When Cyber Crime Becomes Cyber Hype

When the first deadline for Form PF came rolling down the pike in 2012, most every vendor that geared itself toward the buy side launched aggressive marketing pushes touting their wares as being the tool that could help conquer this new requirement that stemmed out of the Dodd-Frank Act.

In 2013, vendors focusing on banks jumped onto the Basel III credit valuation adjustment (CVA) bandwagon to spread the good word about their risk modeling and risk analytics tools. A new term of art—XVA—was eventually born.

Last year, the investment book of record (IBOR) took hold amongst large asset managers and a sea of vendors began distributing information about their IBOR capabilities.

This is not to say that all of these vendors were full of it ─ most were simply seizing on a new challenge to market a product that they fully believe in. That's fair. But other vendors were simply slapping lipstick on a pig. More accurately, you can put a Porsche body on a $15,000 starter car, but if there's no a twin-turbo engine underneath then while it may look like a high-end sports car, it won't perform like one.

Now we're on to cybersecurity. And the hype ─ some might say, fear-mongering ─ has been impressive.

Let's start this discussion with the acceptance that cybercrime is the one of the most-challenging issues facing financial institutions, if not the most-challenging. ...But the headlines are getting ahead of the actual damages.

What, Exactly Happened?

Don't get me wrong, cybersecurity may just be the most important, challenging issue facing financial IT today, but when it comes to financial services and, specifically, the capital markets, there's been a tendency to blow events out of proportion. At least that's my opinion.

Last week, my colleague Dan DeFrancesco looked at the massive Carbanak cybergang hack that made the front page of the venerable New York Times.

The article sited Russian security vendor Kaspersky Lab as saying that an unknown number of hackers may have infiltrated over 100 banks and various other financial institutions across 30 nations, stealing in excess of $300 million ─ and possibly three-times that amount, according to the NYT article.

That is eyebrow-raising stuff, right there, especially when it's written on the front page of the Times.

BUT IT'S ONLY A MATTER OF TIME!

Again, let's start this discussion with the acceptance that cybercrime is the one of the most-challenging issues facing financial institutions, if not the most challenging. I've talked with enough CTOs, CISOs and CIOs to not belittle the issue.

But the headlines are getting ahead of the actual damage, or in the very least not being very clear about context. The article says that "the group impersonated bank officers, not only turning on various cash machines, but also transferring millions of dollars from banks in Russia, Japan, Switzerland, the United States and the Netherlands into dummy accounts set up in other countries."

The problem here is that there is no proof whatsoever that money was actually hacked out of a US bank, nor any bank residing in Western Europe. (If proof is ever presented, I'll take back these words.)

Dan spoke with Chris Doggett, who is the managing director of Kaspersky's North American branch, and Doggett said that at least three dozen US banks were targets of the attack, but he couldn't say how many of those banks were successfully breached due to "non-disclosure agreements and ongoing investigations," which is also what the organization told the Times.

Dan also spoke with Bill Nelson, CEO of the Financial Services Information Sharing and Analysis Center (FS ISAC), a group comprised of over 5,000 financial firms that shares and analyzes cyber attacks. He said that this attack was "old news" and that the group has known about the attack for months. Nelson said that no banks in the US or Western Europe have been affected, with most of the targets being Russian banks.

"Yes, some of these banks were scanned, but they successfully defeated it. They weren't breached and for me, it's not a story," Nelson told Dan.

Headline Problems

For the November issue of Waters I profiled Neuberger Berman chief information security officer Bob Ganim about the dangers that lurk in increasingly internet-dependent markets.

He noted that one of the toughest aspects of his job is the fact that every hack and every newly discovered vulnerability makes the front pages of national papers, which, in turn, leads to questions from the CEO and various other business leaders, board members and even investors.

From that article:

The scale of Ganim's job can be daunting. Neuberger Berman has an office in Dallas-Ground Zero for the Ebola scare in the US. It also has an office in Hong Kong, where the protests for election reform with China have unfolded. And when your job involves information security, every hacker headline is a major concern, since client information is an asset manager's lifeblood. The Shellshock bug was just the latest threat.

"That Thursday, I was involved with every headline in the newspaper as both a CISO and global head of BCP. ...We must be ready for anything," he said.

But he also noted that you can't freak out at every threat and every headline:

"Don't make the mistake of feeling so overwhelmed that you just throw your hands up in the air and ask, ‘Why bother?' Don't make the mistake of being so rigid and controlling with policies to the point that it might impede your organization's ability to do what they do best-and that is to serve your clients," he says. "The most resilient, successful organizations will be the ones that are both realistic and proactive regarding the threats and risks that might leave their organization vulnerable."

Wanted: Partner, not a Promoter

Let me say that Kaspersky is well-respected and no one has ever bad-mouthed them to me. This is not a hit piece against that firm, because there clearly was a hack that led to lost money.

This is more generally aimed at the security-vendor industry, because I get A LOT of press releases with bold-faced headlines, and here's what I believe: While you might win a good deal of early business by crying that the sky is falling after every attempted hack or new vulnerability, eventually firms are going to stop listening. The boy who cried wolf, and all that.

Be proactive, but be a partner. Don't embellish...the threat is real and scary enough, as it is.

To finish, this whole ordeal reminded me of an episode of the animated-comedy, "Archer", which is one of the greatest television shows ever. (That's a fact, not hyperbole or opinion.)

Here's the synopsis of the episode:

Tired of his colleagues constantly calling him a failure, [one of the central characters] Cyril agrees to help George Spelvin, a mysterious computer security expert, inject a pirate virus into the ISIS [not the terrorist organization, but the name of the CIA-like security outfit, that has since changed its name] mainframe so Cyril can defeat the virus and be seen as a hero. Not surprisingly, the plan goes awry.

Basically, this whole article was just an excuse for me to link to this one great YouTube clip from the show. Enjoy.

Oh yeah, speaking of cyberhype, the entire April issue of Waters will be dedicated to cybersecurity (how's that for a bait-and-switch!). If you have any thoughts or insight into the art of patching ─ which is what I'll be focusing on ─ then shoot me an email or give me a call (646-490-3973)