JP Morgan Chase reported last week that 76 million households and seven million businesses had their private information compromised, including customer names, addresses and telephone numbers but excluding financial information.
Follow-up reports (via the Bloomberg newswire) have since claimed that the bank may have been compromised by a state-sponsored actor that exploited an employee's password to break into a company server.
More positively, however, the hack has sparked a deeper discussion about protecting financial institutions from cyber-attack, and most notably amongst politicians, financiers and insurers in the UK.
The House of Commons Treasury Select Committee has reportedly held several ‘high-level meetings’ with regulators and other experts in cyber-crime in recent months, and is said to have stepped up its plans since the attack.
“The Treasury Committee has been looking at this issue for many years,” Andrew Tyrie, chairman of the cross-party Treasury Committee, told The Telegraph. “The JP Morgan case illustrates the scale of the risks and the importance of ensuring that firms, regulators and, where appropriate, the intelligence agencies are taking all reasonable steps to prevent cybercrime.”
The committee is also believed to have been discussing cyber security with policymakers at the Bank of England.
Elsewhere, Legal and General – one of the biggest fund managers in London – has used news of the cyber-attack to urge the biggest companies on the UK stock exchange to focus on cyber security, while Tom Ridge, the first US secretary of homeland security, has announced the founding of a company that will sell cyber-attack insurance.
Legal and General urged FTSE 350 companies to use this incident to improve their cyber security practices, after expressing concern that only half of FTSE 350 chairmen thought their board understood how data loss would affect their business.
“Cyber security is a tier one threat to the UK's national interest, alongside acts of terrorism and natural hazards,” said corporate governance director Sacha Sadan in the firm's annual corporate governance report.
“Boards need to be aware of these threats when making strategic decisions or building processes to support the business,” he said.
Meanwhile, Tom Ridge, the US' first-ever homeland security chief, has announced that he is working with Lloyd's of London to launch an insurance company, Ridge Insurance Solutions, that will specialise in corporate cyber security policies. The company will be based in Washington DC.
“This is not just about insurance but helping and incentivising companies to manage their cyber operations more effectively,” said Ridge, a former governor of Pennsylvania.
Responding to the news, Andrew Barrett, managing director at QSA Coalface, told SCMagazineUK.com that businesses must get better at protecting themselves (citing as one example firms that do not keep their system logs in a ‘usable state’), but said that financial services remains a forerunner in cyber security protection.
“We are seeing a lot of interest in our services in order to perform broader risk assessments that can support multiple compliance regimes as well as reduce risk,” he told SC, before adding that industry collaboration – a big issue in last year's Waking the Shark II exercise – is complicated by the fact that companies will try to capitalise on their rivals' own cyber security failures.
“To give the financial services industry as a whole its dues, they are by far the most mature when it comes to cyber security in part because of the level of regulation they are subject to but in part due to the recognition of the role they play in relation to customer money,” said Barrett.
“Banks are moving away from being physical vaults that we once put our gold and silver in because the collective investment meant they could better secure it. They are, however, in the same position with assets accessible electronically and we should expect to see them at the forefront of cyber security. As with many things, the politicians and policy makers are often late to the party and focus on the last major threat. Many of my friends and peers in industry, however, see this as a good thing as it keeps prodding the executive decision makers to fund the cyber security projects appropriately.”
Ben Densham, chief technology officer at security consultancy Nettitude, added that most organisations can expect to be breached, but said that financial organisations are the prime target.
“Financial organisations are front and centre for custom attacks that can be delivered to them,” Densham told SC.
“In the UK the next generation of penetration testing is aiming to provide a much higher level of security assurance to organisations through the use of threat intelligence, advanced targeted testing and in-depth response capabilities. At the end of the day, the ability to effectively respond in depth to a breach is critical – whoever you are. Expect to be breached and ensure you can respond when it happens.”
Earlier this month, the British Bankers' Association announced that 12 government and law enforcement agencies are to use a “pioneering” financial crime alert system to warn banks on the latest threats in fraud and cyber-crime.