About the author

Derek Duggan

Managing Director | Banks

Derek Duggan is Thomas Murray’s Managing Director, Banks. He originally joined Thomas Murray in 1995 as Head of Information Services. Derek now leads the large team that delivers our banking solutions. He’s responsible for our banking line of business, including all aspects of network management, client relationship management and sales.

First published in Issue #9 of the TNF Journal in June 2022 to coincide with The Network Forum's annual meeting in London

50% of cyber attacks originate through a third party, but network management teams are not doing enough to protect their banks from high-risk providers. Ultimately, this is IT security’s responsibility, but they cannot be expected to understand the complex ecosystem of custody and post-trade counterparties. The answer? Network management and IT security need to work hand-in-hand.

There is nothing so terrifying as a risk you do not understand. For most of us, cybersecurity is one such risk. We all know the horror stories: massive data breaches, devastating financial losses, and shady new-age criminals, sometimes state-sponsored, never found. State-backed threat actors stole US$81m from the Bank of Bangladesh in 2016 in a cyber attack, and Banco de Chile took nearly two weeks to resume normal services in 2018 when ‘MBR Killer’ malware enabled attackers to transfer US$10m through the bank’s SWIFT system.

We are aware of the risks, and we know that they are growing. Cyber crime is poised to wipe approximately US$10.5tr off the global economy annually by 2025, up from US$3tr in 2015. Most financial services companies have invested heavily in building security and resilience, but financial firms are also 300 times more likely than other institutions to experience attacks.

The key statistic for attendees of The Network Forum is that almost half of cyber attacks originate through a third party. Consider what that means for a moment. Your bank may have a first-rate security team, a vast enterprise security budget, and a tightly controlled attack surface, but that is only 50% of the picture.

Due to the interconnectivity of financial markets, a bank is only as secure as its supply chain, service providers and outsourcers – every third party, in short, that it relies on to deliver services to its clients, and especially those that hold client data and assets. The spillover risk of a cyber attack on one financial institution is huge and could impact the operations of a market, or even affect a bank’s liquidity. What does this mean for network managers?

Network management teams do not need to be cyber experts. However, they do need to work closely with their banks’ IT security and cyber teams. Some network management teams have already built sophisticated working relationships with the cyber experts in their banks: network management teams escalate IT due diligence responses for validation, while the security teams provide continuous vulnerability monitoring of agent banks, CSDs, transfer agents and others.

After the infamous SolarWinds breach in late 2020 and the Log4j vulnerability discovered in late 2021, you can be sure that third-party cyber risk is firmly on IT security teams’ agenda. But while they are cyber experts, they cannot be expected to be risk experts. It is network management’s job to educate them about the real-world implications of, for example, a CSD or exchange halting operations due to ransomware, a transfer agent suffering a data breach, or an agent bank being fined or shut down by the local regulator.

Do not assume that your bank’s IT security team understands post-trade risk. Network managers need to ensure IT security will work with them to reduce the likelihood of downstream service providers, probably unknown or little understood by IT security, introducing vulnerabilities into their banks. Banks can build secure and resilient networks, but only when network management and IT security work hand-in-hand.
