Banks work in the trust business. We’re selling trust. For that reason, and because we are frequently targeted by cyberattacks, financial institutions are ahead of the curve in terms of preparing for the worst. But we still have a lot to do.

Cyberattacks on banks are so common that leaders in our industry plan for them as a cost of doing business, along with other major components of risk, such as geopolitical instability. We ask, “What country is mad enough that it would want to do us harm for political gain?” Three main types of attackers target the financial sector: organized crime, which wants money and is often involved in identity theft; nation-states that sponsor cyberattacks to steal intellectual property, manipulate data, gain competitive advantage, and inflict political pain; and hacktivists on various sides of contentious debates, who frequently target companies that take stands on controversial issues.

Financial institutions, like other companies, are most likely to be attacked during mergers and acquisitions, during leadership transitions, and at times of geopolitical instability. In other words, when we’re not paying attention. So we must stay vigilant.

We’re making contingency plans and developing industry norms and procedures to respond to our new reality. For example, what happens if a nation-state takes down a bank? Or, what happens after a bank is crippled by a cyberattack and stops processing transactions—who certifies that it is clean to come back online and not infect others? There are 7,500 financial institutions in the U.S. alone. Who do you call?

We’re also working across industries, with government, to envision contingency plans for the nation. We all rely on power and telecommunications. If there is a blackout nationwide, who should the government turn back on first? Nuclear plants? Wall Street? Military facilities? A multisector group is looking at how we prioritize.

In addition, there’s a healthy debate at NATO and elsewhere on when cyberattacks qualify as acts of war. I would argue you need a different classification for cyber, as a form of economic warfare. The definition is important in light of our military commitments to defend allies who are under assault, and our agreements not to attack each other’s financial networks in times of peace or war.

These are all big questions, and while the financial sector has been the tip of the spear in addressing cybersecurity, we need a broader set of forces to collaborate and combat these threats.
 

Siobhan MacDermott, F13, is Bank of America's Global Cyber Public Policy Executive.

 
