Technological change: Competitive advantage or point of weakness?
Digitalization is advancing. Many companies including banks and financial service providers are moving towards a paperless office or to multi-channel distribution via the internet, mobile apps, etc. On the one hand, more rapid communication with the customer is enabled through larger server and storage capacities, faster computers and data cables and thus, correspondingly faster response times. On the other hand, however, such change also brings with it virtually daily attacks from hackers on the computer systems, i.e. on the operating and application software of German banks.
If you look at IT security in the finance sector, banks and other financial service providers are in particular an attractive target. Hackers have zeroed in on not only stealing the bank’s money, but also essentially also customer data. A typical financial institution is attacked an estimated 80 to 100 times per year and the number of cyber attacks at global and national level is continuing to rise. The variety of attack methods via various access points poses a high risk and can cause significant disruptions to operational processes, such as for example operational interruptions, data loss or data protection violations, reputational damage, loss of assets, even so-called “cyber liabilities”, the liability claims from the customers concerned. These hacker activities are now also recognized as very serious dangers by the regulatory authorities (European Central Bank, Federal Financial Supervisory Authority (BaFin) and the German Federal Bank) – completely separated from the future requirements on the operators of critical infrastructures which some larger banks also have to deal with at present. This perception is even more so present if there is also the impression that the IT security systems of the banks suffer from deficiencies. The supervisors of the European Central Bank, the Federal Bank and the BaFin came to this conclusion when testing the IT systems, as BaFin President Felix Hufeld reports in an Interview in the BaFin Journal. As a result, you must certainly expect higher capital requirements for such cases owing to existing IT deficiencies. The cyber risk can therefore now be considered one of the major risks for the German financial sector. Even though banks are only mentioned in the previous context, it can be assumed that corresponding tests will also be carried out in due course for other regulated companies such as financial service providers or insurers.
What does cyber risk specifically mean
The term “cyber” basically means computer-controlled processes or virtual worlds generated by them. The following attacks, amongst others, may come up as cyber risks:
Sabotage attacks on a web server
Hacking mobile apps/web services
Tricking virus scanners using crypto Trojans
SQL injections (database attacks), e.g. using falsified bar codes
Bypassing Windows password protection
Attacks on smartphone lock codes
Attacks on payment systems
When considering these examples, it quickly becomes clear that external hardware components are used in most cyber-attacks, for example a previously-modified USB stick or a small Trojan program, which is for example slipped into the internal IT circuit with the help of an email. External attackers therefore always require internal access to influence the bank’s technology in this manner. In this respect, it may be assumed that the cause of such a risk is 70% “internal”.
Measures against cyber risk
For this reason, a major focus should be put on the internal risk situation, or awareness. For the topic of awareness, it is also necessary to for example actually also live by the BSI principles. When operational errors occurs, this should not have any personal consequences for employees since mistakes will otherwise not be mentioned where possible. The following principle is better: If something happens, internal training should for example be carried out to avoid mistakes recurring. Deliberate errors are naturally excluded from such a principle.
The measures to be implemented are, however, not only limited to the company per se, but also relate to its outsourced services. The access possibilities are increased to this effect because banks are increasingly shifting more IT areas to specialized providers. This means that the external service providers commissioned by banks transfer special activities such as for example software development to further external service providers which thus increasingly puts a focus on bank supervision.
Read about our focus topic article “Outsourcing and external procurement in the IT of banks according to MaRisk and BAIT”.Read
Regulatory requirements for more security
In addition to the already embedded publication on the minimum requirements for risk management (MaRisk), there is a further circular from the BaFin on the bank supervisory requirements for IT (BAIT). The awareness of cyber risks should also be increased thereby at management level which, in addition to specifying an IT strategy also for example includes implementing suitable damage management.
How can we support you?
As is often the case, the devil is in the detail. Q_PERIOR stands by you as a reliable partner with specialist and IT experts and will accompany you during the implementation process of your IT security. There is a lot that you can do with regard to the audit. We focus on testing and consultancy on the topic of awareness owing to the significant “internal” risk situation. This includes:
Testing and consultancy on strategy:
Does your institution have an IT strategy customized to the business and risk strategy?
Does your company strategy suitably include the corresponding security aspects in addition to profitability of a potential strategy field?
Do you treat your IT and cyber risks with just as much care as your existing traditional risks in order to ensure a comprehensive and group-wide cyber defense?
Are there robust overviews on the IT landscape including all components of any heterogeneous IT architecture (front end, middleware, host applications)?
Are there possibly multi-stage security areas geared thereto, suitable emergency plans and security updates?
Does your strategic development of IT also include individual data processing in the specialist areas in addition to information security organization?
Testing / consultancy on IT security:
Are contracts for external procurement of IT services (these are for example services rendered once) designed similar to the contracts for outsourcing in your institution?
How do the requirements for outsourcing/partial outsourcing of the IT processes reflect on intra-group or even external service providers?
When designing the IT systems and the associated IT processes, did you ensure the basic obligation for emphasis on conventional standards (e.g. ISO 2700X, BSI basic protection catalogs?
Testing / consultancy on IT security:
Testing of the IT infrastructure, associated business processes and IT security design/IT security management
Is encryption software (BSafeguard), Bitlocker, etc.) specifically adapted or configured (hardening)?
Is patch management operated and monitored (basic rule: NEVER leave it out)?
Are there maintenance contracts for anti virus software and firewall?
In your institution, in the context of application development (including for applications developed and operated in specialist areas), is there
– overview documentation understandable for third parties?
– a code readable for qualified third parties?
– a central register for these applications?
– administration and suitable controlling of the state of the IT systems (including their components and connections)?
– processes for changing the IT systems which are suitably designed depending on the complexity of the systems (including acceptance and preparation of change requests)?
– monitoring and controlling deviations from normal operation?
Coaching and advice
IT governance training of audit departments
Accompanying audits under the leadership of audit manager
You can find more on the impacts of possible cyber attacks on IT systems and how you can prevent them with an IT security management system (ISMS) in our focus topic article.Read