2019/04/04 12:00:00 GMT+2


Today, countries around the world are exposed to the risk of cyber-attacks. Martin Clements, Senior Advisor to Credit Suisse Group on Digital Technology and Cyber Risk, explains how banks are affected and which steps they can take to combat cyber-crime.

Insight: Cyber security and cyber risks are a huge topic – in banking and elsewhere. How is Switzerland exposed to these threats?

Martin Clements: Today, the risk of cyber-attacks concerns all countries – whether they are launched by groups of individuals for criminal purposes or by states that have a different agenda. When it comes to cyber-threats, there are no borders. That said, I don’t believe Switzerland and its companies are usually the main targets of malicious cyber activity. This may be due to the fact that the country tends to avoid becoming involved in international tensions and disputes. It is also important to bear in mind that a lot of the harm caused by cyber-attacks is actually collateral damage, when unintended targets are hit.

These threats have been there for some time now. Have banks paid enough attention?

Several aspects are new. First: the speed at which cyber-attacks can now spread around the world has increased, in particular when a novel technique or variant is involved. The second is the greater risk to the general infrastructure in the banking sector. Cyber-attacks can, of course, be directed specifically at individual institutions but they can also target the very cement that holds the entire system together. Third, attacks can now focus on providers of services to multiple banks. This means that a single, successful attack has the potential to harm not just one but a number of banks simultaneously. The fourth and final aspect that has changed is the increased involvement of certain nation states that appear to be supporting the development of new cyber techniques for malicious purposes.

Can you give an example of a cyber-attack and its possible consequences?

Let’s start with what I would describe as an indiscriminate attack that reveals weaknesses in basic controls – where software has not been kept up to date, for example. This was the case with the 2017 NotPetya attacks. Many companies were impacted because they had not installed the latest patches. This particular incident caused enormous reputational harm and resulted in financial losses around the world.
Next, there is the attack on an individual company that has a specific hole in its defenses – such as the attack on the UK-based communications provider TalkTalk in 2015. That incident cost the company tens of millions of pounds. Finally, there are the constant attacks on clients of banks involving online or cyber fraud. In all these cases some form of social engineering is used to persuade them to make a payment they should not. This appears to be the kind of attack that causes the greatest financial losses overall, even if it is often less dramatic than the other examples I mentioned.

Is there such a thing as a cyber MCA (maximum credible accident)? If so, what can we do about it?

It is an interesting idea to apply the MCA concept, or a design-basis event, in the cyber context. I think the worst type of event that could affect a bank anywhere in the world is an incident that combines a cyber-attack with internal misconduct. In such circumstances, the in-built resilience of an enterprise’s technology systems and the effectiveness of its internal controls would really be put to the test. I believe that it should be possible to integrate sufficient control mechanisms into a system to enable it to survive a credible worst case scenario. However, we have already seen more than one renowned global business crippled by a cyber event. In the cases I am thinking of, that could probably have been avoided.

Can a banking association (e.g. SBA or BBA) contribute to combating cyber risks?

Yes, they can. Cyber security is a subject where there is no real competitive advantage in going it alone. The truth is that everyone’s interests are so interconnected nowadays that close cooperation in the sector benefits everyone. Industry associations can help by organizing and overseeing that cooperation. That includes defining and promoting best practice, lobbying government on the subject of cyber security, organizing training and information events for the sector, and encouraging companies to expand their expertise.

Do you see a need for increased collaboration among banks?

Yes, I see scope for greater collaboration. The management of individual incidents is a key example. If banks rapidly share information about threats, this benefits all the players in the sector. Banks in other countries find peer-to-peer support most effective – whether it is a case of rapidly sharing tactical information about emerging threats or pooling technical or more strategic information over time. Equally, if banks identify systemic issues they can solve collectively, they are greatly reducing their own risks.

The Swiss federal government has recently decided to strengthen military and civil cyber defenses. What steps do you expect the government and the authorities to take in order to combat cyber-crime?

Action to manage cyber risks is needed at all levels: from individual firms to sectors within a single country, as well as across industries internationally and between states. Individual states must protect their national infrastructure and develop and enforce national strategies and standards. They can also provide important advice about risks, such as advance warnings of new threats – especially those from other nation states. Naturally, Switzerland cannot do this alone. A key role of national authorities is to ensure they contribute to and benefit from partnerships with their counterparts in other countries.

What do you consider to be the most important success factors in the fight against cyber-crime?

Getting the fundamentals right. There are highly sophisticated cyber criminals out there. The truth is, however, that most harm is caused by basic cyber-attacks that succeed because some fundamental aspect of an organization’s cyber defenses is inadequate. Cyber security is not just about technology. Employee education is a critical requirement. Most attacks still begin with a member of staff inadvertently clicking on a malicious link or file. I would urge all businesses to keep refreshing their training and to monitor whether the workforce is acting with the necessary vigilance.

And finally: Having learned how dangerous cyber risks are, do you think living offline would be a better option?

Believe it or not, a large proportion of the world’s population is still offline – and much the worse off as a result. It is important to remember that while cyber-threats pose a continued risk to business, they are eclipsed by the vast benefits that digitization has brought to the world. If you asked the three billion people without proper Internet access what they wanted, I suspect almost all of them would give a great deal to go online, irrespective of the risks involved. The cyber world represents the future.

Martin Clements had a long career with the British Government, retiring in 2016 as Director General for Technology and Transformation at the UK’s Foreign and Commonwealth Office. His brief there included the management of cyber risk, and he now has a portfolio of non-executive and advisory responsibilities in the field of technology and its associated risks. Martin is a senior adviser to the Alan Turing Institute (the UK’s national institute for data science and artificial intelligence) as well as to Credit Suisse Group on Digital Technology and Cyber Risk.