For advisors and broker-dealers, the threat of cyberattacks and compromised data keeps them up at night. A 2018 poll done by the Investment Adviser Association found over 80% of advisors think cybersecurity is their top compliance challenge.
And Investment Advisor’s latest survey of independent broker-dealer executives revealed that nearly 70% see cybersecurity as their greatest long-term technology concern.
It’s no wonder. In mid-January the Securities and Exchange Commission charged nine defendants in connection with hacking into its Electronic Data Gathering, Analysis and Retrieval, or Edgar, filing system and using non-public information to use for illicit trading in 2016 (for which they made about $4 million in illegal profits).
The cybersecurity firm Bitdefender says that nearly half of financial institutions experienced a breach in the past year, with close to 60% having an advanced attack or finding signs of suspicious behavior in their infrastructures. In addition, an often-cited report from Raytheon-owned Websense concludes that “the number of attacks against the finance sector dwarfs the average volume of attacks against other industries by a 3:1 ratio.”
As for the recovery costs from data breaches, financial firms spend more than the overall U.S. corporate average of almost $7.4 million in 2018, according to the latest study conducted for IBM.
Plus, there are broader issues at stake — such as how vulnerable the U.S. financial markets are to both cyberattacks and cyberterrorism. Could a cyberattack on a stock exchange, banking system or the Federal Reserve potentially disable or even halt the global financial system?
To look at these critical issues, ThinkAdvisor spoke at length with Sid Yenamandra, the co-founder and CEO of cybersecurity firm Entreda.
Yenamandra, who is well-versed in the potential causes of a major cybersecurity-related disruption, breaks this subject down into three areas — (1) the overall threat posed to the industry by cyber attacks; (2) what cyber insurance is, what risks are facing cyber insurers and how these risks can affect the broader financial system; and (3) what actions financial firms are and should be taking to improve their cybersecurity.
ThinkAdvisor: How could a cyberattack imperil our financial system?
Yenamandra: Cyberterrorism is the next frontier in terms of any sort of terrorist attack that could occur as a top threat-maker, and I completely agree that a cyberattack could cause the next financial crisis either directly or indirectly.
Here’s a couple of examples that were cited in a recent Harvard Business Review article that are on point.
First, an attack on a bank. A cyberattack could be leveraged to trigger a run on a bank. And it’s been demonstrated in past real-life incidents. With the recent hack that occurred — and it’s not the first time — on the [Society for Worldwide Interbank Financial Telecommunication or] Swift codes, where a small bank was compromised.
The Swift codes were used to basically issue a bunch of illegal transfers, some of which actually went through. The Swift system is the central nervous system of most banks, so it’s the key [area where a cyberattack] could bring down the banking system.
Second, there’s a difference between a hacktivist and script kiddie. A hacktivist is typically someone who is a bit more organized in terms of what they’re trying to actually accomplish.
A script kiddie is generally an unsophisticated hacker building something to solve a particular problem that gets blown out of proportion and has unintended consequences, which is what happened with the hacking of Twitter, Facebook and some of the big systems [recently] — that is, the denial-of-service attacks that happened. That could certainly have ramifications, but it’s not something that would actually cause the next financial crisis.
TA: What’s the difference between a cyberattack and cyberterrorism? And how should firms address these risks?
Yenamandra: The distinction would be the scope and the impact of the attack. A lot of times, hackers are targeting the vulnerabilities of a single organization. Now, you may be part of a sweep where your organization is one of 50 organizations that hackers are targeting to see if they can exploit the vulnerability. But those [threats] tend to be more opportunistic then they are targeted.
A cyberterrorist activity, on the other hand, is a cold-blooded, premeditated attack to try to bring down something to cause mass-scale harm, [such as to] cause a financial crisis by bringing down the banking system or affecting a large network of folks, like an attack on the stock market. That’s not just a cyberattack, that’s cyberterrorism.
A firm can do a lot to prevent a cyberattack. But on cyber terrorism side, that’s harder to protect against, because you’ve got nation-state actors, an organized crime unit, pretty large scale and sophisticated threat actors that are doing big things.
