Canada needs to better protect its financial data. Equifax, the company that suffered a massive data breach in 2017, is now concerned Canadians aren’t doing enough to keep their financial data secure.
The financial industry is part of Canada’s critical infrastructure; as such, cyber threats facing the sector impact both Canada’s financial sector as well as the prosperity of all Canadians. Tara Zecevic, VP of fraud prevention and identity management, Equifax, said, “It seems that complacency is setting in for some people when we actually need to be more vigilant than ever in the fight against fraud.”
The Cybersecurity Vulnerabilities of the Financial Industry:
Internet vulnerabilities from online banking and financial transfers between banks and other units. Threats include phishing, fake bank portals and imposter apps, debit and credit card capture, insecure apps for mobile devices, ransomware, delays in transfer and denial of service.
The Internet has no borders, making it hard for businesses to control where its data resides and how its communications travel. Data-rich organizations like banks are therefore susceptible to data outages, data breaches, and interruptions to communications that begin, either accidentally or purposefully, in other countries.
Security threats to the SWIFT network affect institutions around the world. The SWIFT network is a global, borderless property. SWIFT system weaknesses have been exploited to significant loss; for example, $12 million cyber-robbery from Ecuador’s Banco del Austro.
Multi-hour outages have also impacted the SWIFT network, leading banks to be unable to meet payment deadlines. During an outage, customers can not pay for products and services or transfer money.
The financial sector is vulnerable to insider actions sometimes knowingly, sometimes coerced. A report presented to The House of Commons Committee on Public Safety and National Security states that “Insiders often have inside knowledge that makes them vulnerable to coercion by outside criminals. Given that up to $2.5 trillion is laundered around the world each year, organized crime, in particular, has powerful incentives to corrupt bank employees to maintain these cross-border flows.”
Weaker cybersecurity regulations outside of Canada also impact financial institutions. Banks strive to keep data in national repositories, but this is challenging to guarantee because the institutions are frequently multinational. Therefore, financial institutions are vulnerable to breaches in jurisdictions outside of Canada with less strident laws.
Data Breaches Impacting Canadian Financial Institutions
Earlier this year, a U.S. Senate subcommittee released a critical report evaluating the 2017 Equifax Inc. data breach where criminals made off with 145 million Americans’, and 19,000 Canadians,’ financial data. The scathing report accused Equifax of failing to follow its software patching policy. In addition, vulnerability scans of their system failed to identify that the desperately needed patch for Apache Struts web framework had not been installed — partially because the IT department was unaware that a server was using a vulnerable version of Apache Struts.
The subcommittee stated that Equifax’s response to the vulnerability that enabled the breach “was inadequate and hampered by Equifax’s neglect of cybersecurity. Equifax’s shortcomings are long-standing and reflect a broader culture of complacency toward cybersecurity preparedness.” “In addition,” the report stated, “Equifax did not have basic tools in place to detect and identify changes to files, a protection which would have generated real-time alerts and detected the unauthorized changes the hackers were making.”
Equifax’s CEO said, “The fact that Equifax did not have an impenetrable information security program and suffered a breach does not mean that the company failed to take cybersecurity seriously.” He went on to say that Equifax plans to spend $1.25 billion more between now and 2020 on security and IT as a result of the breach. Equifax learned a hard lesson and is making cybersecurity a priority.
Similarly, also in 2017, Canadian banks BMO and CIBC had their security breached impacting the financial records of approximately 90,000 Canadians. These banks were not alone, statistics Canada reported that one in five Canadian companies faced a cyber attack last year. Canada had the third most cyber incidents in the world in 2018, which is remarkable considering Canada’s smaller market size.
It’s Not Just the Big Banks
More attention needs to be paid to small and medium-sized financial institutions, states a report presented to The House of Commons Committee on Public Safety and National Security. “The Canadian Cyber Threat Exchange as well as the global financial intelligence network of which the Bank of Canada is part provides critical cyber intelligence and domain awareness that shores up the resilience of Canada’s financial industry. However, that holds true only for the large banks. Many small and medium-sized players remain quite vulnerable because they do not benefit from this intelligence, yet are tied into the industry in ways that could generate cascading failures.”
The size of the financial institution is not what is important, reported The Canadian Standing Senate Committee on Banking, Trade and Commerce. “The growing global reach of financial service providers, be they major financial institutions or an Internet-based money service provider, means one weak link in the chain can import risk into the broader financial system if not well governed and coordinated.”
Every financial institution needs to ensure that it has robust cybersecurity measures in place, or the entire system is weakened.
The following are steps toward robust cybersecurity that your financial institution can take:
- Create a culture of cybersecurity in your organization – making cybersecurity a priority.
- Allocate additional cybersecurity funding.
- Partner and communicate with a cybersecurity specialist.
- Conduct a vulnerability assessment.
- Provide cyber hygiene training and cybersecurity education to all employees.
- Develop and follow a cybersecurity incident response plan.
- Conduct organization-wide cybersecurity exercises to keep staff sharp.
- Stay current on the changing threat landscape and adapt your incident response plan accordingly.
“The high degree of interconnectedness between institutions means a single attack against a financial institution could spread to the broader financial system. As a result, cyber threats have become a key vulnerability that both financial system participants and regulators will have to confront for a long time to come,” stated The Canadian Standing Senate Committee on Banking, Trade and Commerce.
Protecting financial technology and financial data is of vital importance with cyber attacks increasingly targeting financial institutions. The industry needs to respond with network fortification measures and industry-specific incident response plans.
Talk to the cybersecurity solutions specialists at ISA who have over 27-years of demonstrated industry excellence about how to protect your financial organization from a cyber attack.