Cybercrime: Are banks doing enough?

The RBI recently asked commercial banks to “immediately” put in place a cyber security policy, a much-needed reminder, in the wake of increasing cyber attacks in the financial system. Nobody imagined that the tech innovations of the late 20th century would perch the entire planet at our veritable fingertips, the benefits are not without cost, though.

While Information Communication Technology (ICT) brought unintended consequences in the form of cybercrimes, banking sector also has its share like ATM/credit card frauds, phishing, identity/data theft, funds-transfer crime, electronic money laundering etc.

As advances in IT led most banks to migrate to core banking platforms, nearly 80% of the transactions are digitally executed, raising the need to have a robust cyber security on a continued basis. The loss in the banking sector is huge across the globe both in terms of combating the cyber attacks and development of systems. With over 1.5 million annual cyber attacks, a perceptible trend observed is more related to financial frauds.

Though increased real-time monitoring has been undertaken by banks, which are often reactive and time-consuming, cybercrimes continue to outsmart the banking routine, attacks becoming increasingly sophisticated and highly targeted. Now, the emerging channels, such as mobile/online banking, are opening new doors for cybercriminals.

The banking industry, once a simple and reliable business of “linking perspective lenders with prospective borrowers,” has witnessed massive transformation, the technology rendering the geographical boundaries obsolete, effectively meaning that the cybercrimes come und-er no specific jurisdiction. Acco-rding to the National Research Council, “The modern thief can steal more with a computer than a gun. Tomorrow’s terrorist may be able to damage more with a keyboard than with a bomb.”

Cyber security is more than a technology issue and it cannot remain in the IT domain. As internet provides anonymity, criminals escape, emboldening them to repeat the crime. We are not fighting lone attackers or small factions any more. Rather, we now face full-blown organisations that are structured like sta-rtup companies, where attack tactics are constantly updated.

Globally, laws restricting digital crime vary. Nearly 70% of cybercrime crosses national borders, and the UN reports convey that about half the nations have inadequate legal framework to book extraterritorial cybercrimes. Almost 80% of cybercri-mes go unreported due to lack of awareness of the crime or the ability to report it, or fear of consumer backlash on the part of the business. As the digital frontier continues to evolve, it is hard to guess the next pattern.

More people jump on the internet and threats galore.  The changing crime scene leaves traditional policing and probing methods trailing, and police lack resources to keep up. The rise of sophisticated fraudsters operating from behind their monitors, instead, is causing banks severe headache.

Will bank customers soon face a “security fee” to keep their deposits safe, as banks spend more to protect data? However, better investment in information security might pay. JP Morgan, for instance, spends $250 m a year on cyber security.

While online banking existed since the 1980s, few cases were reported until 2004, escalation of cyber attacks is thus relatively recent. Up to $1b were plunder-ed in 2013 and 2014 from banks worldwide. In certain cases, criminals penetrated right into the heart of the accounting system, inflating account balances. For example, if an account has $1,000, criminals alter its value as $10,000 and then transfer $9,000 to themselves – the original $1,000 will still be intact!

No complacency

Even if bank’s software is uni-que, they can’t get complacent. Though a fraud is uncovered, it is feared that banks could be hit again, the malware once instal-led is hard to detect. Also, in the “low impact-multiple-victim” crimes, the theft need not be planned for millions of dollars.

New capabilities now mean that one person can virtually commit millions of one dollar each. Surveys indicate that most bank boards are not sufficiently proactive, despite many countries’ boards having a fiduciary responsibility to shareholders regarding cyber risks.

Financial cyber security still hinges on how well banks safeguard customer information.  With the profile of cyber attacks shifting from isolated groups to digital mafia, risks to the system, given the frequency and severity, multiply exponentially. Cyber criminals are determined to target not just individual accounts, but the financial system itself.

Finally, regulators and law enforcement agencies are worried about the changing nature of the crime. Increasingly, attackers look for weaknesses in the critical infrastructure. For instance, an incursion that disabled a stock exchange’s trading system could wreak havoc in the markets. Similarly, compromising an automated clearing house network would have instant implications for businesses and individuals that could paralyse the process of payments.

According to the PricewaterhouseCoopers Global State Information Security Survey 2016, cyber security insurance is “one of the fastest growing sectors” in the insurance market. The PwC forecasts that the global cyber insurance market will reach $7.5b in annual sales by 2020, up from $2.5b in 2015. It’s time the regulators increased cyber vigilance, shared threat information, and worked to detect breaches proactively.

(The writer is a retired banker)