Financial services face cyber-attacks
Concerns around big data, mobile, IoT & cloud.
The Australian Securities and Investments Commission (ASIC) is seeking industry feedback by the end of June on how to close the gaps in cyber-security across financial systems and other regulated sectors.
The regulated industry sectors remain vulnerable to attack, says the key industry regulator, which has made cyber-security a core focus for 2015.
Cyber-security breaches are costing the global economy more than US $400 billion a year. In Australia, nearly 5 million people have been affected by some form of cyber-attack, with estimated losses of nearly AU $1 billion.
ASIC's March report, "Cyber resilience: Health check", says that industry feedback will help tighten cyber-resilience across the financial services and other regulated sectors. Organisations need to be better prepared to respond to, adapt to and recover from cyber-attacks on a scale not seen before.
ASIC says these attacks are escalating across data-driven, mobile, internet and cloud-based services.
Why cyber-resilience matters
The financial services and other regulated sectors must invest in cyber-resilience programs. These are critical to build investor and consumer trust in financial and related transactions.
In a global economy, electronic links across financial systems mean the impact of a cyber-attack spreads quickly. These attacks affect the integrity and efficiency of global markets, and trust and confidence in the financial system are compromised.
Australians are rapid adopters of technology. Nearly 7.5 million consumers access the internet through mobile phones. This use is driving rapid growth in financial services delivered over mobile channels, including mobile banking and electronic payments.
More Australians shop online for insurance and financial services than their counterparts in the US or the major European economies.
Protecting critical infrastructure
Australia's financial system is part of the nation's critical infrastructure. The sector is vital to supporting economic growth and meeting financial needs such as credit and payment services.
Cyber-attacks are now considered a systemic risk for the financial system. Systemic risk is broadly defined as the risk of disruption to the flow of financial services.
Investors' growing reliance on online accounts and electronic trading increases cyber-risk for market participants.
Health check for business
The ASIC report sets out "health checks" that enable businesses to review their cyber-resilience programs. Among the trends it identifies:
Businesses face cyber risks from both external threats and internal vulnerabilities, and these evolve over time. PricewaterhouseCoopers' "Global State of Information Security Survey 2015" polled more than 9,700 security, IT and business executives.
The PwC findings suggest the total number of cyber-security incidents detected in 2014 was 42.8 million, an increase of 48 per cent on the previous year.
More worrying, an estimated 71 per cent of incidents go undetected. Cyber-risk management is still a largely voluntary exercise for most companies in the United States, Asia-Pacific and Europe.
Any business that interacts over electronic networks or the internet, or that relies on third-party technology vendors and suppliers, carries a risk of exposure.
At a glance: Which platforms are vulnerable?
Internet of things (IoT)
Australians are increasingly interconnected through a range of consumer "internet of things" devices, including baby monitors, smart televisions, security cameras, cars and medical equipment.
Cyber-attacks on IoT devices are increasing. IoT devices can have access to, or provide a path to, some of our most sensitive personal data, such as banking and financial information.
A recent study of IoT devices found that 70 per cent of the 10 most commonly used devices contained serious vulnerabilities, such as weak software protections.
Cloud computing
Cloud technology, or "shared" computing services, enables organisations and individuals to store and access data and programs over the internet instead of building and maintaining their own infrastructure.
Cloud platforms present their own cyber-risks, including reduced control by an organisation over its data and systems. This is especially so where the provider is a third party or operates offshore.
Cloud providers generally do not guarantee the security of data stored in their cloud, and may limit their contractual exposure.
Shared storage of information increases exposure to cyber-attack. For example, data from one company can be compromised if another tenant on the same cloud service is hacked and the provider's tenant isolation fails.
Data breaches
Data breaches are a key business risk. Companies hold large amounts of personal information, including financial information about individuals, customers, suppliers and staff.
Hacking from external sources is considered the primary cause of data breaches. Data breaches raise privacy concerns and result in financial loss for individuals and businesses.
A company may be open to liability for the breach of privacy, which can affect company value. A breach also damages business reputation, which is not easily restored.
Mobile and digital technologies
As mobile and digital technologies become more complex and more widely used, the risks associated with these platforms also increase. For example, 38 per cent of mobile users have experienced some form of cyber-crime.
Cyber-attacks specific to mobile technologies include hidden malware inside mobile apps.
Social media
Social media makes users more susceptible to cyber-attack, largely because of its accessibility and its use on mobile devices.
For example, fake offers intended to obtain a person's personal and financial details, and other forms of "phishing", have accounted for the largest number of attacks involving Facebook users.
ASIC case studies: The report cites incidents, including:
- JP Morgan Chase & Co
Computer systems at JP Morgan Chase & Co were hacked. The names, addresses, phone numbers and email addresses of approximately 76 million households and 7 million small businesses were exposed. The company became aware of the attack in August 2014.
More sensitive data, such as customer account information and social security numbers, was not compromised.
It is understood that the attackers got into the network by compromising the computer of an employee who held special privileges, and using that foothold to reach the bank's network and obtain the contact data.
A key weakness was that JP Morgan Chase & Co had not ensured that all of its servers were protected by two-factor authentication, as is standard at most major banks.
The matter is the subject of an ongoing investigation in the United States.
- Warsaw Stock Exchange
In October 2014, hackers breached the Warsaw Stock Exchange and exposed the login credentials of several brokers. Using the stolen credentials, they gained access to the stock exchange's private email inbox and stole customer data. The hackers described themselves as "cyber-terrorists".
The attack lasted 10 days as the Warsaw Stock Exchange struggled to remove the attackers from its systems.
- Identity fraud in client accounts
ASIC has uncovered instances of identity fraud in financial markets, including:
- Clients being impersonated by spoofing the client's email address, or by registering an email address that is markedly similar to that of an existing client. After establishing email contact with a broker, the criminal issues instructions to liquidate the client's positions and pay the proceeds to alternative bank accounts (including third-party accounts).
- Overseas clients having their mail intercepted and personal details stolen, such as the client's full name, address, date of birth and share-trading account information. The criminal then supplies this information to Australian brokers, including certified copies of passports and drivers' licences, to effect share sales. The legitimate clients' securities have been sold without their approval or knowledge.
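The first pattern above turns on a broker accepting instructions from a sender address that is not the client's address on file but is "markedly similar" to it. The following is an added example, not code from ASIC or from the report, showing one way a broker's mailbox intake could score an inbound instruction: it normalises the sender address, collapses common confusable characters (rn for m, 1 for l, 0 for o), and measures the edit distance between sender and on-file address; it then requires an out-of-band callback before acting whenever the sender is not an exact match or the payout account is not already on file. The addresses, account numbers and thresholds are constructed for illustration.

```python
# Added example (not ASIC's or the report's code): flag broker instructions
# whose sender address is not the client's address on file but is a
# look-alike of it, and gate payouts to accounts not already on file.

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Pairs that look alike in common mail-client fonts; assumed list, extend as needed.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def skeleton(addr: str) -> str:
    """Lower-case the address and fold confusable sequences to a canonical form."""
    s = addr.strip().lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def assess_sender(sender: str, on_file: str, max_distance: int = 2) -> str:
    """Return 'match', 'lookalike' or 'unrelated' for a sender vs the on-file address."""
    s, f = sender.strip().lower(), on_file.strip().lower()
    if s == f:
        return "match"
    if skeleton(s) == skeleton(f):
        return "lookalike"            # differs only by confusable characters
    s_local, _, s_dom = s.rpartition("@")
    f_local, _, f_dom = f.rpartition("@")
    if s_local == f_local and levenshtein(s_dom, f_dom) <= max_distance:
        return "lookalike"            # same name at a near-miss domain
    if s_dom == f_dom and levenshtein(s_local, f_local) <= max_distance:
        return "lookalike"            # near-miss name at the real domain
    if levenshtein(s, f) <= max_distance:
        return "lookalike"
    return "unrelated"


def requires_callback(sender: str, on_file: str,
                      payout_account: str, accounts_on_file: set) -> bool:
    """Instructions to sell and pay out need a voice/in-person check unless
    the sender is an exact match AND the payout account is already on file."""
    return assess_sender(sender, on_file) != "match" or payout_account not in accounts_on_file


if __name__ == "__main__":
    # Constructed sample: the client's real address and a fraudster's look-alike.
    client = "j.smith@example.com"
    for candidate in ("j.smith@example.com", "j.srnith@example.com",
                      "j.smith@examp1e.com", "j.smith@example.co", "accounts@broker.test"):
        print(f"{candidate:28} -> {assess_sender(candidate, client)}")
    print(requires_callback("j.srnith@example.com", client, "999-999 00000001", {"062-000 12345678"}))
```

The skeleton step is what catches the substitutions a human reader skims past; the edit-distance step catches registrations such as a dropped or added letter in the domain. Neither check replaces verifying the instruction through a channel the client set up in advance, which is why `requires_callback` treats anything short of an exact match, or any new payout account, as needing that verification.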
- Eastern European stock manipulation
ASIC detected instances where an account holder based overseas purchased shares on an Australian market through a market participant.
Suspected related parties then gained unauthorised access to other clients' accounts (hacking) and used those accounts to sell the clients' holdings for cash.
The cash was then used to buy the same shares the overseas account holder had purchased, pushing up the price of those stocks. The overseas account holder then sold their shares at the higher price, generating a profit.
The shares involved were usually "penny stocks" that are not traded frequently under normal market conditions. The price and trading volume of these shares often increased significantly on the days when the account hacking occurred.
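The last paragraph describes a signature that a market participant's surveillance can look for in its own trade records: a thinly traded stock whose volume and price jump on one day, funded by accounts that sold unrelated holdings that same day, with an earlier buyer selling into the spike. The following is an added example, not ASIC's or any participant's surveillance code, that runs that check over a constructed set of trades. The thresholds (volume at least 5 times the prior median, price up at least 20 per cent) and the trade records are assumptions for illustration; a real implementation would tune them against the participant's own order flow.

```python
# Added example (not ASIC's code): detect the pump pattern described above in
# a participant's own trade log. Trades are (date, account, symbol, side, qty, price).
from collections import defaultdict
from statistics import median

# Constructed sample data, not real trades. A1 is the overseas account; H1 and H2
# are client accounts that, on 2015-03-06, sell unrelated holdings and buy PNY.
TRADES = [
    ("2015-03-02", "A1", "PNY",   "BUY",  20000, 0.010),
    ("2015-03-03", "X9", "PNY",   "BUY",   1000, 0.010),
    ("2015-03-04", "X9", "PNY",   "SELL",  1000, 0.010),
    ("2015-03-05", "X8", "PNY",   "BUY",    500, 0.011),
    ("2015-03-06", "H1", "BIGCO", "SELL",   300, 40.00),
    ("2015-03-06", "H1", "PNY",   "BUY",  30000, 0.014),
    ("2015-03-06", "H2", "BNK",   "SELL",   200, 25.00),
    ("2015-03-06", "H2", "PNY",   "BUY",  25000, 0.015),
    ("2015-03-06", "A1", "PNY",   "SELL", 20000, 0.015),
]


def daily_stats(trades, symbol):
    """Per-day traded quantity and last price for one symbol, in date order."""
    volume, last_price = defaultdict(int), {}
    for date, _acct, sym, _side, qty, price in trades:
        if sym == symbol:
            volume[date] += qty
            last_price[date] = price       # trades are assumed to be in time order
    return [(d, volume[d], last_price[d]) for d in sorted(volume)]


def spike_days(trades, symbol, vol_mult=5.0, price_jump=0.20, min_history=2):
    """Days where volume is >= vol_mult x the median of prior days and the last
    price is up by >= price_jump on the previous day's last price."""
    stats = daily_stats(trades, symbol)
    flagged = []
    for i in range(min_history, len(stats)):
        date, vol, px = stats[i]
        prior_vols = [v for _, v, _ in stats[:i]]
        prev_px = stats[i - 1][2]
        if vol >= vol_mult * median(prior_vols) and px >= (1 + price_jump) * prev_px:
            flagged.append(date)
    return flagged


def suspects(trades, symbol, date):
    """Split the accounts on a spike day into the ones that funded the pump
    (sold something else and bought the stock) and the ones that profited
    (bought earlier, sold on the spike day)."""
    buyers, sellers_other, bought_before, sold_today = set(), set(), set(), set()
    for d, acct, sym, side, _qty, _px in trades:
        if d == date and sym == symbol and side == "BUY":
            buyers.add(acct)
        elif d == date and sym != symbol and side == "SELL":
            sellers_other.add(acct)
        elif d < date and sym == symbol and side == "BUY":
            bought_before.add(acct)
        elif d == date and sym == symbol and side == "SELL":
            sold_today.add(acct)
    funders = sorted(buyers & sellers_other)       # candidates for hacked accounts
    beneficiaries = sorted(bought_before & sold_today)
    return funders, beneficiaries


if __name__ == "__main__":
    for day in spike_days(TRADES, "PNY"):
        funders, beneficiaries = suspects(TRADES, "PNY", day)
        print(f"{day}: PNY spike; funding accounts {funders}, beneficiaries {beneficiaries}")
```

On the sample data the only flagged day is 2015-03-06, with H1 and H2 as the accounts that liquidated other holdings to buy the stock (the ones to check for unauthorised access) and A1 as the earlier buyer who sold into the spike. The point of separating the two groups is that the hacked accounts and the beneficiary are different clients, so neither looks suspicious on its own; the link only appears when the day's trades in one illiquid symbol are viewed together.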