In 2014 an estimated 93 percent of financial services organizations experienced cyber attacks and threats, and more than 52 percent had a policy of reimbursing all cyber-crime losses without investigating them, resulting in a “financial data loss between $66,000 – $938,000, depending on the size of the organization” (Eddy, 2014). The report created by Kaspersky Lab and B2B International also found that 28 percent of these same institutions believe that the risk of damages from cyber-crime is outweighed by the cost of prevention, and that although the financial institution is responsible for the loss, consumers need to be better educated about cyber crimes (Eddy, 2014).
The same survey disclosed that roughly 82 percent of businesses would consider leaving a financial services institution that suffered a data breach, and highlighted that businesses choose financial organizations based upon the institution’s security reputation (Eddy, 2014). In 2014, attacks involving the GOZeus and Cryptolocker malware in the U.S., Canada, and the United Kingdom enabled theft using bank login credentials; first identified in 2011, this malware targets Windows-based computers and web servers and relies on command-and-control infrastructure in addition to stealing bank credentials (Raistrick, 2014). The FBI (Federal Bureau of Investigation) issued intelligence on 250,000 URLs that these programs are expected to use over the next three years (Raistrick, 2014). The motivation and lucrative rewards associated with cyber crimes are extremely enticing to criminals, and the tools and techniques currently available for free or at nominal cost continue to encourage criminal activity.
PwC conducted a 2014 Global Economic Crime Survey of the financial services sector and reported that financial services institutions are extremely attractive targets, with 45 percent suffering from economic crimes during 2014, versus 34 percent of all other industries (PwC, 2014). Approximately 1,330 responses were received from the financial services sector, representing 79 different countries (PwC, 2014). The PwC survey “defined cybercrime as an economic offense committed using the computer and the Internet… only includes such economic crimes where computer, internet or use of electronic media and devices is the main element and not an incidental one. Examples include distribution of viruses, illegal downloads of media, phishing and pharming and theft of personal information such as bank account details” (PwC, 2014). According to PwC, financial services institutions do not always identify and log the cyber element of the economic crime they experience, which increases their exposure to cyber threats because losses are not tracked accurately and cybercrime risks are not fully understood.
Common types of crimes reported in the survey, with the percentage of respondents affected, include: (1) asset misappropriation, 69 percent; (2) procurement fraud, 29 percent; (3) bribery and corruption, 27 percent; (4) cybercrime, 24 percent; and (5) accounting fraud, 22 percent (PwC, 2014). Financial services and retail and consumer companies represented the highest level of risk, with both reporting 49 percent (PwC, 2014). Money laundering is still a major concern because of its impact on a financial services institution’s reputation, yet only one out of four financial services respondents conducted an annual fraud risk assessment, with the other respondents unaware of what a fraud risk assessment entails (PwC, 2014). Cyber fraud is committed by both internal and external individuals; the typical internal fraudster is a male senior manager with six or more years at the organization, approximately 31 to 40 years old, holding a bachelor’s and master’s degree (PwC, 2014).
While financial services institutions believe that cyber crimes are increasing, many believe that it will not happen to their own organization. According to PwC, “There is a stark disconnect in the perception of cybercrime risk within financial services organizations. Respondents from the internal audit, compliance and risk functions thought it was more likely than unlikely that their organizations would experience cybercrime while the opposite was true for finance and executive management respondents” (PwC, 2014). Some financial services institutions believe that cybercrime has decreased, have become complacent, and do not believe they are at risk. Cybercrime fraud is a business risk, no longer just an information technology risk.
Insurance companies are warning that a new era of cyber fraud is occurring and is impacting financial institutions that are uninsured. An independent lab revealed that in the first quarter of 2015, cyber theft of more than $1 billion had impacted over 100 banks in more than 30 countries; cyber criminals installed malware that gave them access to the banks’ internal operations and ATMs, and the cash was collected using mules (Bronson, 2015). Hackers used social engineering and phishing to acquire access to ATM controls, resulting in one bank losing over seven million dollars; currently, there is no insurance coverage for this type of crime, and coverage is not available under almost all financial indemnity, crime and banker’s blanket bond policies (Bronson, 2015). Financial institutions, payment processors, online gaming companies, and companies using bitcoin and other cryptocurrencies are at risk (Bronson, 2015).
