How private banks can shore up their cyber defences
By Ali Al Enazi

The wealth management industry makes a tempting target for cyber criminals. What can be done to stop them?
With low levels of security and counter-productive regulations, private banks increasingly find themselves at the mercy of cyber criminals, according to speakers at this year's PWM Innovation in Wealth Management Summit.
“If we talk about wealth management in particular, phishing and ransomware normally get a lot of attention,” said Ganna Pogrebna, lead for behavioural data science at the Alan Turing Institute.
In recent years, major players including JP Morgan and Bank of America have been victims of ‘phishing’ hacks, she added, with vulnerability to cyber attacks emanating from a combination of “human psychology” and poor infrastructure.
As a target for hackers, the financial sector is second only to the healthcare sector, according to the Bank for International Settlements. “When we go to organisations, in 80 per cent of cases, not only are they not well prepared, they also often don’t know whom to call in case of an attack,” said Ms Pogrebna.
However, some behavioural tools have been developed that can detect cyber attacks, she said, highlighting the newly-built human cyber security sensor.
“This tool shows you a screen with a potential cyber attack,” she said. “It asks you: do you think it could be the beginning of a cyber attack?”
Human behaviour
For the majority of cyber attacks, humans fail to understand the full scope of the event. “We focus a lot on education, on phishing, probably ninety per cent of our focus is on education,” said Ms Pogrebna. “Cyber security is about don't click on this, or don't click on that,” she added.
But this approach is not always possible or sustainable, as Ms Pogrebna pointed out: “For my book, I was interviewing a bunch of organisations in the City of London, where there was a CEO who clicked on the wrong link twice, and they switched off her email.”
Among factors that play on human psychology, Ms Pogrebna highlighted QR codes and the sharing of internet data with third parties.
Deep fakes
Deep fake videos, allowing actors to fake someone's voice, were also highlighted as a major threat to the financial sector. Earlier this year, a finance worker in Hong Kong at a multinational firm was duped into paying out $25m to a fraudster using deep fake technology to pose as the company’s chief financial officer in a video conference call.
In the 1990s such information was not readily accessible, but “now this type of information is available to anybody”, said Ms Pogrebna. She added that fraudsters can “deliver it at speed with a lot of sophistication”, which will allow it to be “scalable”.
According to Ms Pogrebna, financial services organisations are making it easy for criminals. “For example, your job adverts give away a lot of information, from what systems you are running to whether you use Windows or not. Criminals can exploit this,” she told the audience of high-tech wealth managers in London.
“The most sophisticated tools that we have currently, with standard machine learning is deception systems,” she said. “So a lot of my job is, for example, designing these mazes for cyber criminals – so we wait for them in the right places, collect a lot of forensic information when the attack is in progress, and then prosecute if we can.”
Exploiting regulations
While the industry is mired in debate about whether its regulatory system is fit for purpose, cyber criminals have taken the opportunity to exploit that very system, said Ms Pogrebna, who asked the summit audience whether they knew cyber criminals' most common monetary demand. According to the General Data Protection Regulation, the fine levied for failing to disclose an attack is up to €20m or 4 per cent of total annual turnover. Cyber criminals typically ask for this amount.
Ms Pogrebna offered a stark warning to the audience: “If you are in regulation, please think what you put in these regulations, because sometimes you can give people ideas.”


