
Published: 17.02.2015 | Topic: Risk management | Dr Markus Held, BaFin

Cyber attacks: Risks for banks and BaFin activities

According to the IT industry association Bitkom, almost one-third of German companies, including German financial institutions, recorded cyber attacks on their IT systems last year. Such attacks create operational and reputation risks for the companies attacked.

They may cause particular harm to banks’ data processing, and thus their business, for attacks on their IT systems jeopardise the availability, integrity, confidentiality and authenticity of the data.

In addition, these risks threaten to thwart the objectives of the Principles for Effective Risk Data Aggregation and Risk Reporting of 2013, which the Basel Committee on Banking Supervision (BCBS) had drawn up to highlight the importance of the processing of risk data by IT systems. In it, the Committee prescribes comprehensive new information technology and data architecture requirements for the banking industry because the financial crisis had proved that the existing systems were unable to provide adequate support for senior management and risk management. Accordingly, data must be available with all due flexibility, speed and reliability at all times.

Cyber attacks do not affect only the banking industry, but all industries. For that reason the Federal Government has presented a draft IT Security Act (IT-Sicherheitsgesetz, only available in German), which is intended to improve the IT security of all critical infrastructures. BaFin has been setting requirements for banks’ IT security management since as far back as 2006 in its Circular on Minimum Requirements for Risk Management (Mindestanforderungen für das Risikomanagement – MaRisk), which was last updated in late 2012.

This article outlines the vulnerability of financial institutions to cyber attacks and describes the requirements intended to minimise the risk. It thus follows on from an earlier article on BaFin’s expectations of banks’ IT security.

Targets of attacks in the banking industry

Information processing plays a vital role in banking. Almost all bank processes are initiated or controlled by computers using application systems. For hackers, whatever their motivation, data and the functionality of the applications are attractive targets.

Since the vital functions of banks are based on communicating with other banks and with their customers, their IT systems cannot be decoupled from public networks. For that reason it is essential that certain systems be afforded particular protection.

Major targets of attacks on banks

  • Office and e-mail systems
  • Corporate networks
  • Databases and data files
  • Accounting IT systems
  • Upstream applications
  • Management and control applications
  • Risk management and risk reporting applications
  • Payments systems
  • Trading systems
  • Interfaces with customers and business partners, for example web applications

Office systems and corporate networks

Institutions develop and operationalise their strategies with the aid of office systems. A great many management decisions are taken and documented on the basis of office systems and e-mail documents. Hackers can therefore see into the future business dealings of an institution and use this information to their own advantage.

Moreover, e-mail systems are relatively “soft” targets which also make it easier to break into corporate networks. In this context there is a particular danger of hackers gaining an insight into an institution’s business and risk strategy or viewing documents used in the planning and implementation of these strategies. Hackers can also manipulate reports.

Accounting systems and upstream applications

For many processes the use of paper documents has become rare. For most banks the accounting books such as the trading book and the investment book are held only in electronic form, as are many other documents. The management of accounts and custody accounts, including all transactions, is carried out automatically, by computer; the same is true for the settlement of securities transactions. If hackers have penetrated to this level, they can alter account movements and custody account holdings. Although banks as a rule create back-ups of accounting data by also saving another copy elsewhere, the back-up data are more often than not worthless, depending on the length of the attack, because they are as a rule generated as extracts of the data sets used for operational purposes and therefore already contain the manipulated values. There is, therefore, a heightened risk of business documents being extensively manipulated.

However, direct attacks on accounting IT systems are not the only way to cause harm. All transactions are generated by upstream systems and can also be viewed through them. Moreover, in most banks business processes are initiated by IT applications that not only manage the activities and generate key statistics but also carry out controls. The individual business process activities and controls are performed here automatically by a “business logic”, or are at least partly carried out by computer, and are also linked to one another by communication. The business logic is embedded in applications known as workflows and takes many decisions with a great degree of autonomy.

Bank control and risk management systems

Bank control and risk management are carried out through separate systems which analyse accounting data extracts (data warehouses). Here, too, manipulation of upstream IT systems is enough to be able to spy on data or to manipulate risk or control data.

If hackers attack these systems, they can see into the whole or parts of the bank’s business situation. Hackers may also gain financial advantages by manipulating risk or control data, for example by short-selling the shares of a victim institution.

In the case of attacks on accounting systems, upstream applications and control and risk management systems, there is also the risk of the key statistics that banks need to comply with capital requirements and for reporting purposes being falsified – even if this was not the actual objective of the attack.

Examples of cyber attacks

In the summer of 2014 hackers attacked the US bank J.P. Morgan Chase & Co. According to press reports, they introduced specially designed malware into the bank’s IT systems which made it possible for them to control the systems remotely. To do this, they exploited security loopholes which the bank had not been aware of up to then – known as zero-day vulnerabilities. It was not until two months later that the attack was discovered. According to J.P. Morgan, data on over 76 million personal and 7 million corporate clients were stolen. The data sets included names, addresses, telephone numbers and e-mail addresses as well as internal information on the clients. The hackers, who are still unknown to this day, did not use the data for either blackmail or fraud purposes. This suggests that the objective of the attack was actually to spy on the data in and of itself.

