Banks scramble to contain rising cyber threat

The Sony hacking episode prompted corporate executives and banks to review cybersecurity measures amid an increase in server breaches.

The high profile hack on Sony Pictures last year rattled corporate executives worldwide. The cyber attack, believed to be the work of North Korean hackers and purportedly linked to the movie “The Interview,” a political satire on North Korean dictator Kim Jong-un starring Seth Rogen and James Franco, exposed the movie studio to embarrassing leaks of confidential e-mails.

The leaks revealed that female film stars such as Jennifer Lawrence and Amy Adams were paid less than their male co-stars and that producer Scott Rudin had called Angelina Jolie a “minimally talented spoiled brat” in a private e-mail exchange. In addition, personal details of Sony Pictures’s staff, including salaries and social security numbers, were disclosed.

Cyber attacks such as the one on Sony, which forced its co-chairman Amy Pascal to step down, have underscored the risks of cyber crime to executives even as they rapidly digitize their businesses.

“Senior leaders must compete at the digital frontier because that is absolutely the future of the business”, said Stephen Bird, Citi’s Asia Pacific chief executive while emphasising top management must be deeply involved in product development and constantly questioning how the bank detects and mitigates cyber risk.

JP Morgan last year found itself under siege from hackers, who gained access to the e-mail addresses and phone numbers of some 83 million US households and small businesses. Closer, Standard Chartered found itself in the cross hairs of Singapore’s regulator last year after bank statements belonging to 647 private wealth clients were stolen from a server at its printing company Fuji Xerox.

“We are pursuing digital engagement while constantly containing the cyber risk that comes with that opportunity,” said Citi’s Bird who added that he spends a significant amount of his time on product development and ensuring cybersecurity.

Consultants and industry players say banks are boosting spending on cybersecurity. In a 2014 PwC global survey of financial institutions, 75% of respondents said they were set to increase security spending in the next 12 months compared with the previous year.

“Our financial services firms have been very focused on cybersecurity threats for a good number of years and are currently spending vast amounts of resources both in terms of money, systems and personnel to ensure that systems are secure,” said Rebecca Terner Lentchner, head of policy and regulatory affairs at the Asia Securities Industry & Financial Markets Association.

At a conference last year, shortly after JP Morgan experienced the breach, CEO Jamie Dimon said the US bank would likely double up on cybersecurity spending in the next five years having spent about $250 million in 2014.

Amid a more stringent regulatory environment, banks cannot afford to be complacent. “We are making sure we have adequate infrastructure so we don’t have any risk [of] management hiccups,” Helman Sitohang, Credit Suisse’s CEO for Asia Pacific, told FinanceAsia in an interview.

Sitohang added that the need for watertight security was a general one. “It’s not only cybersecurity; we have to make sure we are covered from anything that could pose a threat such as market risk, credit risk and also regulatory risk,” he said.

Data protection

Breaches in cybersecurity are a problem for any bank but the loss of customer data is especially pressing. “Customers are increasingly worried about what’s happening with their data and want to know that all their data and, particularly, all financial records are being kept safe,” said Paul Haswell, a partner at law firm Pinsent Masons, who advises banks on data protection. “It only takes one bit of bad press to do irreparable damage to a financial institution like a bank.”

Market-sensitive information relating to mergers and acquisitions and banks’s internal discussions with boards are also vulnerable to theft as hackers become more sophisticated.

In the US in mid-2013, according to a report by US-listed cybersecurity firm FireEye, a group dubbed FIN4 stole M&A and other market sensitive information from more than 100 companies, targeting pharmaceutical companies that had ongoing drug trials as well as firms providing M&A advice. FIN4 stole usernames and passwords to e-mail accounts which allowed them to view private correspondence.

Bryce Boland, the chief technology officer for Asia Pacific at FireEye, who was previously the security chief technology officer at Swiss bank UBS, now leads cyber crime investigations. His passion for hacking technology began at the age of six, when he was soldering memory into his ZX-81 on the kitchen sink. These days, though, Boland dons a suit as he crusades against marauding cyber criminals.

FireEye's Bryce Boland

Over a coffee in Hong Kong’s Central area, Boland told FinanceAsia that every bank he has consulted has faced a cybersecurity breach in some shape or form. “They have all been compromised to some extent. Everyone we have investigated has had a breach. Every bank that we have assessed has been compromised by malware they didn’t know was there.”

So far, there have been a number of high-profile cybersecurity breaches for banks in Asia, but it is likely that many of the breaches have not threatened banks’s infrastructure to the extent that they hit the headlines.

The shift in banking from brick and mortar branches to mobile banking has left customers more vulnerable to cyber attacks. “One of the challenges of mobile banking [is that] people think these devices are secure but they’re not very secure. An attacker can compromise an app or deliver you a compromised app that does a variety of things,” Boland said.

In South Korea, a Chinese cybercriminal group dubbed the “Yanbian Gang” used fake mobile apps to steal data and siphon millions from mobile banking customers over a period starting in 2013. The hacking group targeted customers from KB Kookmin Bank, Hana Bank, Shinhan Bank, Woori Bank, and NH Bank, according to security software firm Trend Micro.

In the realm of private wealth, advisers are also concerned over the potential loss of data, given the confidential nature of their relationship with clients. “The wealth managers get concerned because they are holding a lot of sensitive information about high net worth individuals,” Boland said.

(With additional reporting by Alison Tudor-Ackroyd)

¬ Haymarket Media Limited. All rights reserved.