Banks - with their substantial cash deposits - are among the institutions most targeted by cyber-attackers.
Cyber-attackers often work for criminal groups or rogue states. A number of attacks have exploited security vulnerabilities at banks’ SWIFT portals to make off with large quantities of money. The regularity of these attacks – given the spoils available – will only increase and custodians need to be prepared.
Distributed Denial of Service (DDoS) attacks and data thefts have also crippled the infrastructure at a number of well-known institutions. DDoS attacks on custodians could easily impair clearing and settlement activities or corporate action processing. Alarmingly, the UK National Crime Agency said the software behind the damaging 2017 DDoS on seven UK banks could be rented out for less than $15. 1
Regulators demand the industry respond to cybercrime
The risk of cybercrime to capital markets has been grappled with by regulators. The International Organisation of Securities Commissions (IOSCO) acknowledged as far back as 2013 that inadequate cyber security was a potential systemic risk to exchanges, while a number of domestic regulators including the US Securities and Exchange Commission (SEC) and European Central Bank (ECB) have authored detailed guidance on the issue.
While the authorities have released frameworks specifying best practices, there is very little regulatory harmonisation in the field of cyber security, which can make compliance at global organisations a very difficult exercise. 2 Most regulators concede prescriptive rules are not the appropriate solution, although they do expect providers to have joined-up approaches in place to ward off or react to cyber attacks. 3
Network managers scrutinise cyber security
Cyber security is also a pivotal issue for network managers at broker dealers and global custodians -they will regularly probe sub-custodians about their various protections during on-site due diligence visits. A lot of this added network manager scrutiny is regulatory driven. The Alternative Investment Fund Managers Directive (AIFMD) and UCITS V apply strict liability provisions on providers if assets are lost or stolen anywhere in the custody chain, making cyber security a priority for clients.
There is even momentum at the Association for Financial Markets in Europe (AFME) to integrate more cyber security questions into the industry body’s standardised due diligence questionnaire (DDQ) template for network managers. 4 With clients increasingly examining custodians’ cyber security, providers are investing heavily into their systems.
Custodians join the cyber battle
Aside from creating a robust IT infrastructure, staff wide education is the best defence against being hacked. A number of banks are conducting regular cyber training, with a handful even phishing their own personnel to test employee awareness and responses. Firms operating in some of the less developed markets are also conducting deeper due diligence on local suppliers, where cyber security may be nothing more than an afterthought. Banks with large footprints therefore need to ensure their cyber defences and policies are fully standardised and coordinated, otherwise criminals will find weaknesses.
Getting it wrong can be an expensive mistake
Cyber defences systems and proper training will help reduce the probability of being hacked, but it will never eliminate the risk entirely. If an organisation is successfully attacked but can demonstrate that its policies and procedures are in line with best practices, the consequences can be better contained. An organisation with poor cyber defences will face sterner costs and criticism, as clients may be tempted or forced to pull business from that provider.
Custodians therefore cannot afford to be complacent. The regulatory impact on custodians could also be severe and punitive in the event of a serious cyber attack. Firstly, the theft of assets in the custody chain following a cyber attack could result in providers being forced to replenish the proceeds under AIFMD and UCITS V, while data breaches can incur large fines under the General Data Protection Regulation (GDPR).
Cybercrime in the next five years
As cybercrime becomes increasingly potent, more banks are turning to disruptive technologies to protect themselves against the evolving outside threats. A number of firms are utilising AI tools like pattern analysis to identify abnormal or irregular trends, which could be a prelude to an attack. A study found 29% of organisations said they want to use AI in incident detection, while 27% acknowledged they would deploy the technology in incident response. 5
However, as custodians increasingly leverage big data and integrate disruptive technologies like Blockchain and AI into their operational processes, they need to be assured these innovations are well-insulated from risks. As many of these technologies are still untested and immature, their vulnerabilities and risk vectors have not been fully understood or considered by market participants.
With clients and regulators becoming more focused on cyber security and data protection, custodians need to make sure their organisations can withstand attacks and respond quickly to breaches. Operational deficiencies in cyber security can have systemic implications and reducing this risk must be an industry priority, otherwise client money or data could be put in jeopardy.
Charles Gubert
Director
GTL Associates
charlesgubert@gtlassociates.co.uk
1 National Crime Agency (April 25, 2018) International operation shuts down notorious cyber crime website
2 Herbert Smith Freehills Are you keeping pace with cyber-security rules and regulations?
3 Herbert Smith Freehills Are you keeping pace with cyber-security rules and regulations?
4 Global Custodian (July 24, 2018) Network managers reducing DDQ questions for sub-custodians
5 CSO (January 25, 2018) Artificial intelligence and cyber-security: The Real Deal