Friday, 2 December 2016

Tesco cyber-attack provides regulatory food for thought

Every little helps when it comes to controlling the financial system, but Giles Kenwright of Delta Capita explains why the Tesco cyber-attack will hopefully trigger banks and regulators to look at the bigger compliance picture 

A cyber-attack that wiped £2.5 million from a major supermarket’s client accounts in just a few hours, should ring alarm bells across the boardrooms of Britain’s biggest banks. While the damage to Tesco’s brand reputation may be substantial, more significant still is that this attack could be a sign of things to come for the wider banking sector.

It is not as if the major players have been burying their heads in the sand. Eight of the largest firms, including JP Morgan, Bank of America and Goldman Sachs, teamed up earlier this year to tackle the growing cyberthreat. While still in its infancy, the group is already sharing information with eachother about where future threats could materialise. The trouble is that, at the same time, these conglomerates are entangled in the weeds of other regulatory issues, which is eating into time that could be spent developing a longer-term plan to tackle cybercrime.

MiFID II is a prime case in point. Just under a year out from implementation, there is concern that like many of the waves of recent regulation, it focuses on closing the stable door of problems that have already occurred. The expanded scope of asset classes with MiFID II to cover Fixed Income and OTC derivatives products, brings greater transparency for instruments that were central to the 2008 Financial Crisis. The greater precision demanded by the new clock sync rules, allows the regulation to catch up with the explosion in algo trading and HFT, addressing some of the lessons learned from the US Flash Crash, over six years ago.

So the key question is, what is the next big threat to the financial system and can the regulators be more proactive? Many senior banking executives are already well aware of the risk of cybercrime. But while a bank can get its own house in order, can it be sure that their counterparts are following suit? The global banking system is highly connected but only as strong as the weakest link. And there is more than one type of hostile actor at play, each with different objectives. While a criminal gang is likely to have profit as the primary motive, a ‘hacktivist’ group may want to obtain confidential data, and a rogue foreign state may want to delete or corrupt data without being detected, which may lead to greater disruption in the long-term.

Unfortunately, cyber regulation didn’t arrive in time to stop the Tesco breach, but what if the next instance were to involve a banking behemoth. Also, what if the amount of money involved couldn’t be absorbed by shareholders? Cybercrime has the potential to eclipse the Lehman Brothers collapse. There is a start at least; on 13th September, New York’s Department of Financial Services announced a new series of cyber security regulation, coming into effect in 2017. It only applies to New York state and is unlikely to be rigourous enough to protect the global banking system but it is a step in the right direction.

Let’s hope that politicians and regulators across the rest of the world follow suit, before there is a more significant cyber-security breach. There are a number of simple measures that banks can conduct to better protect themselves in the meantime. From regular ‘penetration testing’ of their computer interfaces, to ensuring that staff undergo awareness training as simple ‘confidence tricks’ can often bypass sophisticated controls. Outsourcing certain regulatory tasks could also free up some capacity for banks. While this approach may not provide all the answers, the recent attack on Tesco proves that every little helps when it comes to solving the longer term cybercrime challenge.

No comments:

Post a Comment