Fighting financial crime with cybersecurity insights
Financial institutions suffer greater average losses to cybercrime than other businesses [1]. It is no surprise, then, that they prioritise and invest in cybersecurity more than non-financial companies [2].
Figure 1: Survey of risks to financial stability. Risks to broader economy (percent of respondents), 2016 and 2017: cyber risk; geopolitical risk; impact of new regulations; Brexit; sudden dislocation in financial markets.
Source: DTCC Systemic Risk barometer 2017 Q1, from Cyber Risk for the Financial Sector – IMF
[1] 2017 Cost of Cybercrime Study
[2] Banks Spend on IT Security is 3X Higher Than Non-Financial Organizations
Figure 2: Reporting of cyber risk. Cyber risk awareness by sectors in the US (share of annual reports featuring cyber-attack), 2016 and 2017: Agriculture, mining and construction; Transportation, communications; Wholesale and retail trade; Manufacturing; Services; Finance, insurance and real estate.
Source: SEC Form 10-K; and staff calculations, from Cyber Risk for the Financial Sector – IMF
“The financial industry is often viewed as a leader in managing cyber risk, because we’ve had to respond to the growing threat. Security and trust are at the heart of our business,” observes Cheri McGuire, Standard Chartered’s Group Chief Information Security Officer. In many organisations, the head of cybersecurity risk management is part of the technology team and reports to the Chief Information Officer, “competing for very limited resources, alongside the digital and innovation agendas, stability and obsolescence risk, and other major technology implementation programmes.” Instead, McGuire answers to the Chief Risk Officer. It is a reporting structure that underlines the Bank’s approach to cybersecurity as a key business risk. That approach also serves to feed vital cybersecurity insights to the Financial Crime Compliance Team to intensify their ongoing vigil against criminals and illicit money flows.
Overview of common threats against financial institutions
Attacks at customer side: credit card fraud; financial trojans; phishing; social engineering; mobile fraud
Attacks against the financial situation: disruption/Distributed Denial of Service (DDoS); ATM/POS attacks; blackmailing; bank-to-bank fraud
Common attacks
Source: Internet Security Threats Report – Financial Threats Review 2017
Cybersecurity is squarely on banks’ agendas
Enhancing cyber and data security was the most frequently cited priority among the banks surveyed for the EY Global Banking Outlook 2018 [3], and banks have good reason for concern. They are by far the preferred target of highly sophisticated state-sponsored cybercriminals, whose attacks benefit from big budgets, top talent and immunity from prosecution [4]. Russia and North Korea are acknowledged as the two main countries behind hacks of financial institutions. “Nation states are robbing banks,” claimed a former NSA Deputy Director [5], alleging it was government-backed North Korean hackers who stole tens of millions of dollars from banks in developing countries from 2015 to 2016 by submitting fake payment orders via the SWIFT network.
Faced with such a formidable threat, it is natural that financial institutions spend up to three times as much on cybersecurity as other firms [6]. But despite banks’ willingness to spend big on shoring up their cyber defences, the EY report calls attention to the difficulty of achieving that goal in light of the acute cybersecurity skills shortage – there will be 3.5 million unfilled cybersecurity jobs worldwide by 2021, predicts Cybersecurity Ventures [7]. Furthermore, “Hiring people with the right cyber skills is one thing; helping them develop the right business and risk skills for a banking environment is another,” warns EY.
[3] EY Global Banking Outlook
[4] Economic Impact of Cybercrime — No Slowing Down
[5] NSA Official Suggests North Korea Was Culprit in Bangladesh Bank Heist
[6] Banks Spend on IT Security is 3X Higher Than Non-Financial Organizations
[7] Cybersecurity Jobs Report
Figure 3: The importance of protecting against internal and external threats is clear in banks’ 2018 priorities
What is the importance of the following business priorities to your organisation in 2018*?
| Business priority | 2018 priorities: all banks | 2018 priorities: Global Systemically Important Banks (G-SIBs) | 2017 ranking: all banks |
| --- | --- | --- | --- |
| Enhance cyber and data security | 89% | 90% | 6 |
| Implement a digital transformation programme | 85% | 82% | - |
| Recruit, develop and retain key talent | 83% | 82% | 8 |
| Gain efficiencies through technology adoption | 82% | 82% | 13 |
| Invest in technology to reach and service customers | 81% | 86% | 4 |
| Manage reputational, conduct and culture risks | 79% | 82% | 1 |
| Comply with consumer regulations | 78% | 77% | 11 |
| Optimise the balance sheet | 78% | 82% | 16 |
| Manage the threat of financial crime | 78% | 76% | 5 |
| Meet compliance and reporting standards | 77% | 67% | 3 |
| Improve risk management | 77% | 73% | 9 |
*% respondents represents banks that indicated ‘important’ or ‘very important’. See EY Global banking outlook 2017 for a detailed analysis of these five strategies
Legend (strategy categories): Grow, Optimize, Protect, Control, Reshape
Source: Global Banking Outlook Survey 2018
Inclusive solution to an expansive problem
“Cybersecurity today is a business risk, just like any other risk, and it needs to be addressed that way,” argues McGuire. “It’s really about a mindset shift from ‘this is a technology problem, we need to let the technologists solve it,’ to ‘it’s a business risk that requires the engagement of the whole of the organisation,’” she explains.
