financial institutions leadership team at Baker McKenzie, discusses emerging op risks in the wake of the Covid‑19 pandemic, a rise in cyber attacks, concerns around conduct and culture, and the complexities of…

Moving targets: the new rules of conduct risk

How are capital markets firms adapting their approaches to monitoring and managing conduct risk following the Covid‑19 pandemic? In a Risk.net webinar in association with NICE Actimize, the panel discusses changing regulatory requirements, the essentials…

Most read articles loading...

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here