Clear command and control needed in cyber-crime war

With financial cyber-crime rising at alarming rates, Treasury committee chairman Andrew Tyrie believes greater focus is urgently needed.

Clear lines of accountability are vital in the fight against cyber-crime. Picture: Ian Rutherford

Members of the G20 often don’t see eye-to-eye on global issues, but on the pressing concern of financial cyber-crime they appear keen to adopt the “all for one and one for all” approach.

An agreement expected to be announced later this week by the finance chiefs of the world’s top 20 economies would see them present a united front in tackling the problem in a bid to shore up financial stability.

Treasury committee chairman Andrew Tyrie. Picture: Contributed

Prompted by the theft of some $80 million (£64m) in a cyber-attack on the Central Bank of Bangladesh in 2016, the finance ministers are understood to have agreed to pledge to help each other to fight attacks, wherever they stem from and wherever they strike.

Such a willingness to co-operate underlines the scale of the threat posed to the banking system by cyber-attacks.

The impact of global cyber-crime continues to rise at alarming rates and the financial services industry is a key target. Estimates suggest the cost will have reached some $2 trillion by 2019, a threefold increase from the 2015 estimate of $500bn. But there are fears that the reported figures are only the tip of the iceberg, with many breaches thought to remain under the radar as businesses and organisations are reluctant to admit to them.

In the UK, a National Crime Agency report into the issue warned that activity is growing fast and evolving at pace, becoming both more aggressive and technically proficient. It said the international crime groups targeting UK businesses are increasingly professional and have “industrialised” their criminal activity so they can act at scale.

“Some of these groups are now so well established and business-like that they have well-defined organisational structures, access to specialist skills and functions like call centres and translators,” it observed.

The threat posed to the UK financial services sector is an issue that has long concerned Treasury committee chairman Andrew Tyrie.

Prompted by failures connected to the IT systems of RBS, Barclays and HSBC between 2015 and 2016, Tyrie looked in detail at what had gone wrong in each case and what action was being taken to prevent future IT failures.

His conclusion was that banks need greater IT expertise at main board and senior management level. He also called for much greater resources to be put towards modernising, managing and securing banks’ IT infrastructures.

While Tyrie believes the banks themselves need to be doing more, in a letter to Chancellor Philip Hammond today he also urges much more clarity from government.

In November the Chancellor announced a £1.9bn strategy aimed at increasing the country’s defences against cyber threats. While the strategy was broadly welcomed, Tyrie believes there is a serious lack of clarity around public sector governance over the issue and that lines of responsibility and accountability for reducing cyber threats are currently blurred.

“The Chancellor has said that both a director-level group and a ‘governance framework’ provide a single point to address cyber issues in the finance sector. But who is in charge?” asks Tyrie in the strongly-worded letter.

“Is it the director or does the framework take precedence? Who is he or she? A headless framework scarcely inspires confidence.”

Tyrie said the set-up “sounds perilously resonant of the catastrophically inadequate and headless Tripartite authorities” set up to monitor system risk in banking in 1997.

The Tripartite system aimed to share the responsibility for financial regulation between the Financial Services Authority (FSA), HM Treasury, and the Bank of England.

“The problem with such committees and frameworks is that all too often they only get the attention they deserve after a crisis – when it’s too late. This must not be permitted to happen in the case of financial cyber risk,” said Tyrie.

“It is essential that the intelligence community, regulators and wider government are co-ordinated in making sure that financial cyber crime has a high priority, and is not subordinate to other work.”

Tyrie believes the consequences of getting it wrong could be severe: “Such a lack of co-ordination will inevitably lead to greater opportunities for criminals to exploit vulnerabilities in the banking industry’s IT systems. They are already under frequent attack.”

Given the scale of the challenge faced by financial services, Tyrie believes a single point of responsibility for cyber risk, with a direct line of accountability to a single official, in turn accountable to a single minister, is now needed.

Tyrie suggests that minister could be the Chancellor himself. Given the havoc a major cyber attack would wreak on businesses and individuals, it is a prospect Hammond is unlikely to relish.