Brokerages must prepare for an increasing number of cyber-crime attacks.
Cyber-fraud experts and clearing industry officials say that when cyber-crime happens, the problem is primarily the responsibility of the financial institution involved. The broker-dealer is usually socked with most of the costs, and it also faces the potential destruction of its business by malicious hackers, according to fraud experts.
The financial services industry has become a preferred target of cyber-criminals, say executives of clearing brokerages that are studying the issue.
First Clearing and others in the financial services industry are issuing these warnings. They are saying that cyber-crime is becoming a massive threat to brokerages, as well as to exchanges and, indeed, the entire financial services industry. In a white paper, First Clearing says there were around $388 billion in cyber-fraud losses in 2011. And that makes cyber-crime “larger than the global markets in marijuana, cocaine and heroin combined,” according to the paper, titled “Getting Serious About Cyber Risk.”
The report calls for firms to adopt the “four pillars” of risk management, which First Clearing and others offer as services: educational support, consulting, educational events and technology tools to stop cyber-fraud.
The report also calls for brokerages to candidly evaluate their vulnerabilities and how they will respond to hackers’ attacks.
See Chart: PwC UK Crime Findings
“The best, most effective way to measure or implement an appropriate security posture,” the report says, “is to undertake a guided third-party risk assessment. If an attacker were probing your defenses today, are you comfortable you would even know?”
FINANCIAL SERVICES TARGETED
Cyber-crime accounts for nearly half of all fraud reported in the financial services sector: 44 percent of financial fraud is cyber-fraud, according to a 2012 worldwide survey by PricewaterhouseCoopers UK that had around 4,400 respondents.
“It is scary. It’s hard to look at those facts and not have some level of concern,” said Chris Valenti, who coordinates the Information Service Initiative for First Clearing.
“The risk is urgent for all businesses,” added First Clearing chief risk and quality officer Al Caiazzo.
Valenti said that part of the problem is that it is much easier to attack a system than to defend. “However, it is not impossible. Defending is a layered thing. It is not just throwing up one big wall,” he said.
One critical element of defense is convincing the industry of the seriousness of the problem, especially smaller and midsize brokerages, industry experts say. Indeed, one surprising result of the PwC UK poll is that about half of the senior executives surveyed don’t know if cyber-fraud is a problem at their firm.
Acknowledging the potential risk is critical, industry experts say.
“We believe what firms must do is take steps to understand what their risks are and understand how much ability they have to absorb those risks,” Caiazzo said. He said the financial services industry is vulnerable, the same as any other, because it is increasingly depending on technology to conduct business.
The problem is growing and can take various forms.
See Sidebar: Fighting Cyber Fraud
One is an attack on a public network, for instance a denial-of-service attack that makes a public-facing service unavailable. This affects the public Internet channel. An example happened in Hong Kong, when trading in certain securities was suspended because the site that publishes official news about securities was under attack, said Michael Leibrock, vice president of systemic risk at the Depository Trust and Clearing Corp. In this case, Leibrock said, the actual trading and matching engines continued to operate because most core functions, such as clearing and trading, run on a separate private network.
More serious, destructive attacks, he added, have the potential to affect the normal market infrastructure. These can be systemic attacks.
“These attacks occur inside the security perimeter of the exchanges or the market infrastructure, while the others are happening at the market edge,” Leibrock said. There have been many attacks of the first kind at the edge, the denial-of-service kind, recently, and almost none inside the perimeter.
The securities industry, or at least the biggest firms, is taking the problem more seriously. Big brokerages have banded together with the industry utility, the DTCC, to focus on cyber-crime. Yet technologist Bruce Schneier warns that cyber-criminals are relentless.
“History has taught us never underestimate the amount of money, time and effort someone will expend to thwart a security system. It’s always better to assume the worst,” said Schneier, a fellow at the Berkman Center for Internet and Society at Harvard Law School.
Financial cyber-fraud has several dangerous aspects that threaten clearing brokerages as much as low volumes and low interest rates do. Industry observers say many firms aren’t even aware of the problem, which often takes the form of unauthorized wire transfers. Such illegal transfers average $183,000.
FINRA recently warned against this type of fraud. It told firms to take additional steps to ensure that a wire transfer request is legitimate. In practice that means adding manual verification steps rather than relying solely on the electronic communication that carried the request, since the channel the instruction arrived on may be the one the attacker controls. Ironically, this push toward manual checks comes at a time when the industry is trying to become more electronic, a kind of catch-22 for the brokerage business.
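The control FINRA's warning points at is easier to see in code than in prose. The following is an added example, not FINRA's guidance text or any firm's production system: a wire-release policy that refuses to act on an electronic instruction alone and instead requires a callback to the phone number already on file, placed by a different operator from the one who keyed the request. The thresholds, the three-day "new beneficiary" window, the field names and the sample requests are all constructed for the example.

```python
"""Illustrative wire-release control around out-of-band verification.

Added example, not FINRA's guidance text or any firm's code. Policy values,
record layouts and the sample requests below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed policy values (not regulatory figures).
CALLBACK_REQUIRED_ABOVE = 10_000.0          # electronic requests at/above this need a callback
NEW_BENEFICIARY_WINDOW = timedelta(days=3)  # beneficiaries added more recently count as "new"


@dataclass
class ClientRecord:
    account_id: str
    phone_on_file: str                       # captured at onboarding, never from an inbound message
    beneficiaries: Dict[str, datetime]       # beneficiary account -> date first added


@dataclass
class CallbackRecord:
    number_dialed: str
    performed_by: str                        # operator who placed the call
    confirmed: bool                          # client verbally confirmed amount and beneficiary


@dataclass
class WireRequest:
    request_id: str
    amount: float
    beneficiary: str
    channel: str                             # "email", "web", "phone", "in_person"
    keyed_by: str                            # operator who entered the request
    phone_in_message: Optional[str] = None   # a number the message itself asks us to call
    callback: Optional[CallbackRecord] = None


def evaluate(req: WireRequest, client: ClientRecord, now: datetime) -> Tuple[str, List[str]]:
    """Return ("RELEASE" | "HOLD" | "REJECT", reasons) for one wire request."""
    reasons: List[str] = []
    electronic = req.channel in ("email", "web")
    added = client.beneficiaries.get(req.beneficiary)
    new_beneficiary = added is None or (now - added) < NEW_BENEFICIARY_WINDOW

    if req.phone_in_message and req.phone_in_message != client.phone_on_file:
        # Classic fraud pattern: the message supplies its own "call me here" number.
        reasons.append("message supplies a contact number that differs from the number on file")

    if not (electronic and (req.amount >= CALLBACK_REQUIRED_ABOVE or new_beneficiary)):
        return "RELEASE", reasons + ["no out-of-band verification required by policy"]

    cb = req.callback
    if cb is None:
        return "HOLD", reasons + ["electronic instruction held pending callback to number on file"]
    if cb.number_dialed != client.phone_on_file:
        # Calling a number taken from the message proves nothing; the attacker answers it.
        return "REJECT", reasons + ["callback went to a number not on file; verification void"]
    if cb.performed_by == req.keyed_by:
        return "HOLD", reasons + ["dual control: verifier must differ from operator who keyed it"]
    if not cb.confirmed:
        return "REJECT", reasons + ["client did not confirm amount and beneficiary"]
    return "RELEASE", reasons + ["confirmed out of band by a second operator"]


def demo_scenarios() -> Dict[str, str]:
    """Constructed cases; returns request_id -> decision."""
    now = datetime(2012, 9, 1, 10, 0)
    client = ClientRecord("ACCT-1", "+1-555-0100",
                          {"BENE-OLD": now - timedelta(days=400)})
    cases = [
        # small wire to a long-standing beneficiary: policy lets it through
        WireRequest("w1", 2_500.0, "BENE-OLD", "email", "op_a"),
        # large e-mailed wire with no callback yet: held
        WireRequest("w2", 50_000.0, "BENE-OLD", "email", "op_a"),
        # new beneficiary, message supplies its own number, callback dialled that number: rejected
        WireRequest("w3", 50_000.0, "BENE-NEW", "email", "op_a", phone_in_message="+1-555-0199",
                    callback=CallbackRecord("+1-555-0199", "op_b", True)),
        # correct number, but the same operator keyed and verified: held for dual control
        WireRequest("w4", 50_000.0, "BENE-OLD", "email", "op_a",
                    callback=CallbackRecord("+1-555-0100", "op_a", True)),
        # correct number, second operator, client confirmed: released
        WireRequest("w5", 50_000.0, "BENE-OLD", "email", "op_a",
                    callback=CallbackRecord("+1-555-0100", "op_b", True)),
    ]
    return {r.request_id: evaluate(r, client, now)[0] for r in cases}


if __name__ == "__main__":
    for rid, decision in demo_scenarios().items():
        print(rid, decision)
```

The two checks that do the real work are that the callback number comes from the client record rather than from the message, and that the verifier is a different person from the operator who entered the request; the amount threshold and new-beneficiary window only decide when those checks are triggered.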
And the problem of cyber-fraud isn’t limited to firms. Big exchanges that clearing firms use are also under attack. For example, about half of exchanges reported experiencing a cyber-attack in the past year, according to a survey conducted by the Committee on Payment and Settlement Systems/Technical Committee of the International Organization of Securities Commissions.
The problem is also legal. Most legal sanctions have not been effective enough to prevent these attacks, according to a DTCC report, “A White Paper to the Industry on Systemic Risk.”
According to the DTCC paper, exchanges view “cyber crime in the securities markets as a potential risk, citing the possibility of massive financial and reputational impact.”
The DTCC, the clearing industry’s utility, says it is making the fight against cyber-fraud a priority. For example, it is working with firms as well as the United States Department of the Treasury and the United States Department of Homeland Security to define “critical infrastructure” and to foster closer cooperation between the federal government and key industry participants.
DTCC officials also warn that the cyber fraud threat will increase in the next few years and become more sophisticated. One reason why these attacks will be more challenging and frequent, DTCC officials say in echoing others in the industry, is that it is easy to hide in cyberspace.
“Attackers benefit from their anonymity and the lack of attribution as well as their existence outside U.S. and E.U. (European Union) jurisdictional boundaries, all of which minimize the probability of prosecution,” according to the DTCC White Paper.
“Due to the asymmetric nature of the Internet,” the paper continued, “it is very inexpensive for an attacker to launch an attack and very expensive for the defender to defend against those attacks.”
Indeed, it could be very expensive for the financial institution, the target of choice for most hackers, because the institution is usually on the hook.
When the problem happens, it is mainly the financial institution’s to deal with, according to regulators.
Regulation E (12 CFR 205.6), which implements the Electronic Fund Transfer Act, limits how much a consumer client has to pay for unauthorized electronic transfers. If the client notifies the institution within two business days of learning that an access device was lost or stolen, the client is liable for at most $50; after two business days, liability can rise to $500 (and unauthorized transfers not reported within 60 days of the statement that shows them can leave the consumer fully liable). The rest of the liability belongs to the financial institution. The institution, the First Clearing paper notes, could become the biggest victim of cyber-fraud.
“Although consumers are well protected, corporations are not. When it comes to commercial liability, Regulation E sets no limits,” the First Clearing report says.
“Should one of your clients become the victim of cyber fraud, your financial institution is expected to absorb the losses in excess of the consumer’s protection limits,” the report cautions.
Some firms try to protect themselves by carrying insurance against cyber-fraud. But, said one clearing industry executive who didn’t want to be quoted by name, “firms can’t collect on these policies unless they can demonstrate they had taken the right steps to protect against the problem.”
What are firms to do?
First, one must try to understand the cyber-criminal/hacker (See Sidebar “How to Defend Against Cyber Fraud”). Second, firms should think differently about how they defend themselves from cyber-attacks, says First Clearing’s Valenti. The firm should construct layers of protection, where one layer can compensate for the problems of another.
“When people think of defense, they think of a great wall, and that’s all they can do. It should be a series of layers,” Valenti said. These might include policies, procedures and various technologies that “can complement each other.”
This layered, defense-in-depth strategy is designed to slow attackers down, so that the chance of detecting them before they succeed improves.
“This multifaceted defense,” Valenti added, “will mean it’s not impossible to stop cyber-fraud.”
Security technologist Schneier also cautions financial services executives to assume the worst: that the technology of fraud will continue to progress. In that case, he says, be prepared for a problem that will be bigger than it is today.
“Give yourself a margin for error,” Schneier said. “Give yourself more security than you need today. When the unexpected happens, you’ll be glad you did.”