What do Regulators and Cyber-criminals Have In Common? They’re Watching You.

May 12th, 2016

Cybersecurity Risks are growing and so are regulatory measures intended to mitigate these risks – this was a key finding in Clutch’s Annual Regulatory Highlights Report 2016 that charts the critical issues of concern to regulators globally. Here we explore what these concerns mean for global companies.

The most successful bank robbery is the one you never hear about. Cyber-criminals who used the malware Dridex to steal critical account information of infected users thought they were committing the perfect crime. Conservative estimates suggest they made $100m through banking fraud before October 2015 when the FBI put a temporary stop to the distribution of the malware. Recent reports suggest that the cyber-gang is back – stronger than before.

What the example of Dridex tells us is that cybersecurity is a global battlefield in which regulators, enforcement entities, and criminals are vying for supremacy in what is likely to be a protracted struggle.

So where do global companies fit in? It’s critical for firms to ensure they have adequate controls in place. Otherwise they are at risk on two fronts – attacks from cyber-criminals and enforcement actions from regulators.

What Are The Risks?

On March 2nd 2016, the International Organization of Securities Commissions (IOSCO), published its Securities Markets Risk Outlook 2016, a report aimed at identifying emerging risks in the securities market.

In the report, IOSCO identified cyber-threats as a key risk to stability. Within cyber-risk, there are four particular areas of concern. Firstly, denial of service attacks – these involve targeting exchanges, banking services, or other infrastructure in a way that may undermine the integrity of the financial system. Such attacks could obstruct the functioning of markets.

Secondly, there is the direct theft of confidential data or monies. This affects both financial services firms and customers/investors. A Dridex attack falls within this category. Thirdly, there is the threat of reputational damage for financial services institutions. And lastly, there is the possibility of hacking in retail banking. Mobile payments, digital wallets, contactless payments and online banking are easy and efficient methods for retail payment but are vulnerable to cyber-criminals.

Ok, So What?

Recognizing the existence of these risks is just the first step for firms worldwide. Global regulatory bodies are setting standards and companies need to act swiftly to meet these new requirements.  IOSCO recently published a further report in April encouraging market participants across the world to adopt security measures.

Meanwhile on the 9th of May the European Banking Federation (EBF), the Global Financial Markets Association and the International Swaps and Derivatives Association (ISDA) announced they are seeking to encourage effective global policy measures on cybersecurity, data and technology through a new set of common principles.

Here is a breakdown, jurisdiction by jurisdiction, of some individual regulators’ responses to heightened cybersecurity risks.

USA:

President Obama’s 2017 budget proposal allocates $17bn to cybersecurity, representing a 35% increase on the U.S. government’s current spend. Earlier this year, he unveiled a Cybersecurity National Action Plan primarily designed to improve the government’s own understanding of cyber-risks.

Meanwhile, the Federal Reserve is engaged in several initiatives to develop industry cyber-risk standards and the Office of Inspector General (OIG) stated that the Federal Reserve’s number one management challenge is to enhance oversight of cybersecurity at supervised institutions.

Already, companies are exploring Cyber Insurance as a way to mitigate emerging risk especially coverage that includes breaches to third-parties such as the one suffered by Target. Other measures companies are investing in order to improve their standing in the eyes of regulators include Endpoint Security such as the ones offered by Symantec and Carbon Black and decreasing or eliminating their reliance on manually updated controls.

Europe:

In an effort to ensure harmonized cybersecurity standards across the EU, the European Commission (EC) and the European Parliament made concerted progress in introducing EU-wide legislation on cybersecurity. The legislation is expected to be ratified in the next few months with domestic implementation likely to be scheduled for two years hence.

Earlier in 2015, the Bank of England’s Financial Stability report recommended that the Bank, the Prudential Regulatory Authority (PRA) and the Financial Conduct Authority (FCA) work with key financial services firms to ensure that they complete CBEST (a vulnerability testing framework) tests and adopt individual cyber-resilience action plans.

Asia:

In September of 2015, the Hong Kong Monetary Authority (HKMA) issued a circular on cybersecurity risk management that set expected standards for banks, including clear management accountability for cybersecurity, internal risk management measures and regular evaluations of internal cybersecurity controls.

In Singapore, the government recently established an agency for national cybersecurity. The new Cyber Security Agency (“CSA”) will tackle strategy and policy development in relation to the cybersecurity challenges and capabilities in Singapore, and will oversee sectors such as banking and telecommunications to enhance their response to cybersecurity threats.

In Conclusion – What This Means For Companies Worldwide:

Beyond the risks from cyber-attacks, there is a growing regulatory risk to companies if they fail to raise their cybersecurity standards. In the event of an attack, businesses will be increasingly subject to enforcement action should they lose personal data.

In 2015, the EU took further steps to introduce the General Data Protection Regulation (GDPR), Europe’s revised data privacy laws. The revisions to these laws will apply in early 2018, two years after their adoption by European Parliament and Council. Their influence on the way U.S.-based companies conduct business with their European divisions, vendors, and customers cannot be underestimated. If a company processes the personal data of EU residents through offering goods or services in the EU market, they fall within the scope of these laws. Non-compliance penalties can be up to 4% of annual turnover.

In the U.S., as recently as March 2016, the CFPB issued its first fine for data security breaches against the online payments start-up Dwolla. This could be an indicator that cybersecurity enforcement may intensify.

Overall, 2016 marks a critical year for companies to assess and address their vulnerability to breaches in cybersecurity. There are two parties alert to breaches – cyber-criminals and regulators. And, if any weaknesses are detected by either, companies will have to pay a hefty price.

For a consolidated view of the 18 of the world’s major global regulators policy and enforcement goals for 2016, download Clutch’s Financial Services Regulatory Highlights Report 2016

Charles Hastie

Charles Hastie

Charles Hastie is Regulatory Head at Clutch Group, working out of the company’s London office. Charles harnesses his long-standing regulatory investigation experience to develop strategic solutions for Clutch’s financial services clients. He establishes ongoing liaisons with key opinion leaders, government officials, and regulatory bodies to ensure that significant developments in the field are monitored and relayed to clients. For more information, contact Charles at charles.hastie@clutchgroup.com.