By approaching cybersecurity as a principal business risk, Standard Chartered is better able to fulfil its financial crime compliance responsibility. After all, cybercrime has become one of the world’s leading sources of illicit revenue seeking to be laundered. The UN estimates that up to USD2 trillion of criminal proceeds is laundered every year [8], of which current best estimates suggest that cybercrime accounts for up to USD200 billion [9].
Last year, cybercrime resulted in an estimated USD600 billion in losses [10], putting it in second place on the list of the world’s leading transnational organised criminal activities, behind the trade in counterfeit and pirated goods and, depending on the source, either just ahead of or tied with drug trafficking [11].
Of the three, cybercrime is arguably the most transnational. “You can hatch a crime in Astana with your victim in Los Angeles while organising the cashout in Dubai,” wrote Misha Glenny, the author of DarkMarket: How Hackers Became the New Mafia, in a column for the Financial Times. It is clearly also the one that financial institutions are most susceptible to and directly involved in warding off.
Figure 4: Growing threat. Estimated increases in data-breach costs and global cybersecurity spending over the next five years. Panels: annual cost of data breaches (USD tn) and annual cybersecurity spending (USD bn), 2017 to 2022.
Source: Juniper Research/The Wall Street Journal
[8] Money-laundering and globalization
[9] Michael McGuire, Into the Web of Profit - Understanding the Growth of the Cybercrime Economy
[10] Economic Impact of Cybercrime
[11] Global Financial Integrity, Transnational Crime and the Developing World
The nexus between cyber and financial crime
“The nexus between cyber and financial crime has opened up new challenges from a financial crime perspective. CyFI helps better manage financial crime risks posed by cyber-enabled crime by working in partnership with cybersecurity, business, and industry and understanding the issues they’re seeing and thinking about how that could impact us from a money laundering perspective,” says Patricia Sullivan, Standard Chartered’s Europe and Americas Head of Financial Crime Compliance.
In the US, Standard Chartered’s Financial Crime Compliance function (FCC) recognised the need to address the increasing use of cyber to facilitate the movement of illicitly gained proceeds by traditional financial criminals. FCC drove the creation of a dedicated Cyber-Enabled Financial Intelligence Group, dubbed CyFI, charged with identifying, analysing, mitigating and reporting cyber-enabled financial crime. CyFI generates actionable intelligence by bringing together a variety of information from financial data, other teams within the Bank, industry partners and law enforcement, as well as through online searches and the use of specialist tools and techniques for mining restricted access sites and blockchain analysis.
CyFI also helps the Bank comply with guidance issued by the United States Financial Intelligence Unit in October 2016 that requested the inclusion of cyber-related information when financial institutions file suspicious activity reports (SARs) [12].
[12] Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime
Top 3 notable cyber heist incidents of 2017-2018 (by the total amount stolen)
| Institution | Amount stolen | Date |
| --- | --- | --- |
| NIC Asia Bank, Nepal | USD4.4m | November 2017 |
| Far Eastern Bank, Taiwan | USD60m | October 2017 |
| Post-Soviet Bank, Russia | USD100m | February 2017 |
Top 3 notable data breach incidents of 2017-2018 (by the total records leaked)
| Organisation | Records leaked | Date |
| --- | --- | --- |
| BMO and Simplii, Canada | 90k | May 2018 |
| Equifax, US | 143m | September 2017 |
| FAFSA: IRS, US | 100k | April 2017 |
Source: IntSights Cyber Intelligence, Financial Services Threat Landscape Report
Breach-proofing the human element
“You can look at any report on security risk and almost all of them will tell you between 90 and 95 per cent of data breaches are caused by human error, or phishing. Somebody clicking on a malicious link that is designed to trick them, that then infects their machine or the company’s network,” says McGuire. Therefore, in addition to having the right technical security protections in place, staff training and instilling the right organisational culture is critical to cybersecurity. It comes down to making sure all three pillars of cybersecurity – people, process and technology – are firmly in place. “While technology is core, it also will only get you so far.”
Integral to addressing the human element of cybersecurity is encouraging more people to pursue careers in the field. “The glamorisation of cyber through TV shows and the media has raised awareness but some of the portrayals emphasise it as a set of almost unobtainable technical skills without highlighting how important a breadth of skills, both technical and soft, are to meet the diverse nature of the threat,” says Sullivan.
And rather than treating the human element as a liability, banks would benefit from bringing diverse perspectives into the big tent of the cybersecurity campaign. “Since the monetisation of financial crime through cyber methods continues to grow, so should the enhancement of the cyber financial crime compliance function. As CyFI expands across Standard Chartered’s footprint [from the US to other jurisdictions] we will need to ensure that it meets different geographic challenges by leveraging local expertise and approaches to maximise understanding and also to help facilitate effective intelligence and investigations,” adds Sullivan. As McGuire puts it: “It’s important that we have diverse cybersecurity professionals and analysts to bring a multitude of perspectives.”
