Addressing cyber security risks in the financial sector
The momentous growth in the digitalisation of the finance industry over the last decade(s) has transformed the sector to a point where an increasingly wide variety of financial services are now becoming available to more and more people, faster than ever before.
This is not only because digitalisation allowed us to connect across greater distances, but also because it expanded our storage and processing power, thereby enabling our financial (and its subsidiary) systems to get bigger and more complex.
In that regard, what many may not know is that when you linearly increase the intricacies of a complex system, the risk associated with it goes up exponentially as a consequence. That is why it is always important to have additional safety measures placed into a system that is advancing in complexity, to serve as a counterbalancing force against the heightened systemic risk.
Unfortunately, this is one lesson we have been taught the hard way—or have at least been made to dearly pay for, regardless of whether we've learnt the lesson or not. By that, I am, of course, referring to the Bangladesh Bank (BB) heist, whereby more than USD 80 million was stolen (some of which has been recovered) by hackers from the Bangladesh central bank, via the Federal Reserve Bank of New York, before being transferred to the Philippines and laundered through its casino system—another USD 20 million was successfully traced to Sri Lanka and has since been fully recovered.
Investigations in Bangladesh and the Philippines, and by the FBI, following the BB cyber heist revealed something even more concerning—that hackers were able to exploit weaknesses in the “supposedly secure global money transfer system known as SWIFT”, which banks use for major money transfers between themselves, according to Al Jazeera. But the specifics of what weaknesses were exploited in the SWIFT system are yet to be made clear.
At one point, SWIFT even refuted this claim, blaming instead weaknesses in the security of the Bangladesh central bank for the breach. According to SWIFT, hackers had used relatively simple malware to target the BB's computer system to bypass the primary risk controls, initiate irrevocable fund transfer processes and tamper with statements and confirmations that would normally act as secondary controls.
Having initially denied SWIFT's claim, BB hired a US-based firm to lead the investigation. Their investigation, similar to SWIFT's, found “footprints” of the hackers' malware, which also pointed towards a breach in its system.
An internal forensic investigation by the BB found that this malware was installed within the bank's system sometime in January 2016, and had been sitting there for a month gathering information on the bank's operational procedures for international payments and fund transfers. Having gathered this information, the hackers had waited for precisely the right time to launch their attack—that is, right before a weekend to avoid immediate detection.
Despite the findings of these investigations, the entire series of events that led to the theft remains unclear. Many investigations are still ongoing, and negotiations for recovering the stolen money are continuing between the different parties.
However, one positive to take from this is the seemingly increased urgency among government officials to strengthen the cyber security of the country's financial institutions, including the central bank. For example, according to a report by The Daily Star, “the BB has taken up a major remediation plan involving around Tk 200 crore to strengthen its security system”, which was planned to be implemented by June this year.
In August, the BB also cautioned all scheduled banks about cyber attacks and urged them to boost their security measures following similar attacks in India where hackers siphoned off nearly USD 13.5 million through simultaneous withdrawals across 28 countries. And, in accordance with that, one thing that should perhaps be well understood is that hackers usually look for one point of weakness along the connected chain of financial institutions and services, which they can then breach and use to access the entire string.
Thus, it is not only important for the central bank to improve its safeguards to avoid another disaster, but for all financial institutions in our country to do the same, and for our financial security experts to be in constant communication with others around the world to ensure that the integrity of our financial system is well maintained.
At the end of the day, cyber security has become a matter of great importance and concern, as can be seen by events across the world in recent years. However, perhaps because of a lack of understanding, banks and top banking officials are still reluctant to invest in full-scale security measures, without which the safety of the entire financial system cannot be guaranteed. The National Cyber Security Index 2018 report points out that while Bangladesh is very invested in fighting cybercrime and building military capability to do the same, there is zero progress in the area of cyber threats analysis and informing. The index is built by the Estonia-based e-Gov Academy.
This is where regulators must intervene and involve cyber security experts, as it needs to be understood that the cost of ignoring such threats in the long run is going to be much higher, and that the damage that can be done to the cyber networking infrastructure as a result, as well as to consumer confidence, is simply not worth the risk.
Eresh Omar Jamal is a member of the editorial team at The Daily Star. His Twitter handle is: @EreshOmarJamal