Cyber Gangs Threaten Asset Managers, Watchdog Warns

Attacks on financial institutions are real and rising.


Underground criminal networks pose an increased threat to banks and fund management groups, according to a warning issued Monday by the U.K.’s financial regulator.

These groups carry out reconnaissance on financial organizations, plant ransomware on their network assets, and destroy data backups to inflict maximum damage on their victims, the acting chief operating officer of the Financial Conduct Authority (FCA), Nausicaa Delfas, said at an industry conference. “Over the course of 2014, we had five reports of cyber attacks from the firms that we regulate,” Delfas said. “In 2015, this rose to 27 and in 2016 we had 89 reports. This significant increase indicates more attacks are occurring....There is no shortage of criminal networks continuing to attempt to compromise the corporate networks of our financial institutions. We have seen a rise in the risk of targeted network attacks being carried out against firms.”

Jonathan Luff, co-founder of cyber security firm CyLon, which advised the Bank of England, called criminal networks “the biggest single threat” to most organizations in terms of cyber risk. “Sophisticated criminal networks are the most real and present threat to City institutions in financial services,” Luff told II in an interview. “Yes, there are other significant threats, but the sophistication and intent of advanced criminal networks is a real threat to sophisticated industries.”

Luff was among those cyber security experts to welcome the FCA and Bank of England’s recent coordination on monitoring criminal cyber activity, but warned that the figures for reported incidents are likely only a fraction of the number of actual attacks witnessed. “The number of reported incidents and detected threats are probably under-estimated for two reasons: 1) People don’t always know they have been attacked and quite often it is a long time until it is discovered. 2) There are concerns about disclosing a breach or a compromise,” Luff said.

Despite evidence that attacks are ramping up, detection — or admission — has failed to keep pace, according to a report from consultants PwC. In the company’s Global State of Information Security Survey 2017, financial services companies said the number of detected incidents has remained flat since 2013 at between 4,600 and 4,900 annually. The report found that while detected incidents had not significantly increased, security spending had risen 67 percent between 2013 and 2016.

Speaking in Luton, U.K., Delfas said awareness needed to improve. “We need to also have good detective capabilities, to be able to recover and respond, getting back to business as usual. This is where we need to move the dialogue on.” She urged firms to carry out “robust and comprehensive risk assessments” based on the Cyber Essentials security scheme. The U.K. regulator has also built a series of cyber coordination groups to enable organizations to share information about cyber attacks.

Hugo Thorman, former chief executive of investment platform Ascentric and CEO of Seccl Technology, welcomed the introduction of working groups to share experiences. “As far as detection is concerned, there is often very little sharing,” he told II. “Organizations don’t want to say where they have had difficulties because, by alerting, they may undermine client confidence. As a result, you often operate in isolation.”