top of page

Cybersecurity is the biggest technology risk for banks

Cyber security is the biggest IT risk faced by banks today. According to recent surveys, cyber security issues rank at the top among the risks and facing Global Systemically Important Financial Institutions (G-SIFIs). The trend over the past few years confirms this, with three major cyber-attacks on banks becoming public.

In two of these attacks, banks lost about $100 million each. This made people worry about how safe banks' digital networks are. The hackers found vulnerabilities in the systems that connect banks to the big SWIFT network, which lots of banks use to move money around the world.

According to recent surveys, cyber security issues rank at the top among the risks and facing G-SIFIs.

In January 2015, Banco del Austro (BDA) in Ecuador was attacked. The attack lasted for 10 days and caused the bank to lose $12 million. When the bank looked into it, they found that some transactions had strange things in them that should have made the employees worry. But the bank didn't tell anyone about the attack for 15 months, probably because they didn't want to hurt their reputation.

In December 2015, hackers attempted to use fraudulent SWIFT messages to transfer over EUR 1 million from Vietnam's Tien Phong Bank (TP Bank), but the bank was able to stop the attack. The attackers sent fraudulent messages through an outside vendor who connected the bank to the SWIFT messaging system.

In February 2016, hackers stole $101 million from Bangladesh Central Bank. They did this by making malware that stopped the system from checking money transfers. This malware is hard to find, and it can take up to 146 days for a company to realize they've been hacked with this kind of malware.

All three banks were attacked in similar ways, where the attackers obtained valid credentials of SWIFT operators unlawfully and initiated transactions by sending fraudulent SWIFT messages on behalf of these operators. The banking community should uncover new unforeseen attack patterns to prevent further attacks.

Real-time alert database

Banks are often unaware of cyber threats due to the lack of a sophisticated threat intelligence scheme. To address this issue, the European Central Bank (ECB) has been collecting data on significant cyber incidents at the largest 18 banks in the Eurozone since February 2016.

The goal of this initiative is to develop an early monitoring, warning and analysis system for banks by spotting patterns and warning other banks of emerging threats. During the pilot phase, the ECB is using the information collected to create a database to register incidents that present serious security dangers.

Once this pilot phase is completed, the cyber database will be rolled out to the 129 banks that the ECB directly supervises. Furthermore, the ECB plans to share the information it collects with other central banks, including the US Federal Reserve and the Bank of England, through regular meetings with fellow regulators.

Cyber Stress testing

Many banks presently do not carry out advanced cyber-attack simulations to test the cyber-risk of their systems. ECB officials are investigating the Bank of England's (BoE) initiative of conducting "ethical hacking" exercises to stress test the cyber defenses of the UK's major banks. The BoE has also been working with US regulators to perform transatlantic cyber exercises that simulate the impact of a large-scale attack on the financial system.

Guidelines and best practices

There are many frameworks, standards, and guidelines that exist to improve cyber risk management. However, there may be overlaps, gaps, or discrepancies between them. Efforts are being made to harmonize existing guidelines, such as:

- The FFIEC has issued several Information Security booklets, which provide uniform principles, standards, and recommendations.

- On June 21, 2013, the Monetary Authority of Singapore gave out Technology Risk Management Guidelines (TRMG). These guidelines were made to help financial institutions get better at managing and securing their technology and dealing with risks.

- In June 2003, the Monetary Authority of Hong Kong added a new part to the Supervisory Policy Manual. It's called "General Principles for Technology Risk Management." This part helps financial institutions by giving them advice on the main things they should think about when managing risks related to technology and cybersecurity.

- The European Central Bank (ECB) is creating rules and sharing tips to help banks keep their information safe. Both banks and governments really like this idea. They believe that having a special rule just for Europe would make sure that cyber risks are watched and managed better, along with security practices.


◼ Click here to learn more about the training we offer:

◼ Click here to learn more about the training for cyber security managers:


Join our WhatsApp group to connect with experts, share insights, and stay updated on the latest trends.

Let's secure the digital world together!


bottom of page