Because of the attack pattern (infiltration of malware), the objective of the attack (data theft) and the belated discovery of the attack, the J.P. Morgan case was typical of professional cyber attacks. It is only one conspicuous example among many others. For example, in 2013 criminals penetrated the IT systems of two Indian IT service providers and manipulated the payment account limits of two Arab banks. Accomplices withdrew around 45 million US dollars from ATMs in a number of countries within a few hours. In the same year a number of US banks were subjected for months to so-called DDoS (distributed denial of service) attacks aimed at causing the temporary failure of websites. The attacks were Islamist-motivated and caused considerable disruptions in online banking. As far back as 2011 hackers introduced malware into the computer centre of a South Korean credit institution via the laptop of an external employee. This deleted databases and caused damage in the computer centre that forced the bank to suspend operations for three days.

Payments systems

Attacks on payments systems may cause fraudulent transfers or directly restrict the ability of a bank or its customers to pay. In the worst-case scenario, the adequate liquidity required of a bank by section 11 of the German Banking Act (Kreditwesengesetz – KWG) may even be threatened. Moreover, hackers may spy on the payment behaviour of a bank’s customers.

Hackers may trigger extremely high fraudulent transfers. Effectively, this represents a credit risk for a bank, for on the one hand it is liable to its customers and on the other it must itself take legal steps to recover the funds that have been credited to another institution.

Trading systems and interfaces

In trading, orders are transmitted to the exchange by computer systems which produce as optimal a denomination of the orders as possible. The orders themselves are often generated by algorithmic trading systems, without any human intervention. Spying on trading data is attractive for hackers because they can lay the groundwork for insider dealing in this way. But attacks on a bank’s trading systems not only enable trading strategies to be reconstructed, they also make it possible to create orders that restructure the bank’s portfolio to its detriment. For example, short squeezes may be created in this way or a bank’s liquidity may be impaired by switching liquid positions into illiquid positions. Furthermore, cyber attacks may aim to delay the transmission of orders. In this way the hacker gains a very brief but effective advantage in trading (front running).

In 2013 the International Organization of Securities Commissions (IOSCO) and the World Federation of Exchanges (WFE) carried out a joint study of cyber attacks on financial market infrastructures. In the working paper that sets out the results of the study, Rohini Tendulkar of the IOSCO Research Department specifically warns against such attacks. According to 89% of the exchanges that took part in the study, such attacks represent a systemic risk. In 2012, 53% of exchanges are said to have been affected by at least one cyber attack. The attacks were mostly directed at disrupting the operation of the exchanges. However, banks’ access to financial market infrastructures – for example, exchanges, clearing houses and settlement systems – may also be disrupted by cyber attacks on the interfaces operated by the banks.

Banking supervision requirements

In view of the vital role played by information technology in banks, BaFin’s MaRisk also specify requirements for banks’ IT processes and IT systems. Although section 25a (1) of the KWG requires financial institutions to undertake contingency planning for their IT systems, the usual contingency measures, for example alternative computer centres, offer only a certain degree of protection against natural disasters and bomb attacks but none at all against cyber attacks. Protecting banks against cyber attacks takes a different approach.

The MaRisk make it incumbent upon banks to base their IT systems and IT processes for protecting the availability, integrity, confidentiality and authenticity of data on widely used standards. In particular, user authorisation procedures are required. The banks must examine regularly whether their IT systems and processes meet these requirements. Furthermore, the MaRisk stipulate that software development processes have to be put in place, and that these processes must themselves be designed to be secure.

These requirements apply irrespective of whether the IT systems and processes are managed by the banks themselves, whether they have outsourced them or are provided with the service by outside organisations in any other way. They are essential in order to ensure a proper business organisation.

Protective measures

Specifically, BaFin requires banks to take the following protective measures against cyber attacks:

  • IT security management, based on the standards of the International Organization for Standardization (ISO), in particular ISO 27000, or those of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI), especially BSI 100-1 to 100-4
  • Careful planning, safeguarding and monitoring of IT systems and networks
  • Testing of IT systems and processes for security loopholes, for example by way of audits, vulnerability scans or penetration tests
  • Effective patch management that ensures in particular that security-related software updates and any configuration changes that may be required are carried out in a timely and secure manner
  • Security measures in software development
  • Taking due account of IT security in the outsourcing of activities and the purchasing of IT systems

In addition to the foregoing, BaFin has also published a Circular setting out requirements for systems and controls for algorithmic trading by institutions. It prescribes special protective measures because a successful attack on such a system may cause potentially huge losses within an extremely short time. For systems with external interfaces, for example, institutions must conduct regular penetration tests.

BaFin’s activities

In their supervisory interviews and special audits BaFin and the Deutsche Bundesbank constantly address the subject of bank IT security, sometimes also focussing on cyber security. There has been a separate section within BaFin since 2011 that deals with bank IT infrastructures and cyber security. It is quite conceivable that cyber risks will also come to be considered within the framework of the Single Supervisory Mechanism (SSM).

BaFin is a member of the national Cyber Response Centre (Cyber-Abwehrzentrum – Cyber-AZ), a platform operated by the Federal Office for Information Security (BSI) for the exchange of information between federal authorities on the latest threats. For several years now there have been voluntary BSI reporting channels open to various sectors, including parts of the banking industry, although the use that is made of them varies.

What is expected of financial institutions

If banks are affected by cyber attacks, BaFin expects to be informed. Spotting cyber attacks and reacting sufficiently quickly to them is a challenge for banks in itself. If a cyber attack was successful, it is important for the institution to establish the scale of the damage for legal certainty purposes in order to prevent liability risks. For that purpose it may be a good idea to call on the services of IT forensic experts.

After an incident, comprehensive reports, from the bank’s IT forensic analysts or its IT security officer, for instance, are also valuable sources of information for all parties involved, including BaFin. They can address deficiencies in the design and maintenance of IT systems as well as inadequate planning in the IT organisation or the IT budget underlying the deficiencies.