How would you prevent a threat actor a nation state from bringing down the stock market? If you’re an organization that’s investing heavily in funds that trade on the market, there’s nothing you can do with any organization that’s going to prevent that.
The best you can do from an operational standpoint is to essentially have some sort of insurance program in place that can protect you from loss of revenue in the event of cyberterrorism. Many insurance policies do actually have that as part of the underwriting.
TA: What about government action to protect against cyber risks?
Yenamandra: All the federal agencies have a cyber threat or anti-cyber threats or cyberterrorism organizations. The National Security Agency definitely has one, but they’re looking at larger-scale issues that could threaten the national security of the country.
Then you’ve got the FBI … that’s focused on slightly larger-scale problems that could protect the national security of its citizens specifically or organizations. So when you look at something like Nasdaq or any of the stock markets, that would be something that would fall under both.
It would be an FBI/NSA [issue], and many of these organizations work very closely together. There’s a lot of sharing of threat intelligence that happens between all the federal organizations, but [how they act] would depend on the scope of the attack and which organization takes control.
TA: What’s happened in past cyberterrorism attacks on the markets?
Yenamandra: I don’t know of any mass-scale cyberattack that has caused an entire financial crisis. Having said that, I’m not sure that we would know what really triggered [a market drop].
There have been corrections in markets, crashes and incidents where there’s a sudden drop in or change in trading volume or trading activity, for example, but we don’t always know what caused it. We don’t if it was actually malware, for instance.
Many hedge funds use technology to do trading — a lot of it is automated. [What] if there is a virus, or malware, of if there’s a threat actor that causes something to go awry? It would be hard to trace. And that kind of information doesn’t get leaked out that easily.
The answer is we don’t know. Could [a serious cyberattack on the markets] be within the realm of possibility in the near term? The answer is absolutely yes.
If you think about it, it’s the most cost-effective way of causing the most amount of damage. And there are just so many vulnerabilities out there that it’s not entirely that hard [to launch], which is the reason why you’re seeing the frequency of attacks increase.
TA: Given the growing threat of cyberattacks, how are the roles of chief risk officer, compliance officer, security officer and such changing?
Yenamandra: With the escalating regulatory environment around cyber in the financial-services industry, and in any industry that’s dealing with regulated data, the role of the chief information security officer, or CISO, … is for the individual with “fiduciary responsibility” for an organization when it comes to managing physical risks.
It’s not an easy role. In fact, many federal organizations are now considering passing changes to rules wherein the CISO could be personally liable, if it seemed that the person was negligent in taking the necessary steps and maintaining the fiduciary [responsibility] for an organization.
Certainly that could change the liability profile of most organizations, particularly in the regulated markets. There is a saying within the CISO community, that if a CISO survives about two or three years within an organization without an incident, they’re doing great.
The last thing you want as a CISO is to have an incident occur and then somebody launches an investigation and finds that [the breach] was something that was pretty basic and highly preventable and well within the budgets of most firms to address.
This is why many CISOs in regulated industries are trying to work together to do information sharing around best practices — to make sure that what they’re implementing for their firm lines up with what is standard and typical for most other firms.
That’s important, not just from a best practices perspective but also a legal standpoint.
Look at the recent case with Equifax: The CISO in that particular scenario — and there was a massive uproar — had a degree in music. If you were to ask that individual in a court of law “what makes you qualified in the area of cybersecurity?” A lot of questions could be raised, and they were, which is why [Equifax] made a change.
My point is, unfortunately and with good reason, that CISOs are now directly under attack from a legal standpoint, because they have to maintain their fiduciary status.
They have to do what’s in their best interest, the organization’s best interests, and the best interests of all stakeholders, clients or investors to make sure that they’re taking adequate steps and lining up the risk-mitigation strategies of their organization to be in line with best practices.
Certainly the legal world is changing. Risk officers, compliance officers and general counsels certainly are waking up to this now.