Financial Industries Pressured To Improve Cybersecurity Practices by Kayla Matthews
No, it’s not the plot of “Ocean’s Eleven.” This February, $81 million was stolen by hackers from Bangladesh’s central bank. The money was then moved to casinos in the Philippines, and because casinos there are not included in anti-money laundering laws, from there its location is unknown.
The Society for Interbank Financial Telecommunications (SWIFT), an international money transfer network used by thousands of banks, issues credentials to bank employees, which grants them permission to move money across the network. The hackers in the Bangladesh attack used stolen SWIFT credentials to complete money transactions just as a legitimate bank employee would.
In his 2021 year-end letter, Baupost's Seth Klarman looked at the year in review and how COVID-19 swept through every part of our lives. He blamed much of the ills of the pandemic on those who choose not to get vaccinated while also expressing a dislike for the social division COVID-19 has caused. Q4 2021 Read More
The Bangladesh Bank had few cybersecurity measures in place to prevent the attack. It had no firewalls and used $10 switches to link its computers to the SWIFT network. The hackers were after $1 billion but were blocked due to their own typo.
This bank heist is one of the biggest in history and has sent shockwaves throughout the financial services industry.
The United States Has Taken Note
In some ways, the U.S. is just as vulnerable to attack. The Securities and Exchange Commission (SEC) found that 88% of broker-dealers and 74% of advisors have stated that they have experienced a direct cyber-attack on one or more of their vendors in 2013-14. The frequency of such attacks shows no signs of slowing.
Consequently, the SEC is cracking down hard on lax security at U.S. corporations to prevent future attacks at home like those in Bangladesh. SEC chairwoman Mary Jo White promised to hold investment companies and their leadership responsible if they failed to meet data security standards. SEC chief of staff Andrew Donohue added compliance was paramount and companies that failed to do so would face punishment.
When asked about the importance of cybersecurity, White told Reuters, “We can’t do enough in this sector.” This is a strong warning to both would-be hackers as well as to bankers.
This Year’s FINRA Exams Will Be Tough on Cybersecurity
The Financial Industry Regulatory Authority (FINRA), the SEC-sanctioned disciplinary branch of the New York Stock Exchange that conducts periodic regulatory exams, is reviewing thousands of company emails this year to determine whether companies have a “culture of compliance” or if employees look the other way when rules are broken.
According to BDO’s recent Asset Management Insights report, FINRA will also be assessing whether firms fully protect customer information, their ability to protect systems such as SWIFT from unauthorized access, their supervision of vendor system changes, and what quality controls are in place. They will likely check for:
- Records in WORM format
- Email attachment encryption
- Strong passwords
- Thoroughness of firms’ reporting processes for data loss
Companies that fail to meet these standards are vulnerable to both hackers as well as enforcement actions by the SEC.
U.S. Companies Have Government-Backed Protections Against Foreign Cyber-Attackers
While regulatory pressure has increased dramatically, so have protections for U.S. companies.
Some believe the North Korean government hacked Sony Pictures Entertainment at the end of 2014 and stole personal information, leaked unreleased movies and embarrassing email conversations, and managed to pressure Sony to delay the release of its comedy The Interview, which is about the fictional assassination of North Korea’s leader, Kim Jong Un.
Afterward, an executive order authorized the U.S. government to impose sanctions on foreign governments that commit cyber-attacks on U.S. companies. Luke Dembosky, a former Justice Department cybersecurity official, told the Washington Post the threat will be used to show attackers the U.S. is serious about cracking down.
U.S. companies can now add economic sanctions to their list of actions against cyber-attackers. Criminal prosecutions, export license restrictions, and trade actions are also at their disposal.
Cyber-Security Will Never Be the Same Again
Today has never been more fraught with cyber-threats, but the new SEC crackdown and broader attention to the issue globally has changed the security landscape forever. U.S. companies ultimately shoulder the responsibility to protect themselves and their customers from cyber-attacks to the fullest extent possible.
In the end, increasing regulatory pressure to ensure clients are not defrauded is more or less inevitable given the wide range of online threats in a globalizing world.
About Kayla Matthews
Kayla Matthews is a blogger and writer who covers topics related to technology, cybersecurity and tech in business. You can read more posts from Kayla by following her on Twitter: @KaylaEMatthews.