Speaking at the Reuters Financial Regulation Summit in Washington, Mary Jo White, the chair of the Securities and Exchange Commission (SEC) in the US, warned that cyber-crime is the most pressing threat to global financial systems.
The SEC found that in some cases, major exchanges, dark pools and clearing houses did not have cyber-policies in place that matched the risks they faced.
“What we found, as a general matter so far, is a lot of preparedness, a lot of awareness but also their policies and procedures are not tailored to their particular risks. As we go out there now, we are pointing that out,” White said, as reported by Reuters.
White said that the SEC was actively reviewing cyber-security defences of financial institutions to see if they are fit for purpose.
Her remarks come after the Bangladeshi central bank was defrauded of US$81 million (£56 million) due to a vulnerability in software used to make payments through the SWIFT system.
Tom Kellerman, chief executive of the investment firm Strategic Cyber Ventures and former member of the World Bank's security team, told Reuters that White's remarks on the subject were a “historic recognition of the systemic risk facing Wall Street.”
Kevin Bocek, chief security strategist at Venafi, told SCMagazineUK.com that in the wake of a breach security teams rush to issue a patch and think that their work is done.
“But banks need to realise that plugging the immediate security gap is just one step on the road. Kicking bad guys out and keeping it that way requires focused attention and making sure the basics are done right. Unfortunately, there is a trend of what Gartner describes as ‘lazy’ remediation: patching, but leaving the real vulnerabilities or weaknesses unsecured,” he said.
Werner Thalmeier, Radware's head of security in EMEA, told SCMagazineUK.com that the more complex infrastructure that banks operate in-house and through outsourced models (multiple datacentres through to cloud, hybrid cloud and virtualisation) demands a new approach.
“We're seeing greater adoption of real-time attack mitigation that uses behavioural analysis (i.e. an understanding of what is a normal pattern of use on the network) so defence plans can be invoked within seconds not hours of an attack. This approach also allows for the defence gaps in the many layers in the network to be closed,” he said.
Philip Lieberman, president of Lieberman Software, said that banks are not mandated to implement proper security, nor are there any significant legal or financial consequences for their failure to implement proper and appropriate security.
“Many purchase insurance and accept fines as better alternatives to proper security. There is also a weak culture of cyber-security in many large financial institutions as well as a lack of experience implementing contemporary threat mitigation techniques,” he told SCMagazineUK.com.
He added that banks need to move from a singular focus on regulatory compliance and broaden their view toward general security and daily operational security in cyber-space. Few banks operate full-time cyber-defence teams and security operations centres (SOCs).
“We see that credit unions and smaller institutions generally do a better job at security than their bigger counterparts. This is probably due to their greater commitment to their customers and shareholders, rather than to Wall Street investors,” he said.
Separately, BankInfosecurity is now reporting that on 21 January 2015, US$12.2 million (£8.5 million) was stolen from Banco del Austro (BDA) in Ecuador, reportedly using fraudulent SWIFT interbank messages. BDA filed a lawsuit against Wells Fargo for not flagging the transactions as suspicious, saying it noticed the fraud the same day it occurred and “promptly informed its correspondent banks.”
Wells Fargo counters that BDA's information security policies and procedures are responsible for the fraud, saying it honoured a valid request received via the SWIFT messaging system. It says hackers successfully stole and used a valid SWIFT logon from BDA and one court filing says that “for each unauthorised transfer, an unauthorised user remotely accessed BDA's computer system after hours, logged onto the SWIFT network purporting to be BDA, and redirected transactions to new beneficiaries with significant dollar amounts,” and that this unusual behaviour should have triggered warnings.