A big part of that will be achieved by closing the gender gap – women currently account for a mere 11 per cent of cybersecurity professionals [13]. Beyond that, “We’re also starting to see some major initiatives around neurodiversity,” says McGuire. In June, the National Autistic Society in the United Kingdom launched a pilot apprentice scheme to get more talented autistic people employed in cybersecurity [14]. “They can perhaps bring a different level of insight than more traditional candidates, or they can be particularly suited to analytical roles,” explains McGuire.
[13] Why Cybersecurity Needs More Women in Leadership
[14] The National Autistic Society to pilot cybersecurity apprenticeship scheme
Responding to the expanding attack surface
The cyber threat may now seem greater than ever before. Increasing interconnectedness and adoption of technology, and moving to fully digital platforms in the cloud mean “the attack surface is getting much, much larger,” explains McGuire. But the attacks themselves have not evolved radically, she adds, with the recent high-profile assaults on financial institutions having generally exploited preventable failures. When people and process rather than technology consistently prove to be the weak links in cybersecurity, it is clear a fresh mindset and approach are critical to address the rapidly expanding attack surface. It is that awareness that underlies Standard Chartered’s integrated strategy to manage cyber risk.
This material has been prepared by Standard Chartered Bank (SCB), a firm authorised by the United Kingdom’s Prudential Regulation Authority and regulated by the United Kingdom’s Financial Conduct Authority and Prudential Regulation Authority. It is not independent research material. This material has been produced for information and discussion purposes only and does not constitute advice or an invitation or recommendation to enter into any transaction. Some of the information appearing herein may have been obtained from public sources and while SCB believes such information to be reliable, it has not been independently verified by SCB. Information contained herein is subject to change without notice. Any opinions or views of third parties expressed in this material are those of the third parties identified, and not of SCB or its affiliates. SCB does not provide accounting, legal, regulatory or tax advice. This material does not provide any investment advice. While all reasonable care has been taken in preparing this material, SCB and its affiliates make no representation or warranty as to its accuracy or completeness, and no responsibility or liability is accepted for any errors of fact, omission or for any opinion expressed herein. You are advised to exercise your own independent judgment (with the advice of your professional advisers as necessary) with respect to the risks and consequences of any matter contained herein. SCB and its affiliates expressly disclaim any liability and responsibility for any damage or losses you may suffer from your use of or reliance on this material. SCB or its affiliates may not have the necessary licenses to provide services or offer products in all countries or such provision of services or offering of products may be subject to the regulatory requirements of each jurisdiction. This material is not for distribution to any person to which, or any jurisdiction in which, its distribution would be prohibited. 
You may wish to refer to the incorporation details of Standard Chartered PLC, Standard Chartered Bank and their subsidiaries at http://www.sc.com/en/incorporation-details.html. © Copyright 2018 Standard Chartered Bank. All rights reserved. All copyrights subsisting and arising out of these materials belong to Standard Chartered Bank and may not be reproduced, distributed, amended, modified, adapted, transmitted in any form, or translated in any way without the prior written consent of Standard Chartered Bank.
Committing our expertise to power your ambition
Local service on a global scale
With a presence in more than 60 markets and a unique footprint covering Asia, Africa and the Middle East, Standard Chartered’s business combines global capabilities with deep local knowledge to provide innovative products and services to meet the diverse and ever-changing needs of our corporate and institutional clients in the world’s most dynamic markets.
Your partner for the long run
Building on a rich banking heritage of over 160 years, Standard Chartered is committed to providing a working partnership that builds your business with value-added and strategic solutions that reflect our longevity and unparalleled success. We are committed to our clients, employees and communities at all times.
Dedicated to sustainable success
As a leading international bank, our success is built on teamwork, partnership and the diversity of our people. With a long-term strategy to build a sustainable business, Standard Chartered leads by example in helping to develop emerging markets and ensuring we make a positive impact on society and the environment.
The right capabilities for your needs
Corporate Finance, Principal Finance, Digital Solutions, Global Research, Transaction Banking, Financial Markets
Angola, Argentina, Australia, Bahamas, Bahrain, Bangladesh, Botswana, Brazil, Brunei Darussalam, Cambodia, Cameroon, China, Colombia, Côte d’Ivoire, Egypt, Falkland Islands, France, Germany, Ghana, Guernsey, Hong Kong SAR, India, Indonesia, Iraq, Ireland, Japan, Jersey, Jordan, Kenya, Laos, Lebanon, Macau, Malaysia, Mauritius, Myanmar, Nepal, Nigeria, Oman, Pakistan, Philippines, Qatar, Saudi Arabia, Sierra Leone, Singapore, South Africa, South Korea, Sri Lanka, Sweden, Taiwan, Tanzania, Thailand, The Gambia, Turkey, Uganda, United Arab Emirates, United Kingdom, United States, Vietnam, Zambia, Zimbabwe
October 2018