We aren't prepared for the next wave of cybersecurity risks

The traditional way regulators motivate the financial industry is by seeking consensus among the constituents on best practices, but that is too backward looking. The cyber risk threats of today pale in comparison to the cyber risks to come.

Immediate investment is needed even though the payoff is perhaps a decade or more into the future. The collective action problem that always rears its head in the competitive financial industry must stand aside to protect our national treasure — our global financial system — from cyber attacks. Our government must lead the way.

ADVERTISEMENT

Financial industry cyber threats have become a real concern to all financial institutions. The World Economic Forum’s Global Risks Perception Survey (GRPS) lists data fraud or theft and cyber attacks among the top five most likely risk events, after environmental risks. Data fraud and disruptive cyber attacks are manmade and technology driven.

Technology continues to play a profound role in shaping the financial risk landscape. In 2018, there were massive data breaches, new hardware weaknesses exposed and research that pointed to the potential uses of artificial intelligence to engineer more devastating cyber attacks.

A large majority of respondents in the World Economic survey expected increased risk in 2019 of cyber attacks leading to theft of money and data (82 percent) and disruption of operations (80 percent).

5G mobile network technology is currently being rolled out. Once adopted, far more devices will be connected to the internet. This will lead to a massive increase in data collection by businesses, causing cybersecurity risks to multiply.

Add to this the concerns of cyber risks from the advent of quantum computing, a game-changing computer technology that will have an immense impact on current methods of cryptography that underlie all cybersecurity.

Data on cyber risk is notoriously scarce since there is no common standard to record it, and firms have no incentive to report risks. For example, in the U.K., only 49 cyber attacks were reported in 2017 to U.K. financial authorities, pointing to significant under-reporting of successful cyber attacks in the financial sector. 

In the U.S, in 2018 the Securities and Exchange Commission clarified disclosure of cyber risk for listed firms. Among the 4,000 annual reports published in 2017, only 7 percent included a reference to cyber risk, mainly in the finance and services sectors. 

Overall, financial institutions in more than 50 countries have been victims of cyber attacks. Banks account for the bulk of the attacks (91 percent), followed by insurance companies (7 percent). Among banks, retail banking activities (39 percent) and credit cards services (25 percent) were the main business lines targeted.

The World Economic Forum’s Global Risks Perception Survey cites further evidence that cyber attacks pose risks to critical infrastructure. This, the report states, prompted countries to strengthen their screening of cross-border partnerships on national security grounds.

For example, China’s cybersecurity law presents a significant challenge for other countries. It requires them to store sensitive data in China and to favor Chinese network equipment over foreign ones.

As a result, U.S. firms operating in China, whether American technology firms or banks, have to keep their networks’ data in China and in many cases have to source servers, routers and other equipment and products from Chinese suppliers. Companies found in violation could have their business permits and licenses revoked.

Now a new threat looms. Born out of the quantum physics world, quantum computers possess traits and abilities that both defy logic and inspire the imagination. It appears that quantum computers will eventually be able to solve some of the mathematical problems previously thought to be unsolvable, including crypto code breaking.

The advent of the quantum computer poses a serious threat since most encryption in practice today is dependent on unsolvable mathematical problems based on today’s computers’ computational capacities.

Today, computer-driven encryption is thought to be so secure that a classical computer is estimated to take 6 quadrillion years to break current key encryption codes. However, some researchers estimate a large quantum computer could break the code in minutes.

Cybersecurity threats from quantum computers are undeniably an obvious danger. The National Institute of Standards and Technology (NIST), as part of its standardization mandate within the U.S. Department of Commerce, is now looking ahead to the security threat from quantum computing.

With quantum computing will come the capability to defeat the data encryption that protects information transmitted over credit card, e-commerce and other secure networks.

In 2012, NIST launched a Post Quantum Cryptography (PQC) standards project to promote development of encryption systems that will work with current, classic machines, while also being resistant to the capacity of quantum machines.

The Institute for Quantum Computing, University of Waterloo (Canada), has said that there is a one-in-seven chance that public key cryptography will be broken by quantum computing by 2026. 

Other initiatives are underway. The Financial Services Information Sharing and Analysis Center (FS-ISAC) was established by the financial services sector in response to 1998's presidential directive — later updated by the 2003 Homeland Security Presidential Directive, which mandates that the public and private sectors share information about physical and cybersecurity threats and vulnerabilities to help protect the U.S. critical infrastructure.

The World Economic Forum asks the question: “Is the world sleepwalking into a crisis? Global risks are intensifying but the collective will to tackle them appears to be lacking.”

Inevitably, when standards bodies and governments do sign off on quantum-secure encryption, the U.S. financial industry may find itself unprepared to deploy it quickly.

It may lack the investment and forward thinking necessary to keep its networks secure and, thus, concede leadership to others. Our government must lead the way.

Allan D. Grody is president of Financial InterGroup Advisors, a strategy, research and acquisition consultancy.