lolloj - Fotolia
The banking sector is known for a lack of reporting of attempted cyber attacks, so the security industry plays an important role in shedding light on the scope of the challenges and risks faced by banks.
So a warning that a major UK bank will fail in 2017 as a result of a cyber attack is a headline-grabber and adds to the pressure on banks to get their security right.
Speaking to the BBC, cyber security expert Richard Benham, a visiting professor at the University of Gloucestershire, warned that a major bank will not recover from a cyber attack this year.
He said there would be a run on a bank as a result of a cyber attack. This would see customers withdraw their money at the same time due a lack of confidence, leaving the bank in breach of solvency rules.
Although one source doubted that a major bank would fail because of a hack or similar attack, he did expect banks to increase their focus on cyber security this year. “Saying that a major bank will fail grabs attention, sure,” said the source. “But I don’t see a cyber attack bringing down a major bank, even if the attack is effective. At that point, the major bank becomes too systemic to fail.”
But the source said 2017 “must surely be the cyber wake-up year for banks”, adding: “We’ve seen enough of what state-sponsored cyber attacks can do.”
However, claims like Benham’s will play an important role in getting banks to improve security by putting the challenges they face in the public domain. And they really do need to improve, according to one cyber security expert in the UK banking industry, who wished to remain anonymous.
Read more about cyber crime in financial services
- The FCA expresses concern about the cyber security of banks after 9,000 Tesco Bank customers lost £2.5m in fraudulent transactions.
- Secure messaging service Swift was surprised by the gaps in banks’ cyber security practices highlighted by mega cyber heist, says CISO Alain Desausoi.
- Failure to follow standard network security best practice has exposed a Californian investment bank to cyber criminals’ demands.
He said the speed that a crisis could emerge after a cyber attack posed a major challenge. “The financial crises in the past took months or years to build up, so if regulators are paying attention, there is time to prepare,” he said. “But in the case of a successful cyber attack, it can happen in a matter of minutes with no prior warning, so the shock may be greater.”
The banks are attractive targets and they are under a constant barrage of cyber threats, so purely on the basis of statistics, if there are millions of attempts every year, there is a fair chance a few major incidents will take place.”
One area where banks need to improve is communicating internally and externally about cyber attacks. The anonymous source said there was a lack of communication about cyber attacks within the banks themselves.
“The banks don’t even share the details of cyber attacks internally, in my experience,” he said. “Details are usually kept very close to those directly involved plus top management only. Sometimes we would see a glossy summary giving headlines about how many viruses were blocked or how many attempted logons were prevented, but not much about the nature of an attack or the values involved, unless it had to be reported publicly.”
Fears will only increase among the public as successful cyber attacks on banks hit the headlines. In November 2016, for example, Tesco Bank halted online banking after 40,000 current accounts were compromised and half of them were hit by fraudulent transactions by hackers over one weekend. A total of £2.5m was stolen from 9,000 accounts.