On the defensive

On the defensive

Features Regulation In Depth

On the morning of May 24, nearly 500 servers and more than 9,000 workstations stopped working at Banco de Chile’s branches across the country. Something that appeared to be a virus crashed infected computers, leaving them in an unbootable state. Chaos ensued. Bank employees saw that the malware was corrupting the Master Boot Records, or MBRs, on the hard drives of branch computers, but online and phone banking systems were not affected. The MBR killer’s only goal appeared to be wiping out the hard drives of the computers it infected.

What bank technicians didn’t immediately realize was that the wiper malware was just a cover for the real attack. While IT crews scrambled to stop the spread of the virus and fix servers in hundreds of branches, cyber attackers infiltrated Banco de Chile’s SWIFT international money transfer system and siphoned off $10 million of its assets. Most of the transfers ended up in accounts in Hong Kong.

Fearing a reputation disaster and possibly a bank run, management at Chile’s second-largest commercial bank said its systems had been hit by a virus that took down servers but didn’t reach client accounts, according to a statement following the attack.

The dark side of innovation

CEO Eduardo Ebensperger later admitted that the MBR-killing virus had been deployed as a distraction and that $10 million of the bank’s funds had vanished.

The fintech revolution is creating innovative tools for financial transactions across Latin America, integrating hundreds of thousands of previously underbanked clients into online networks through mobile payments, digital wallets, cryptocurrencies, crowdfunding and alternative lending.

The downside: new technology also opens up new channels for cyberattacks. Foreign groups from Asia and Eastern Europe that didn’t target the region before have become active in the past few years, either working alone or in conjunction with local groups.

The most publicized incidents have happened at traditional banks. The Banco de Chile cyber heist is a recent example of a new technique used in the region: malware deployed as a cover for an attack that takes advantage of vulnerabilities on the bank’s end in the SWIFT system.

Despite the pickup in the number of incidents, Latin America’s financial sector is still not doing enough to protect itself against the threat of cyberattacks. For most institutions, cybersecurity remains an information technology issue rather than a C-suite priority. Digital security preparedness and cyber governance are usually assigned to just one department in an organization instead of a goal owned by the entire business.

What’s more, regional cooperation among players is minimal and institutions hesitate to share information about incidents for fear of punishment by market authorities and regulatory agencies. The labor force is severely unprepared and lacks the necessary skills for even the most basic cybersecurity jobs. Budgets dedicated to detection and protection against attacks are often woefully inadequate.

"There is a big need for collaboration and for more investment in cybersecurity infrastructure and human resources," says Belisario Contreras, manager of the cybersecurity program at the Organization of American States. " We need to recognize that these criminal groups are working together. They are getting stronger and more sophisticated, so we also need to work together to combat these threats."

Three proactive approaches

Most countries in the region still don’t see the benefits of collaboration and have zero regulation to deal with cybercrime. But a few of the more mature economies have been working on regulation and intelligence-sharing mechanisms.

Earlier this year, Brazil’s National Monetary Council issued a resolution establishing new cybersecurity requirements covering institutions regulated by the Central Bank. The resolution requires financial institutions to establish cybersecurity policies by May 6, 2019, and fully comply with the regulation by the end of 2021. The new rules also cover third-party service providers that contract with institutions regulated by the Central Bank, including those located outside of Brazil. 

The Central Bank in August introduced regulation for the dozens of Brazilian fintech companies. Within this new regulatory framework, fintechs must disclose any security breach or incident to peers and to the Central Bank.

The banking association FEBRABAN has been working for the past few years on collaboration agreements with law enforcement in Brazil to combat bank fraud and is working to boost cybercrime intelligence sharing among its members. 

In Mexico, an epic cyberattack this spring on the country’s main payment systems led Banxico, the central bank, to step up cybersecurity efforts. Hackers tapped into the Sistema de Pagos Electrónicos Interbancarios, or SPEI, the interbank electronic transfer system, stealing around 300 million pesos ($15.3 million) from five banks, including Banorte, Mexico’s second-largest bank. The cybercriminals created phantom orders that caused SPEI to wire funds from legitimate accounts to fake accounts in other institutions. The money was promptly taken out, often with the help of accomplices who withdrew the funds at branches or ATMs in dozens of locations. 

Mexican authorities, including the attorney general and central bank, formed an Immediate Response Group to coordinate faster action and share information on incidents. Banxico quickly moved to create a cybersecurity unit to design and issue guidelines on information security for the country’s banks.

Colombia has tackled cybersecurity through revisions to current legislation. The country has also entered cooperation agreements with international institutions, such as the Budapest Convention on Cybercrime, the first international treaty on online crime, which particularly deals with copyright infringement, online fraud, child pornography and violations of network security.

But overall in Latin America, financial institutions tend to see themselves as competitors. Simply put, sharing intelligence on cybercrime remains unthinkable for most players, says Julian Dana, director for Latin America at Mandiant Security Consulting Services, which provides incident response and general cybersecurity consulting.

In the United States, the Financial Services Information Sharing and Analysis Center, a resource for cyber threat intelligence analysis and sharing was created by and for members and operates as a member-owned non-profit entity. There is nothing of the kind in Latin American countries.

