Banks and other financial institutions are all too aware of the cybersecurity threat. They have lost millions to theft and fraud over the years. In response they have spent millions on technical measures to protect themselves, both perimeter and defence-in-depth. Such measures are necessary, but not sufficient. In 1932 Stanley Baldwin, a former and future British Prime Minister, warned that “the bomber will always get through”. Despite all the air defences put in place by both sides in the Second World War, this proved broadly true. In the 21st century it is the hacker who will always get through. In large part this is because the vulnerabilities of information systems are as much human as technological (opening spear-phishing emails, weak or reused passwords, disgruntled employees). As I argue in my new book “Cyberdiplomacy”, institutions like banks need to develop broader “diplomatic” strategies to complement the technical measures.
To see why, it is worth considering the full range of a bank’s engagement with cybersecurity. Firstly there are the direct threats to the bank itself. These are not limited to financial theft and fraud. Hackers may equally be looking to steal data, whether client data or details of the bank’s operations. Such data can be sold on the dark web, used to blackmail the bank, or released to damage the bank’s reputation. If the bank has been developing new software, the aim may be theft of intellectual property. The bank’s systems may be used as a conduit to gain access to the systems of more important clients, to steal data or intellectual property, especially if the bank has been investing in high-tech start-ups. Hackers may attempt to disrupt the bank’s operations, either for extortion (e.g. ransomware operations) or again to damage its reputation. Disruption operations may be targeted specifically at damaging the bank, or form part of a broader governmental operation to destabilise society. Finally the bank may be the inadvertent victim of a non-targeted operation (like the WannaCry ransomware worm in 2017).
Dealing with these threats requires more than just technical measures, as shown by the decreasing but still significant time that elapses in the financial sector between an intrusion and its detection. Like other companies, banks need to exchange threat information and good practice with each other and with governments, possibly creating secure fora to do so. They need to work on government to ensure that all parts of government prioritise cybersecurity over cyber offence. They need to engage with the public to ensure that the public blames the hacker, not the bank, when a hack occurs. And they have to develop effective internal strategies to ensure that all their employees understand their cybersecurity responsibilities and follow the protocols (and apply patches promptly!).
But banks do not just have to worry about the security of their own systems. They have to worry about those of their customers, including their retail customers. With ever more online banking, retail customers become another cyber vulnerability. Careless use of their online accounts can give hackers a way into the bank’s systems. The risks are multiplied as banks have piled update upon update on already creaking computer systems, as shown by the increasing number of online banking outages. It is not just that careless online customers could allow hackers to access their accounts or the bank’s systems. Retail customers in particular are vulnerable to all manner of online or telephone fraud in which they are persuaded to reveal their bank account details. There is pressure on banks to be more generous towards the victims in such cases, with some arguing that banks have a duty of care towards their retail customers. It is in banks’ interests, both to reinforce the security of their systems and to head off unwanted new regulation, to improve the cybersecurity awareness of their customers, and in particular of their more vulnerable retail customers.
Banks of course also lend money. It is their core business. They invest in companies and projects. Major investments require careful due diligence, to ensure as far as possible that the investment is viable and that its recipient will be able to repay it. When such investments are, or may become, exposed to geopolitical or cyber threats, due diligence should also ensure that the recipient of the investment is taking steps to guard against them. Some banks do insist on the recipient adopting the necessary technical cyber protection (as a mortgage lender may insist on the borrower taking out buildings insurance). But if technical cybersecurity measures are necessary but not sufficient, does that mean that purely technical due diligence is also insufficient? For major investments, do banks need to develop diligence criteria that require recipients to put in place broader, non-technical cybersecurity strategies as well?
Banks and other financial institutions face major cyber threats. They are extremely attractive targets. They must continue to invest in technical cyber defence. But they also need to develop broader strategies to engage with governments, other banks, their clients and recipients of their investment and the general public. This will be all the more true as fintech develops and ever more complicated digital systems increase interconnectedness, and therefore vulnerabilities.