Managing Cyber Fraud
Financial services institutions can protect themselves. To protect against internal fraudsters, PwC suggests the following: “(1) Define the organization’s strategic aspiration for ethical business conduct – ensure that a clear vision is set and that it is effectively communicated to all in the organization; (2) Assess the organization’s current integrity risk exposure (e.g. by conducting a gap analysis for misalignment between intended, expressed and actual behavior) and define the risk tolerance level; (3) Identify and address the drivers of undesirable behaviors within the organization. For instance, review the organization’s recruitment policy and ‘ethos’, communication round risk and reward and other behavioral triggers” (PwC, 2014).
External risks continue to exist and evolve. The PwC survey revealed that recent attacks took place across mobile networks (PwC, 2014). In the United States, large increases in cybercrime against financial services institutions ranged from “outages created by Distributed Denial of Service (DDOS) attacks to massive ATM withdrawals effected by organized criminal groups” (PwC, 2014); credit card fraud has become more pervasive because the U.S. has not fully embraced Chip and PIN systems at all institutions (PwC, 2014). In Japan, phishing scams continue at elevated rates and target “bank customers’ personal computers via virus, using fake pop-up windows or e-mails masquerading as legitimate internet banking interfaces to trick customers into inputting their personal information safely” (PwC, 2014). The geography of cybercrime is also changing, reflected in a rise in cybercrime originating from Africa as initiatives to grow broadband services in the region expand and as cybercriminals relocate from Europe to South Africa (PwC, 2014).
Globally, regulators recognize that cybercrime is a systemic risk because financial institutions manage huge monetary assets and confidential, sensitive customer data. The risk affects not only financial institutions but other types of businesses as well. United States regulators require cyber incidents of a material nature to be disclosed in registered public company filings, such as SEC 10-K filings (PwC, 2014). Financial services institutions need to educate employees at all levels, from the C-suite to junior management, about cyber threats.
Reducing cyber fraud is the entire organization’s responsibility. There are different types of cybercrime, from hacking to data theft, which affect different functions of the bank in varying ways, and understanding potential fraudsters and their motivations is critical. Institutions need to conduct regular, ongoing tracking and monitoring; personal and sensitive data must be guarded; and back-up policies and business continuity plans must be established. Organizations need to manage mobile banking applications by forcing all traffic from these devices to complete a security check (Raistrick, 2014). Inline blocking is an option for GoZeus and Cryptolocker, as is controlling software update processes (Raistrick, 2014). Employees need to understand that downloads must come from official sites. Network segmentation and next-generation firewalls can enhance security platforms and should be utilized (Raistrick, 2014). Financial services management must continue to understand the types of risks that are occurring, along with best-in-class cybercrime practices. Financial services institutions’ losses must be tracked, documented and reported in order to understand the impact, address recovery levels, and establish more effective countermeasures, including insurance coverage. Managing cyber fraud requires consistency and diligence.
- Bronson, C. (2015). “New era” of cyber crime leaves financial institutions uninsured. Insurance Business. Retrieved February 2016, from http://www.ibamag.com/news/new-era-of-cyber-crime-leaves-financial-institutions-uninsured-21615.aspx
- Eddy, N. (2014). Financial Institutions Under Constant Threat From Cyber Criminals. eWeek. Retrieved February 2016, from http://www.eweek.com/small-business/financial-institutions-under-constant-threat-from-cyber-criminals.html
- PwC. (2014). Global Economic Crime Survey 2014. Retrieved February 2016, from http://www.pwc.com/gx/en/services/advisory/consulting/forensics/economic-crime-survey.html
- Raistrick, A. (2014). Financial institutions and Cybercrime: It’s only just begun. Banking Technology. Retrieved February 2016, from http://www.bankingtech.com/235512/financial-institutions-and-cybercrime-its-only-just-begun/