Large-Scale Cyber-Attacks on the Financial System
Article Synopsis:
The complexity of the financial services industry, interconnectedness of individual players, and introduction of new and innovative technologies heighten the risk of a large-scale cyber-attack on the financial sector. Both the public and private sectors must mobilize themselves to be well prepared. This whitepaper from Oliver Wyman explores how this might be done.
In today’s world of geopolitical turmoil and rapid technological innovation, the threat from bad actors with serious financial means and deep technological capabilities is very real. Hence, the orchestration of a large-scale cyber-attack is likely a matter of “when”, not “if”.
Though this paper focuses on the implementation of potential initiatives for the U.S. financial system, the coordination opportunities identified apply similarly to financial markets in other jurisdictions and should be considered by local regulators and industry coordination groups worldwide.
The document is organized around three main themes:
- LARGE-SCALE CYBER-ATTACKS: Key attack types and scenarios for large-scale cyber-attacks with systemic consequences in the context of the payment, clearing, and settlement ecosystem.
- RESPONSE AND RECOVERY: Challenges faced by the industry to respond and recover quickly and effectively from a large-scale cyber-attack.
- OPPORTUNITIES FOR MORE INDUSTRY COORDINATION: Proposed initiatives to strengthen industry-wide coordination and increase the effectiveness of response and recovery strategies.
A variety of attack types can be highly disruptive in nature, but the manipulation of critical data is singled out as the attack type most likely to have systemic consequences for three main reasons:
- DETECTION: Difficulty identifying that an attack has occurred, particularly if data manipulation is executed without detection, bypassing reconciliation controls. For example, FireEye found that it takes on average 146 days for firms to detect a cyber intrusion.
- RESPONSE: Difficulty establishing when and how the attack originated, especially in an interconnected system with multiple options for breach origination, and a resulting inability to respond quickly.
- RECOVERY: Difficulty identifying and reverting to the ‘last known good’ state of data, given that analyzing and diagnosing data manipulation can be complicated and time consuming.
If the corruption of data integrity is pervasive and harmful enough, it could result in the disabling of key market players, causing financial loss and the disruption of critical financial services activities throughout the economy.
In many instances institutions apply business continuity approaches designed for physical attacks to cyber-attacks. But cyber-attacks fundamentally differ from physical attacks, rendering many traditional business continuity mechanisms ineffective in the cyber context:
- DETECTION: A physical attack is an external, visible event, while cyber-attacks are typically imperceptible, often by design, as attackers almost without exception employ sophisticated methods to cover their tracks.
- RESPONSE: The impact of a physical attack is usually recognized immediately, pinpointed, and contained. By contrast, cyber-attacks often spread quickly and invisibly, and the full extent of the impact is not immediately clear.
- RECOVERY: Recovery from physical attacks optimizes for immediate resumption using alternate processes and back-up applications or geographically diverse data centers. Recovery from a cyber-attack needs to balance speed of resumption against the potential negative consequences of premature resumption (for example, proliferation of malware to additional internal systems or external partners).
The paper sees two main opportunities to strengthen industry cooperation on response and recovery:
OPPORTUNITY 1: COLLECTIVE RESPONSE & RECOVERY PLAN, OUTLINING KEY RESPONSE AND RECOVERY REQUIREMENTS.
The proposed initiative entails developing a tangible outline of collective actions to be taken upon detection of a large-scale cyber-attack, based on a set of standardized criteria and tailored to specific cyber-attack scenarios.
The concepts build on the existing FS-ISAC All Hazards Crisis Response Coordination playbook, which provides guidance to the financial sector on how to evaluate and respond to physical or cyber crises, share information and analysis, and coordinate with government and other partners. In addition, it supplements the response and recovery playbooks currently in development by the Financial Systems Analysis and Resilience Center (FSARC).
The proposed initiative supplements these capabilities by stipulating the development of concrete response and recovery standards, tailored to specific cyber-attack scenarios, and further empowering existing governance bodies to offer recommendations on resumption decisions critical to the entire system.
OPPORTUNITY 2: CONTINGENT SERVICE ARRANGEMENTS.
This initiative includes arrangements allowing financial institutions to continue critical operations in the event that they or a partner suffer an outage from a cyber-attack, through one of the following operating models:
- Individual firm backup infrastructure to perform critical functions
- Arrangements between private institutions to provide mutual assistance in support of critical payments, clearing, and settlement activities
- Industry utility designed to perform critical operations of several financial institutions (for example, through a request for technical assistance)
The FSARC has already advanced the thinking on this topic through the Wholesale Payments Initiative (WPI) playbook. The playbook recommends that financial institutions set up back-up accounts with a peer firm for their largest/most critical accounts, allowing for continued servicing of these accounts in case of an outage.
In addition, the Sheltered Harbor initiative, spearheaded by FS-ISAC, requires banks to proactively store retail customer account data in an industry-standard format, allowing for a peer bank to restore account information and keep a stricken business up and running.
While this paper advances two proposed initiatives for prioritization by the industry, further discussion is required in industry-wide forums. Refinement, detailing and implementation of the proposed initiatives will require a five-step approach:
- Assignment of ownership and responsibilities for the initiatives, including assignment of primary owners and identification of additional key stakeholders and their responsibilities.
- Mobilization of the appropriate industry stakeholders, including financial services and non-financial services representatives practically responsible for the design and deployment of capabilities required at each stage of the response and recovery lifecycle.
- Detailing of each initiative, including scope, ownership structure, execution model, and enforcement mechanism.
- Development of a structured implementation plan, considering achievable timelines, resource commitments, and industry buy-in.
- Phased implementation, considering which industry players need to be integrated into the solution and prepared most rapidly, and incorporating effective testing approaches beyond tabletop exercises.
Digital Insurer's Comments
This is a serious paper from Oliver Wyman on a very serious topic. We agree that industry cooperation is required, as problems with one player can contaminate other players, bringing down entire payments, clearing and settlement ecosystems.
As detection is nearly impossible, especially in instances of data corruption, efforts are rightly focused on response. Individual market players may be taken down temporarily, causing financial loss, with spot disruption of critical financial services activities, but the larger system must endure, functioning throughout, sustaining investor confidence.