This past week the FFIEC issued a statement advising financial institutions to actively manage the risks associated with interbank messaging and wholesale payment networks. The FFIEC warned financial institutions to assess their risk and to determine the presence of risk management practices and controls. The FFIEC urged institutions to request specific security control recommendations from their payment system provider.
The statement came two weeks after the FBI issued a statement warning U.S. banks of a malicious cyber group targeting foreign banks. Recognized as one of the largest financial cybercrime operations to date, over $80 million was stolen from the Federal Reserve Bank of New York using Bangladesh Central Bank's credentials. According to the FBI’s statement, "The actors have exploited vulnerabilities in the internal environments of the banks and initiated unauthorized monetary transfers over an international payment messaging system."
While the perpetrator has not been identified and blame for the loss has yet to be determined, there are several key lessons we can learn from this to improve the cyber resilience of financial institutions going forward.
Compliance is no longer enough. The traditional mindset of protecting your bank’s perimeter security is no longer effective. You must begin to think about what happens once an attacker gains access to your system, whether through someone else’s credentials or a compromised node on your network.
Layered security is imperative. Proper network segmentation, firewalls, strong authentication and patching combined can provide for a more secure environment than any single control alone.
Ensure you are taking the proper steps to protect yourself. Conduct penetration testing and risk assessments on a routine basis.
Our biggest piece of advice for financial institutions: Go on the offense to secure your network. Employ an adversarial mindset with advanced penetration testing when it comes to protecting your data, network and reputation. Let an experienced third party help you understand the way a hacker will approach breaching your system.
Banks spent centuries perfecting the secure handling of tangible wealth. Every step of progress criminals made in stealing that wealth was addressed by improvements in physical security and the practices surrounding storing and transferring wealth. Today, wealth is not as directly tied to tangible assets as it once was. Cyber criminals can take advantage of the complexity of modern software and networks, as well as a lack of visibility, to steal much more effectively than their bank-robber ancestors. Banks must evolve their security to address these new threats by investing in cyber security and employing trusted partners that can test that security.