Sibos Update

Security: The Bedrock for Innovation

Day Three on the Spotlight stage saw the focus turn to cyber security and its critical role as the foundation for all industry innovation.

Opening the day, Oisin Lunny, Spotlight stage host and Professor of UX Driven Business at Barcelona Technology School, reminded us that rigorous cyber security is the bedrock for the community as a whole and must be the core building block of all innovation.

Up first was a conversation between Andrew Gray, Group Chief Risk Officer at DTCC and Dr. Daniela Peterhoff, Co-Head of EMEA Corporate & Institutional Banking & Global Head of Market Infrastructure at Oliver Wyman, about the most critical risks that Financial Market Infrastructures (FMIs) are managing today.

Setting the scene, Peterhoff noted that Oliver Wyman has seen a 15% increase in cyber-attacks, alongside a similar increase in cyber budgets, over the last three to five years. Two in three firms have been affected by cyber-attacks, she said, and one in three organisations has been hit by insider attacks.

She said that the drivers for this increase in cyber activity are numerous: the world is becoming increasingly digitised, with ever more interconnected and seamless processes; the pace of innovation has significantly increased; technological complexity has grown significantly; and the attacks themselves are increasing in sophistication.

Andrew Gray underlined that, due to their position in the financial services ecosystem, the stakes are even higher for FMIs than for other players. He said that there are often no substitutes for the critical services they deliver, so if an FMI were attacked and went down, the whole system would be down. That raises the bar for FMIs, he said.

Turning to what the DTCC is doing in response, Gray said that it is continuing to invest significantly in cyber protection and to ensure that it meets the numerous guidelines and requirements published by a range of regulators. The firm is also working closely with the industry because, he said, cyber is not a problem that individual firms can solve on their own: the ecosystem is so interconnected that they need to work together.

Gray noted that the DTCC is working with other FMIs, regulatory agencies, supervisory agencies and industry trade associations to come up with ways not only to prevent attacks from happening, but also to respond to them quickly.

Polls were interspersed throughout the session asking for the audience’s input on how their firms were dealing with the cyber threat. The final poll, asking which technology risk firms face is the greatest, delivered a surprising result. The majority of the audience thought that legacy software is the greatest source of risk to firms, while cloud technology risks came second; Peterhoff had expected the cloud to be of greatest concern to delegates.

Opening the second session, Steve Silberstein, CEO at FS ISAC, delved into the past to help us understand the role of cyber intelligence sharing today. He recounted the work that took place at Bletchley Park, the British centre of intelligence during World War 2, as an extremely significant example of intelligence gathering and sharing, which is said to have reduced the duration of the conflict by up to two years.

Fast forwarding to today, Silberstein said that while everybody agrees on the merits of information sharing, its importance, and that it is the right thing to do, challenges remain. He said that while there are well-established central hubs for disseminating high-quality cybersecurity information, the sheer volume of technical information – file hashes, indicators of compromise, IP addresses and so on – could easily drown the uninitiated.

FS ISAC, he said, is working with smaller institutions that lack the resources to complete this highly complex undertaking alone – sifting out and monitoring the data that is most critical to safeguarding their security, and putting this information in front of senior decision makers. Institutions, he said, should hold regular phone calls or multilateral face-to-face meetings as a trusted circle and openly share TLP:RED information within it.

Next in the spotlight, Stella Cramer, Partner, Head of Technology & Innovation Asia Pacific, and Head of FinTech SE Asia at Norton Rose Fulbright spoke of the legal barriers to cybersecurity intelligence sharing, and the reasons why FIs must overcome them to protect the industry as a whole.

First discussing the cyber threat landscape, Cramer noted that the fragmented nature of the legal and regulatory frameworks across the world makes information sharing a real challenge for entities with a global footprint. She said that questions remain about how, and in what level of detail, firms should share information. Cramer noted that this is particularly challenging when firms are weighing up the need to share information versus the requirements of banking secrecy laws that protect the confidentiality of account holder information.

In the afternoon session, Daryl Kellison and Hubert Toussaint from SWIFT’s Red Team of ethical hackers held a live demo, which put the spotlight on the malicious activities of the hackers themselves. This was a long-awaited rematch of a live demo from Sibos 2018, which saw a battle between ‘Global Bank’, a fictional entity, and a set of highly resourceful hackers. Kellison reminded us all that, while all the organisations and people mentioned in the demo are fictional, the techniques used are not, and are being employed by hackers somewhere in the world today.

Narrating the story, Kellison set the scene by noting that ‘Global Bank’ had received a huge amount of negative PR in the press following the 2018 hack. In response, it had rebranded itself as ‘McDuck Bank’, hiring a new CISO, with the incoming CEO, Scrooge McDuck, declaring the bank “unhackable”.

Toussaint played the role of hacker, with Kellison walking us through the hacking process. Toussaint started on the internet, finding information on social media which could be cross-referenced against data from the earlier 2018 hack. Then, employing various hacking techniques and taking advantage of malicious tools available publicly online, Toussaint was able to crack the bank’s poorly secured external and internal defences, step by step.

So the hackers again won the rematch of ‘hacker vs. bank’. They cracked a file containing highly sensitive information – including the results of a class-action lawsuit and the codes to the bank’s Bitcoin vault – leaving CEO McDuck with egg all over his face.

Closing up, Kellison said that Toussaint had taken advantage of misconfigurations and common security mistakes, noting that the bank could have detected and stopped the hackers at numerous points in the process.

The moral of the story: security is the bedrock for every institution, and firms must do everything in their power to prevent, detect and secure.