"No single actor – not the Federal (National) government, nor any individual firm – has the resources to protect markets from cyber-threats on their own," said Kenneth E Bentsen, Jr., SIFMA president and CEO, in a news release announcing the completion of SIFMA’s global industry-wide Quantum Dawn V cyber-security exercise.
Quantum Dawn V is the latest of the cyber-security resilience test by the Securities Industry and Financial Markets Association (SIFMA), US. The comment sparks concern because the very same words were used to describe the results of the previous Quantum Dawn test conducted two years ago.
"The financial services industry is a top target, facing tens of thousands of cyber-attacks each day. Enhanced harmonisation of regulatory standards and supervision, to reduce the amount of duplicative or redundant rules, would help enable firms to devote more resources to security and better protect investors," Bentsen said in the announcement.
The previous exercise had more than 50 financial firms, government regulators and SIFMA itself taking part. This edition had a wider, global scope, with over 600 participants from over 180 financial institutions and government agencies from Australia, Canada, Europe, Hong Kong, India, Malaysia, Japan, Singapore joining the drill.
Regulators, central banks and government entities from across the globe were either participants or observers.
While there are several stress tests conducted across the world to assess the business resilience of banks, Quantum Dawn V is the first global cyber-security stress test for financial institutions.
"Quantum Dawn V was not a pass/fail test but rather an opportunity for participants to interact across functions internally and with partners externally, both locally and globally, and to exercise their crisis response and communications plans," read the fact sheet of the test.
"This a laudable idea," said Ilia Kolochenko, founder and CEO of web security company ImmuniWeb. "Other countries and industries shall definitely follow the example."
However, he suggested expanding the test scenario by including breaches of trusted third-parties and governmental authorities.
"A large-scale ransomware attack, even if well-prepared and aimed against major financial institutions, is much less perilous than a campaign simultaneously targeting market regulators, news agencies and law enforcement agencies," he said.
SC Magazine UK wrote in August about how the financial services remain low-hanging fruits for cyber-criminals, after the Capital One data breach came to light. A survey of 100 senior business decision-makers in the UK by data security company Clearswift showed that 70 percent of financial companies faced a cyber-security incident.
Share prices are the first casualties of a security incident. The annual study on the impact of data breaches on the share prices by Comparitech found that share prices of breached companies hit a low point two weeks following a breach, with share prices falling 7.2 percent on average and underperforming the NASDAQ by -4.18 percent.
Finance and payment companies saw the largest drop in share price performance following a data breach, said the study. Their share prices are worst hit when breaches leak highly sensitive information such as credit card and social security numbers.
RBS, in its half-yearly financial results, conceded that the group is subject to increasingly sophisticated and frequent cyber-attacks. "The group is exposed to third party risks including as a result of outsourcing and its use of new technologies and innovation, as well as related regulatory and market changes. Failure to effectively manage these risks could adversely affect the group," it said.
While most of the cyber-incidents happen due to targeted attacks, security negligence, such as in the case of Equifax, also play a part. This month, UK MPs recommended that financial companies refund and reimburse victims of fraud, as well as recommending a mandatory 24 hour delay on all first time payments between bank accounts to try and outwit fraudsters.
"These recommendations from MPs to refund and reimburse customers will come as welcome news," commented Mark Crichton, senior director, - security product management at OneSpan.
"Fraud is only becoming more sophisticated as hackers continue to target vulnerable channels such as digital and mobile, and users simply cannot be expected to foot the bill any longer, especially when there are often life-changing sums of money at risk," he said.
However, instead of delaying payments by 24 hours, banks should take steps to prevent attacks from happening in the first place, he suggested.
"We’re witnessing huge developments in preventative technology, including innovations in adaptive authentication, biometrics and behavioural techniques to tackle the UK’s billion-pound fraud problem. To get ahead, risk-based systems that can analyse vast amounts of channel-driven data and detect fraud in real-time are crucial for banks to adequately defend against attacks and buck fraud trends."
However, an attack targeting the financial infrastructure need not be mounted directly, warned Kolochenko.
"A true "Black Swan" will likely breach a couple of reputable news agencies to spread explosive but fake news, then will corroborate them with a message from a couple of breached governmental websites such as SEC or DOJ and, finally, will paralyse major banks with ransomware to create a verisimilitude of a global collapse," he explained.
"Such an attack may be the disastrous end of a modern-day financial world that is unprecedentedly fragile. Therefore, it would be a good idea to consider and assess the risks imputed to trusted third-parties during the next exercise, making it multidimensional," he added.