South China Morning Post
Advertisement
Advertisement
Hewlett Packard employees work in the HP cyber defence centre in Boeblingen, Germany, to protect clients from cybercrime. Photo: EPA
OpinionComment

Asia’s financial services industry must unite against the threat from cybercriminals

Mark Clancy says an overwhelming asymmetry in the cost of mounting cyberattacks and defending against them leaves an important sector of the Hong Kong economy at serious risk

Advertising partner
Why you can trust SCMP

As a key pillar of Hong Kong’s economy, the stability of our financial services industry is rightly taken very seriously. It is estimated that the industry directly contributes more than HK$300 billion or 16 per cent in value to Hong Kong’s GDP.

Yet, there is a growing threat that continues to place the operations of the financial services sector at risk, not only in Hong Kong but globally. This threat – cybercrime – is showing no signs of abating as cybercriminals continue to gain the upper hand due to the relatively low cost of launching cyberattacks and the high cost of defending against them.

Bank of America is one of many financial institutions repeatedly attacked by hackers. Photo: Reuters
For example, a lone hacker can rent the black-market tools online to bring down the website of a major bank for under US$1,000, yet that institution could be forced to spend more than US$1 million to defend itself against this attack. This is more alarming when you consider that one hacker can target multiple organisations using a single piece of malware. This major asymmetry in cost and effort leaves our financial services sector at risk.
One hacker can target multiple organisations using a single piece of malware

The cost of these attacks is clear – the Asia-Pacific cybersecurity market is expected to grow to almost US$33 billion by 2019, with an expected compound annual growth rate of 14.1 per cent between 2013 and 2019, according to figures from MicroMarketMonitor.

There are numerous drivers behind cyberattacks on financial institutions. The motivation usually falls into four buckets – financial gain through theft of money or information; politically motivated attacks by “hacktivists”; cyberespionage to steal secrets for economic or other advantage; and, destructive attacks that strike at the core of a business, such as the unprecedented 2014 attack on the Japanese electronics giant Sony.

A magazine with cartoons of US President Barack Obama, left, and North Korean leader Kim Jong-un at a bookstore in Seoul, South Korea. The United States imposed sanctions on North Korean government officials for a cyberattack against Sony, insisting that Pyongyang was to blame. Photo: AP
Unfortunately for the financial services sector, Sony-style attacks have become more prevalent, often rendering good cyberhygiene and fraud management tools impotent because cybercriminals are intent on damaging the business and its infrastructure rather than stealing money or data. We have seen these types of attacks in parts of Asia and the Middle East and it is concerning that they may become the “new normal”.
Cyber risk remains the No 1 concern globally for the financial services industry

Research repeatedly highlights the increasing risks posed by the actions of cybercriminals. The Depository Trust and Clearing Corporation’s (DTCC) latest systemic risk barometer shows that cyber risk remains the No 1 concern globally for the financial services industry, with 70 per cent of 400 respondents citing it as a top-five risk. A common theme was concern over the frequency and ability to manage attacks.

One approach to combating this insidious crime is leveraging a community defence model – the coordinated sharing of cyberthreat information among financial institutions in an effort to identify and block attacks. Increasingly, this model of automating threat intelligence is gaining support from the financial services community and beyond.

Officials of the Interpol Global Complex for Innovation in Singapore. The IGCI is tasked with cracking down on cybercrime. Photo: Kyodo
While the idea of information sharing is well established in the US, it is not so well formed in Asia. However, positive action is being taken in Hong Kong, Singapore, Japan and Australia. The US-based Financial Services Information Sharing and Analysis Centre recently established a threat intelligence group in Singapore to build information sharing expertise in the region.

Asian regulators have adopted a practical approach to the issue. The Hong Kong Monetary Authority is working with the banking industry on establishing a framework and mechanism for the sharing of information on cyberthreats. Encouragingly, regulators in the region have resisted static rules and regulations which can quickly become outdated given the fast-paced evolution of cyberthreats.

READ MORE: Cyberattack could catch Asian banks off-guard

Clearly, we will never be able to rid the world of cyberattacks. However, if Asia’s financial services industry is able to band together to share real-time information on cyberthreats, we will reduce the capabilities of less-sophisticated attackers and force more advanced hackers to work harder. Doing so will also bring down the cost of defending against these attacks, shifting the numbers in our favour.

Mark Clancy is the CEO of Soltra, a DTCC joint venture with the Financial Services Information Sharing and Analysis Centre

Post