The number one mistake people make regarding technology is they don’t realise that, with smart devices, the internet can kill people.
This is a real and relevant risk to the financial services industry, too. Think about the following quote from the opening few lines on the front flap of Bruce Schneier’s latest book, Click Here to Kill Everybody:
“Everything is a computer. Ovens are computers that make things hot; refrigerators are computers that keep things cold. (…) All computers can be hacked. And Internet-connected computers are the most vulnerable. Forget data theft: cutting-edge digital attackers can now crash your car, your pacemaker, and the nation’s power grid.” [Source here]
The cover of Bruce Schneier’s new book, “Click Here To Kill Everybody”
It’s a terrifying and underrated prospect that Schneier explains. As I read, this thought-provoking book had me nodding in agreement and shaking my head in frustration.
Schneier provides a range of examples, including the US Department of Homeland Security’s remote hack of a Boeing 757 in 2017. Quite terrifying, and they made their point loud and clear. Even aeroplanes made by the most trusted of manufacturers are vulnerable.
Just imagine the risk of cyber terrorists hacking a passenger plane. It’s the apex of cyber risk. However, the financial services industry doesn’t trail far behind.
In testimony to the Treasury Committee in June 2019, Professor Anil Kashyap, Member of the Financial Policy Committee of the Bank of England, provided an eloquent analysis of such risk.
Kashyap was questioned on a quote of his that read, “I worry about cyber risks, partly because breaches are inevitable.”
The interviewer proceeded to ask what cyber threats he worries about, and how they could be a threat to financial stability. To that, Kashyap replied, “There are two types of attack we tend to think of. The one the public tends to think of is a denial of service attack where a system goes down and something goes offline and is not working… That’s the one that gets the most attention. But the one I worry about more is a data integrity breach.”
He goes on to explain what such a breach would mean, “It’s where somebody penetrates your system and does malicious things for months, let’s say. You find yourself in a situation where you have to restore a corrupt system. The act of coming back online destroys the ability to move forward.”
He likened it to one’s health, “[y]ou know you’re sick now, but you don’t know when you became sick, and you don’t know how far along you are.”
In conclusion, he added, “[w]ith data integrity, we’re in new territory...it’s just a matter of time before one of these happens on a big scale, and we’re just gonna have to find out.”
Professor Anil Kashyap
Kashyap’s fear is rational. The European Central Bank (ECB) and the Bank of England (BoE) have also taken steps to promote cyber resilience in the financial services sector, including
Beyond the continuous off-site supervision and risk assessments undertaken by the ECB, the clients we, at Reply, work with have seen an increasing number of targeted on-site inspections (OSIs), focusing on IT risk areas in general, but also on IT security and cyber risk.
Towards the end of Q2/2019, my colleagues Stephan De Prins (Avantage Reply in France), Francois Delcourt (Avantage Reply in Belgium), Paolo Fabris (Avantage Reply in Italy), Tim Falla (Glue Reply in UK), and Gwenael Gavray (Avantage Reply in Luxembourg) put on paper their collective experience dealing with IT risk in financial institutions in their five respective countries.
It is an excellent read and if, like me, you want to understand more about the expectations of the Bank of England and the European Central Bank, I wholeheartedly encourage you to read it.
You’ll find the paper here and I welcome you to read it.
Whether you work in financial services or not, you may find it a wise investment of time to understand what Schneier calls “security and survival in a hyper-connected world.”
Next week… something surprising that every shareholder, director or executive ought to know about regulatory reporting.