It's good to talk, UK banks told after massaging cyberattack figures

Top techies at British banks are being encouraged to share information about cyberattacks following revelations that the financial sector is under-reporting breaches to regulators.

According to the UK's Financial Conduct Authority, only five attacks were reported in 2014, a figure that has soared to 75 so far this year. But the numbers fail to give the full picture. US regulations oblige banks to disclose breaches, and reporting is more consistent as a result. In the UK, only breaches that have a material impact need be revealed – something open to interpretation.

Jacob Ginsberg, senior director at Echoworx, argued that the EU’s General Data Protection Regulation (GDPR) directive, which comes into force before Brexit, will remove banks’ ability to keep quiet about some security problems.

“Articles 31 and 32 of the GDPR would bring EU regulation more in line with US banking regulation, with forced disclosures shoving these conversations out into the open, hopefully to everyone’s benefit,” said Ginsberg, who argues banks could benefit from increased openness and sharing about security problems.

“Hackers communicate with each other, they share tools and are constantly learning. With banks unwilling to disclose the attacks they’ve come under, we are missing out on the opportunity to collaborate and learn about what is and isn’t working, which would help us gain useful insights. In fact, many bank security officers would prefer attacks to be more openly discussed, as they see the obvious value."

A security supplier who declined to be named told Reuters: "Banks are dramatically under-reporting attacks, they do what's legally required but out of embarrassment or fear of punishment they aren't giving the whole picture."

Attacks on banks linked through the SWIFT banking messaging system have increased concerns about the resilience of UK financial institutions even though hackers seem to be concentrating on attacking banks in the developing world.

Mark James, security specialist at ESET, expressed some sympathy for the dilemma banks face. “Financial organisations suffer cyberattacks on a daily basis,” he said. “Reporting every one of those attempts would indeed clog systems with lots of unnecessary information.

“However, the problem of course is perceived security, as more and more breaches happen and more malware is being used to target financial systems, then the damage caused when things go wrong can be so great decisions will be made to keep it quiet.”

Troels Oerting, group chief information security officer at Barclays and former head of Europol's Cyber Crime Unit, told Reuters that Barclays shares all its relevant information on attacks with regulators.

Banks' sharing of information with authorities has improved over recent years, he added. ESET’s James agreed that sharing information – something senior techies at merchant banks have practiced informally for years – is key to staying ahead of the growing number of threats financial services firms face.

“Sharing information enables better defences,” James explained. "It provides authorities and regulators a better understanding of the wider picture and should help investment in the correct placement of funds to combat future attacks. In addition to this, the public have a right to know what a company is doing regarding security and privacy, because only then can they make an informed decision based on facts.”®