A ransomware attack on ICBC, China’s largest bank, in November disrupted trades in the US Treasury market © Dzmitry Kliapitski/Alamy

When the New York arm of China’s largest bank was hit by a ransomware attack in November, disrupting the $25tn US Treasury bond market, it proposed sending a runner across Manhattan to US bank BNY Mellon armed with a USB stick of data to help settle trades.

For an industry that has long been known as one of the most resilient, well-resourced and highly regulated in terms of cyber security, the hacking of ICBC revealed the alarming fragility of interconnected financial systems — and the lack of sophisticated contingency planning for a crisis.

And it was not the only big cyber attack to hit the sector in 2023. Dublin-based technology group Ion Markets was also targeted by ransomware earlier that year, which knocked out parts of the financial plumbing that underlies the vast derivatives trading industry — forcing customers, at one point, to revert to old-fashioned paper ledgers.

According to a recent Bank of England survey of UK market participants, the risk of such attacks is now deemed the number one systemic risk to the financial system.

“The financial sector is grappling with an escalating onslaught from cybercriminals,” says Tris Morgan, managing director of security at telecoms group BT. His company’s data reveals, on average, “more than 46mn signals of potential cyber attacks every day, worldwide” — with banking emerging as the most vulnerable industry.

Hackers target financial groups not just in an attempt to steal funds directly, but also to extract troves of highly sensitive personal information to then employ for further attacks, or to threaten to leak, as an extortion tactic.

According to Steve Stone, head of Rubrik Zero Labs at security group Rubrik, financial services organisations already hold 20 per cent more data than those in other sectors. “More data means a larger surface area to target and more potential blind spots for [chief information security officers],” he says. “It is typically at the fringes where visibility is at its lowest and where gaps in security lie.”

Indeed, experts note a shift by increasingly bold cyber criminals from selling card data on underground marketplaces to deploying ransomware — which is becoming easier in an era of generative artificial intelligence and off-the-shelf tool kits. In 2023, the number of ransomware attacks in the finance industry surged by 64 per cent, and was nearly double the 2021 level, according to Sophos, a cyber security company.

Luke McNamara, deputy chief analyst at Mandiant Intelligence, Google Cloud’s cyber security business, adds that “entities within the financial sector” can also be a target for “espionage actors”, such as nation states, because they play a role in “politically sensitive functions, such as sanctions enforcement and compliance, or financing of high-profile or controversial projects”.

The stakes are high. According to Philippe Thomas, chief executive of tech due diligence and audit tech group Vaultinum, hacks could lead to financial loss, disruption to a country’s financial infrastructure, and even threats to political stability “as confidence in financial markets is essential for global economic health”.

In October, Lloyd’s of London warned that a significant cyber attack on a global payments system could cost the world economy $3.5tn.

Beyond bank runs and instability, in a market where customer trust and confidence is vital, “a cyber breach can trigger immediate financial and reputational damage for fintech vendors themselves but also for the banks and brokers that rely on their software to trade clients’ money on public exchanges,” adds Thomas.

So where are the vulnerabilities? In a 2023 KPMG survey of 142 banking CEOs, only 54 per cent said they were “well-prepared” for a cyber attack, with those feeling underprepared blaming the increasing sophistication of attackers, talent shortages and a lack of investment in cyber defence. However, some expressed a hope that nascent generative AI technology could help bolster their cyber response.

This general lack of preparedness extends to monetary plumbing.

A 2023 IMF survey of 51 countries found that 56 per cent of the central banks or supervisory authorities do not have a national cyber strategy for the financial sector, and 64 per cent do not mandate testing and exercising cyber security measures.

There is a consensus that financial services organisations need to invest in cyber attack simulations, stress testing, contingency planning, and crisis response. Stone says that, to mitigate risks, they need to “assess their data holdings, look at their operational risk management and consider their operational resilience to set them in the best stead for battling threats.”

Experts also say that industry-wide collaboration and increased regulatory harmonisation will be vital for survival. “Today, there is a lot of emphasis on intelligence gathering and sharing, to keep pace with the new tactics and techniques being utilised by threat actors,” says Jim Simpson, director of threat intelligence at cyber company Searchlight Cyber. He points to the intelligence sharing initiatives being led by cyber-focused non-profit FS-ISAC.

But the responsibility for cyber security cannot stop there. Others emphasise the importance of addressing weaknesses all along the supply chain.

“Rapid technological adoption, like cloud services and mobile banking, coupled with increased reliance on external vendors, introduces new vulnerabilities and amplifies systemic risks due to the concentration in essential technology and service sectors,” cautions Thomas.

“This calls for higher scrutiny from clients of these third-party software providers.”

Copyright The Financial Times Limited 2024. All rights reserved.