At the corporate level, the culture is slowly changing, and more companies now have a Chief Information and Security Officer with a strategic role to ensure information assets are adequately protected. "But in most organizations, these leaders are still low on the hierarchical chain. And in many countries in the region, the culture and the attitude is still that the IT guys are the ones responsible for security," Dana says. 

This attitude is also seen at business associations which should be leading the way in changing this culture, said William Beer, principal advisor specializing in cybersecurity at Ernst & Young.

"Business associations don’t really see cybersecurity as a corporate risk or a corporate governance issue," he said

In a recent report titled "The State of Cyber Security in the Banking Sector in Latin America and the Caribbean," the Organization of American States (OAS) shows that cybersecurity is still largely relegated to the information technology department, the leader of which is at least two levels down on the hierarchical ladder from the CEO.

And companies are still not investing enough.

Most respondents to the OAS survey of 191 financial institutions said convincing the company’s top management to invest in digital security solutions was "moderately complex." And overall, the financial sector in Latin America is still not investing in cutting-edge technology to detect and prevent cyberattacks, spending most of the digital security budget in more basic firewall protection.

As a group, the LatAm financial sector, is spending more on recovering from incidents than investing in attack prevention. The study also showed that the total cost of responding to and recovering from digital security incidents for an average bank in the region represents approximately 1.52% of the EBITDA of the preceding year, equivalent to $1.9 million per year. Some 61% of respondents in the OAS survey said their security budget was less than 1% of EBITDA.

In total, according to OAS, banks in Latin America spent about $809 million for digital security incident response and recovery in 2017.

To be sure, the security problems aren’t new, although they are growing faster than bank resources. About two years ago the Inter-American Development Bank (IDB) and OAS asked this question about cybersecurity: “Are We Ready in Latin America and the Caribbean?” The conclusion of their report was essentially "No." It raised an alarm about the extreme vulnerability of Latin America’s online systems as the digital revolution powered ahead.

Four in five nations did not have cybersecurity strategies or plans for protecting critical infrastructure. Two in three lacked any sort of control center for cybersecurity crises. Enforcement of laws against cyberattacks was weak across the board.

According to that report, the cost of cybercrime in Latin America and the Caribbean was estimated to be close to $90 billion a year. Yet 80% of countries in the region did not have cybersecurity strategies.

Working together as a community will help boost resiliency and reduce costs for all players, EY’s Beer said.

"We are going to have to come together as a community to address these tough problems," Beer said. "What we are talking about and here is where I really see a challenge in Latin America is building trust and confidence (among players in the financial sector)."

An IMF staff modeling exercise showed the average annual losses from cyberattacks could reach US$ 100 billion, or 9% of banks’ net income globally.

"In a severe scenario—in which the frequency of cyber-attacks would be twice as high as in the past with greater contagion— losses could be 2½–3½ times as high as this, or US$270 billion to US$350 billion," IMF Chief Christine Lagarde wrote in June.

On a more technical level, the delay in the detection of attacks remains a major issue. Dwell times, or the number of days from the first evidence that an attack on a network is underway before it is detected, vary widely from region to region. According to Mandiant’s M-Trends 2018 report, the global median dwell time was 101 days last year, compared with 99 days in 2016. In the Americas, the median dwell time fell to 75.5 days in 2017 from 99 days in the previous year. That survey includes several economic sectors and not just financial companies. 

A more united front

The good news is that organizations across the globe are increasingly identifying attacker activity on their own rather than being notified by an outside source. That’s an indication of a more proactive attitude when dealing with cyber threats.

Globally, financial sector players are upping their game and cooperating more. Some of the world’s biggest institutions have joined forces to design cybersecurity standards for fintechs and data aggregators. Several of these new financial companies have partnered with large banks, and the concern is that attackers will use the fintech’s channels to access big banks’ data and funds. 

The World Economic Forum (WEF) announced in March the creation of a consortium including Citigroup, Zurich Insurance Group, fintech lender Kabbage, information technology company Hewlett Packard Enterprise, and financial infrastructure provider The Depository Trust & Clearing Corporation (DTCC). "Its aim is to create a framework for the assessment of cybersecurity in financial technology," according to WEF.

“Cyber risk is the No. 1 threat to the financial services industry and its infrastructure, so it is critically important that we work together to share insights and drive best practice,” said Michael C. Bodson, CEO of DTCC, USA, in a statement. “This initiative will further strengthen cyber resilience and foster greater collaboration with our colleagues across the public and private sectors globally.”

Latin America must think more progressively about collaboration and realize that an attack on one player is an attack on the entire system, Mandiant’s Dana agrees.

Latin American players also need to boost investments in education to prepare a more skilled labor force. Over the next four years, the number of unfilled cybersecurity jobs will rise to an estimated 1.8 million, a 20% increase from 2015, according to a survey by the International Information System Security Certification Consortium, a non-profit organization that specializes in training and certifications for cybersecurity professionals.

"Countries must consider cybersecurity as a top strategic matter on the regulatory level, but also in terms of education," Contreras says. "We can’t let the threat of cybercrime hinder the progress we’ve been making in the digital revolution in Latin America."