Академический Документы
Профессиональный Документы
Культура Документы
In the current world, financial institutions, like other companies, have become increasingly dependent on
their information systems. These systems allow them to conduct business transactions (transfers, account
management, withdrawals, etc.) and at the same time exercise control over the information exchanged.
More and more, information is becoming the target of cyber attacks from different groups of cyber
criminals. They use strategies such as social engineering (human intelligence, manipulation) or more
sophisticated techniques (such as advanced persistent threats see the case of Carbanak). 2015 was a
major year for cyber security actors. The cyber crime events of that year were highly instructive for the
banking sector, enabling them to adjust their defence tactics and increase their resilience.
Despite the efforts of security companies and the evolution of CISOs (Chief Information Security Officer)
strategies, cyber criminals are constantly updating their fraud methods. Security actors now have to
increase their awareness of cyber crime techniques and enhance their monitoring in order to face the
new threats to corporates, including those targeted at the banking sector.
As observed last year, hackers have started to shift towards a strategy where they target financial institutions
instead of end-users. There were many examples of attacks on point-of-sale systems and ATMs with a
significant financial impact for the banks. The trend should be maintained over the coming years, with
hackers increasingly trying to find breaches in stock markets and payment systems.
In addition, cyber criminals are already shifting their focus to smartphones due to the growing use of
smart mobile devices. On the one hand, alternative payment systems such as Apple Pay or Google Pay
will push hackers to monetise fake stolen credit cards. On the other hand, the spread of transactional
malwares on mobile devices is likely to increase markedly.
Improving resilience is a major financial stability issue, as it is vital to prevent cyber attacks or IT failures from
escalating into systemic crises. However, creating the best possible protection for financial institutions will
never reduce to the risk of a cyber attack to zero. Financial institutions also need to have the best possible
plans to resume their activities as quickly and efficiently as possible after a breach in their IT systems.
45
46
1| From cyberspace
to cyber security
First, why use the word cyber? The Greek
word kubernan means to guide and govern.
Yetcyberspace is to a great extent a territory without
frontiers, or at the very least appears to be without
controls and without rules. The word cyberspace was
coined in 1984 by the novelist William Gibson, one
of the leading figures of the cyberpunk movement.2
His novel Neuromancer depicts cyberspace as a
dystopian and abstract world where information
flows freely, and the lines between reality and fiction
are sometimes blurred. In real life, cyberspace is
where dematerialised flows are stored and traded
(Chawki, 2006). John Perry Barlow, the founder of
the Electronic Frontier Foundation, went so far as to
issue the following Declaration of the Independence
of Cyberspace in February 1996: Governments of the
Industrial World, you weary giants of flesh and steel, I
come from Cyberspace, the new home of Mind. On behalf
of the future, I ask you of the past to leave us alone. You
are not welcome among us. You have no sovereignty
where we gather.
In this sense, cyberspace is a kind of utopia, without
government and without controls. But cyber crime
also thrives in cyberspace. Indeed, it is clear that
cyberspace is used by all sorts of criminals for all
sorts of purposes, and even if it is not without rules,
it is extremely difficult to control it, to track down
criminals and to impose sanctions. Moreover, the issues
related to cyberspace cannot always be adequately
understood and tackled at national (i.e.State) level.
APT: advanced persistent threat (a network attack in which an unauthorised person gains access to a network and stays hidden and undetected for a long period
of time, monitoring the network and/or stealing data.
Cyberpunk is a current of science fiction set in a near future, in a highly technologically advanced world.
47
3
4
48
IBM (2015).
Vormetric (2015).
Examples : http://www.dailymotion.com/fbffrance
https://static.societegenerale.fr/ent/ENT/Repertoire_par_type_de_contenus/Types_de_contenus/01-Pages/00-perennes/espace_securite/commun_
pdf/ingenierie-sociale.pdf
Different public administrations make awareness for companies (Intelligence service, police, Gendarmerie nationale, etc.).
49
6
7
8
9
50
4| Going further:
ensuring financial stability
in the face of cyber crime
At the international level, cyber crime has been
taken on board by the Committee on Payments and
Market Infrastructures (CPMI) and a first report
was published for consultation in November 2015.7
Market infrastructures are critical to the functioning
of the financial system and could generate significant
systemic consequences if they were affected
bycyberattacks.
The work on financial institutions and banks
in particular, is not as advanced. The Financial
Stability Board has identified and regularly updates
a list of global systemically important banks (so
called G-SIBs)8 and a list of global systemically
important insurers (G-SIIs).9 A list of non-bank
non-insurance systemic financial institutions is
also currently being considered. The financial
http://www.kaspersky.com/about/news/virus/2015/Carbanak-cybergang-steals-1-bn-USD-from-100-financial-institutions-worldwide
https://www.bis.org/cpmi/publ/d138.htm
www.fsb.org/wp-content/uploads/2015-update-of-list-of-global-systemically-important-banks-G-SIBs.pdf
http://www.fsb.org/2015/11/2015-update-of-list-of-global-systemically-important-insurers-g-siis/
Conclusion
In the real world, financial institutions are increasingly
shifting their operations to cyberspace, and this
new world reflects todays society. No country, no
company, no organisation, no financial institution,
no one can escape this reality. And, as in the world
around us, there are criminals lurking in cyberspace.
Just as a sovereign state is required to protect its
territory and guarantee the security of its residents,
so an entrepreneur must protect his/her company by
taking the necessary steps to defend its information
systems and make them resilient to cyber attacks.
Financial institutions are no exception to this
rule. Cyber attacks against financial institutions
generally take advantage of a mix of technical and
human vulnerabilities. Most financial activities are
dematerialised but carried out by human beings.
And humans use computers, smartphones, social
networks, etc. and the internal information systems
of their employers. In addition to the technical
aspects of cyber attacks, there are human frailties.
The need for sensitive information in order to launch
a technical attack involves human intelligence. Both
are intimately linked.
Fighting cyber crime requires the involvement of
all financial institutions. This means organising
awareness campaigns for employees and management
staff, so that they can detect suspicious activities. The
dissemination of information and good practices
on cyber security is crucial. In this regard, we can
highlight a number of government initiatives. 10
Financial institutions are taking steps in the same
direction. For example, clubs such as Luxembourg
for Finance organise conferences on digitalisation,
financial technology and security. There is a real
awareness of the issues at stake, but more can still
be done. In particular, putting human beings back
at the centre of things and keeping them there is
absolutely crucial. At international level, more work
is needed to coordinate efforts towards resilience.
10 France: http://www.ssi.gouv.fr/uploads/IMG/pdf/guide_hygiene_informatique_anssi.pdf
Belgium: http://vbo-feb.be/fr-be/Publications/Telechargeable-gratuitement-/Belgian-Cyber-Security-Guide/
Netherlands: http://english.nctv.nl/Images/cybersecurityassessmentnetherlands_tcm92-520108.pdf?cp=92&cs=65035
51
References
Carter (D. L.) (1992)
Computer crime categories: How techno-criminals
operate, FBI Law enforcement Bulletin.
Chawki (M.) (2006)
Essais sur la notion de cybercriminalit, IEHEI, July.
De Villenfagne (F.) and Dussollier (S.) (2001)
La Belgique sort enfin ses armes contre la cybercriminalit:
propos de la loi du 28 novembre 2000 sur la criminalit
informatique, Auteur & Mdia, No.1.
IBM (2015)
Security Trusteer Report.
52