Asia’s financial services industry must unite against the threat from cybercriminals
Mark Clancy says an overwhelming asymmetry in the cost of mounting cyberattacks and defending against them leaves an important sector of the Hong Kong economy at serious risk
As a key pillar of Hong Kong’s economy, the stability of our financial services industry is rightly taken very seriously. It is estimated that the industry directly contributes more than HK$300 billion or 16 per cent in value to Hong Kong’s GDP.
Yet, there is a growing threat that continues to place the operations of the financial services sector at risk, not only in Hong Kong but globally. This threat – cybercrime – is showing no signs of abating as cybercriminals continue to gain the upper hand due to the relatively low cost of launching cyberattacks and the high cost of defending against them.
For example, a lone hacker can rent black-market tools online to bring down the website of a major bank for under US$1,000, yet that institution could be forced to spend more than US$1 million to defend itself against this attack. This is all the more alarming when you consider that one hacker can target multiple organisations using a single piece of malware. This major asymmetry in cost and effort leaves our financial services sector at risk.
The cost of these attacks is clear – the Asia-Pacific cybersecurity market is expected to grow to almost US$33 billion by 2019, with an expected compound annual growth rate of 14.1 per cent between 2013 and 2019, according to figures from MicroMarketMonitor.
There are numerous drivers behind cyberattacks on financial institutions. The motivation usually falls into four buckets – financial gain through theft of money or information; politically motivated attacks by “hacktivists”; cyberespionage to steal secrets for economic or other advantage; and destructive attacks that strike at the core of a business, such as the unprecedented 2014 attack on the Japanese electronics giant Sony.
Unfortunately for the financial services sector, Sony-style attacks have become more prevalent, often rendering good cyberhygiene and fraud management tools impotent because cybercriminals are intent on damaging the business and its infrastructure rather than stealing money or data. We have seen these types of attacks in parts of Asia and the Middle East and it is concerning that they may become the “new normal”.
Research repeatedly highlights the increasing risks posed by the actions of cybercriminals. The Depository Trust and Clearing Corporation’s (DTCC) latest systemic risk barometer shows that cyber risk remains the No 1 concern globally for the financial services industry, with 70 per cent of 400 respondents citing it as a top-five risk. A common theme was concern over the frequency of attacks and the ability to manage them.
One approach to combating this insidious crime is leveraging a community defence model – the coordinated sharing of cyberthreat information among financial institutions in an effort to identify and block attacks. Increasingly, this model of automating threat intelligence is gaining support from the financial services community and beyond.
While the idea of information sharing is well established in the US, it is not so well formed in Asia. However, positive action is being taken in Hong Kong, Singapore, Japan and Australia. The US-based Financial Services Information Sharing and Analysis Centre recently established a threat intelligence group in Singapore to build information sharing expertise in the region.
Asian regulators have adopted a practical approach to the issue. The Hong Kong Monetary Authority is working with the banking industry on establishing a framework and mechanism for the sharing of information on cyberthreats. Encouragingly, regulators in the region have resisted static rules and regulations which can quickly become outdated given the fast-paced evolution of cyberthreats.
Clearly, we will never be able to rid the world of cyberattacks. However, if Asia’s financial services industry is able to band together to share real-time information on cyberthreats, we will reduce the capabilities of less-sophisticated attackers and force more advanced hackers to work harder. Doing so will also bring down the cost of defending against these attacks, shifting the numbers in our favour.
Mark Clancy is the CEO of Soltra, a DTCC joint venture with the Financial Services Information Sharing and Analysis Centre