Authored by: Haydn Lightfoot, Sr. Director of Business Consultancy
James Ellis, Sr. Consultant of Business Consultancy
If financial institutions were not already treating cybersecurity as a priority, the attack on the Bangladesh central bank in February 2016 made it one. Hackers managed to steal over $100m, of which only a small proportion was later recovered. Later in the year, Tesco Bank saw £2.5m drained from around 9,000 customer accounts when criminals broke into its systems. Losses do not come only from fraudulent transactions: in May 2017 the WannaCry attack crippled a vast number of computers, including National Health Service systems across the UK, and in September Equifax saw the personal information of 143 million Americans stolen. The combined costs of companies being forced offline for extended periods, of data recovery and ransom payments, and ultimately of reputational damage, are incalculable. Whilst the risk may be incalculable, however, that does not mean it cannot be managed and controlled.
For banks in particular, it is not a challenge to be faced alone. Regulators have provided guidelines, such as the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook, that help to protect against cyber-attacks; by the same token, regulators expect regulated entities to take steps to implement all of their requirements.