Cyberattack could catch Asian banks off-guard

Industry insiders express concern over banks' defences against hackers amid threat through third-party services and focus on prevention

PUBLISHED : Sunday, 08 November, 2015, 11:42pm
UPDATED : Sunday, 08 November, 2015, 11:42pm

Recall the last unprecedented data leak at a major Asian bank?

Probably not. Because it was never reported to the public, nor to the customers whose personal information was swiped by cyber thieves.

Few Asian nations have mandatory disclosure rules that, like in the United States, force banks and companies to make painful admissions on cyberattacks.

So news on data breaches such as the one at JP Morgan Chase last year - the one that lifted information on 76 million households - does not break in Asia.

But that does not mean malevolent hackers have ignored Hong Kong or elsewhere in the region. Far from it, and the shortfall in spending on a public response to an attack could eventually catch Asia's banks off guard.

"The one that banks in Asia have probably spent the least on [compared to Western counterparts] is response," said Paul O'Rourke, the lead cyber security partner at EY in the Asia-Pacific.

The prevailing response to cyberattacks has been technological, meaning that the fight between the banks and the bad guys plays out purely in cyberspace. That tactic is coming up short as attacks on bank data can - at least in the West - unleash media storms, send share prices tumbling and leave customers mulling a change of banks.

"In the past, a lot of the banks were good at responding to the technology attack," O'Rourke said. "Now it's regulatory relations, media relations, investor relations, legal ... and, potentially, third parties."

Third-party attacks are part of the increasingly complex battle to keep financial data safe online.

Banks outsource to an array of service providers that handle everything from crunching data to cross-border payments. Increasingly, cyber criminals are breaking into banks through third parties, leaving the institutions at the whim of weaker security systems at small companies.

That is just one way the calibre of cybercrime is changing while also ratcheting up how much banks pay to keep crooks out or clean up their mess.

The volume of cybercrime and its monetary toll on the banking system are unknown because a limited number of firms report the crimes, Madan Oberoi, the director of cyber innovation at the international police organisation Interpol, said last month at the Sibos conference in Singapore.

Oberoi also noted that an emerging trend in cybercrime was extortion, where hackers threaten a range of attacks until a price is paid. In a rare regional case that reached the media this year, hackers attempted to extort Bank of China and Bank of East Asia for payments in bitcoins.

Technology research company Gartner said in a report this year global spending on cyber security could hit US$77 billion this year, a more than 8 per cent increase on last year. By 2018, the amount companies pay out could surpass US$100 billion.

"But are they spending it correctly?" Bill Taylor-Mountford, Asia-Pacific vice-president at security intelligence firm LogRhythm, asked of banks in the region. "Today, they tend to focus on perimeter security technology such as firewalls. They are trying to keep the hackers out, which is not wrong but it is not enough."

When banks focus too much on keeping attackers from breaking through, they end up missing the ones that have found ways around the walls or have already gotten in.

Preventing attacks is essential but that effort has pulled attention away from other key elements of strong security systems, such as reducing the time it takes to detect and respond to attacks once they happen, Taylor-Mountford said.

International regulators have not given banks much time to respond to major attacks. The Bank for International Settlements gives financial institutions just two hours to resume operations in the event of what it calls a "major disruption".

Banks in Hong Kong have been preparing for just that. The Hong Kong Monetary Authority and the Securities and Futures Commission last month collaborated with 25 banks and securities brokers to run the city's first industrywide crisis management drill.

The exercise, on October 9, simulated a bomb attack on a transport hub and a cyberattack that led to a data leakage. The results from the drill have yet to be released.

Will the drills and the billions of dollars hit the mark?

Some of the banking industry's top experts still find the global financial system in a vulnerable position.

When asked if she was worried about the potential for a "cyber September 11" hitting the global financial system, Blythe Masters, a progenitor of the credit-derivatives market at JP Morgan and now the chief executive of cryptocurrency settlement platform Digital Asset Holdings, said she had little reassurance.

"It worries me profoundly," she said at Sibos. "We're more prepared than we were five or six years ago but I would not say that we are in a place where anyone could or should feel particularly comfortable."