Do bank network managers need to be cyber experts?

First published in Issue #9 of the TNF Journal in June 2022 to coincide with The Network Forum's annual meeting in London

50% of cyber-attacks originate through a third party, but Network Management teams are not doing enough to protect their banks from high-risk providers. Ultimately, this is IT Security’s responsibility, but they cannot be expected to understand the complex ecosystem of custody and post trade counterparties. The answer? Network Management and IT Security need to work hand-in-hand.

There is nothing so terrifying as a risk you do not understand. For most of us, cyber security is one such risk. We all know the horror stories: massive data breaches, crippling financial losses, and shady new-age criminals, sometimes state-sponsored, never found. $81 million was stolen from the Bank of Bangladesh in 2016 following a cyber-attack, and Banco de Chile took nearly two weeks to resume normal services in 2018 when ‘MBR Killer’ malware enabled attackers to transfer $10 million through the bank’s SWIFT system.

We are aware of the risks, and we know that they are growing. Cyber-crime is poised to wipe approximately $10.5 trillion off the global economy annually by 2025, up from $3 trillion in 2015. Most Financial Services companies have invested heavily in building security and resilience, but financial firms are also 300 times more likely than other institutions to experience attacks.

The key statistic, for attendees of The Network Forum, is that almost half of cyber-attacks originate through a third party. Consider what that means for a moment. Your bank may have a first-rate security team, a vast Enterprise Security budget and a tightly controlled attack surface, but that is only 50% of the picture.

Due to the interconnectivity of financial markets, a bank is only as secure as its supply chain, service providers and outsourcers – every third party, in short, that it relies on to deliver services to its clients, and especially those that hold client data and assets. The spillover risk of a cyber-attack on one financial institution is huge and could impact the operations of a market or even affect a bank’s liquidity. What does this mean for Network Managers?

Network Management teams do not need to be cyber experts. However, they do need to work closely with their banks’ IT Security and cyber teams. Some Network Management teams have already built sophisticated working relationships with the cyber experts in their banks: Network Management teams escalate IT due diligence responses for validation, whilst the Security teams provide continuous vulnerability monitoring of agent banks, CSDs, transfer agents and others.

After the infamous SolarWinds breach in late 2020 and the Log4J vulnerability discovered in late 2021, you can be sure that third-party cyber risk is firmly on IT Security teams’ agenda. But while they are cyber experts, they cannot be expected to be risk experts. It is Network Management’s job to educate them about the real-world implications of, for example, a CSD or Exchange halting operations due to Ransomware, a transfer agent suffering a data breach, or an agent bank being fined or shut down by the local regulator.

Do not assume that your bank’s IT Security team understands post-trade risk. Network Managers need to ensure IT Security work with them to reduce the likelihood of downstream service providers, probably unknown or ill-understood by IT Security, introducing vulnerabilities into their banks. Banks can build secure and resilient networks, but only when Network Management and IT Security work hand-in-hand.