Financial institutions and cyber crime – Between vulnerability and security

In the current world, financial institutions, like other companies, have become increasingly dependent on their information systems. These systems allow them to conduct business transactions (transfers, account management, withdrawals, etc.) and at the same time exercise control over the information exchanged. More and more, information is becoming the target of cyber attacks from different groups of cyber criminals. They use strategies such as social engineering (human intelligence, manipulation) or more sophisticated techniques (such as advanced persistent threats – see the case of Carbanak). 2015 was a major year for cyber security actors. The cyber crime events of that year were highly instructive for the banking sector, enabling them to adjust their defence tactics and increase their resilience. Despite the efforts of security companies and the evolution of CISOs’ (Chief Information Security Officer) strategies, cyber criminals are constantly updating their fraud methods. Security actors now have to increase their awareness of cyber crime techniques and enhance their monitoring in order to face the new threats to corporates, including those targeted at the banking sector. As observed last year, hackers have started to shift towards a strategy where they target financial institutions instead of end-users. There were many examples of attacks on point-of-sale systems and ATMs with a significant financial impact for the banks. The trend should be maintained over the coming years, with hackers increasingly trying to find breaches in stock markets and payment systems. In addition, cyber criminals are already shifting their focus to smartphones due to the growing use of smart mobile devices. On the one hand, alternative payment systems such as Apple Pay or Google Pay will push hackers to monetise fake stolen credit cards. On the other hand, the spread of transactional malwares on mobile devices is likely to increase markedly. Improving resilience is a major financial stability issue, as it is vital to prevent cyber attacks or IT failures from escalating into systemic crises. However, creating the best possible protection for financial institutions will never reduce to the risk of a cyber attack to zero. Financial institutions also need to have the best possible plans to resume their activities as quickly and efficiently as possible after a breach in their IT systems.