He noted that while market players may include cybersecurity as part of an overall operational risk management strategy, cyber should be dealt with separately as 'it can move much faster'. Voormeulen said that common principles and frameworks are required to combat cyber-attacks rather than specific rule-sets, as the latter can become out of date very quickly. He recommended three key principles for financial institutions to apply when dealing with cybersecurity: governance, scope and range.
Governance: Voormeulen stressed that each bank needs comprehensive governance in place to prevent cyber-attacks. Cybersecurity is more than an IT issue and requires all members of staff to be engaged in the approach: 'The worst thing an organisation can do is say that cybersecurity is the fault of the IT department, because the communication factor tends to be the weakest link in the cyber business.' He suggested that banks should organise a professional hacker to target the top management. This exercise involves sending an email with some attachments that have malware in them to the bank's top management to see whether they click on it. This was to prove that it only takes one person to click on an attachment for an attacker to get into the bank's system, and all staff must be aware of this, he said.
Having a good 'cyber-culture' within an organisation requires training, awareness and an open environment, Voormeulen said, where staff feel comfortable bringing forward any concerns they may have. He added that cybersecurity should not be a competitive issue and that it is important for all market players to work together to make sure they all know what is going on. 'A cyber-attack to one player is bad for the whole sector,' he stated.
Scope: Voormeulen remarked that banks can suffer different types of cyber-attacks: confidentiality from when information is stolen from a bank's system; availability such as when a bank's service suffers a distributed denial-of-service (DDoS) attack; and integrity, when an external attacker manipulates a bank's internal data. Whilst all of these scenarios can be viewed as cybersecurity issues, Voormeulen said, each 'may require a different defence strategy' to combat any problems. In the case of a DDoS attack a bank may hire mitigation services, but for an integrity attack a different approach would be required to tackle the issue, such as the deployment of different software in the bank's primary and back-up system.
Range: The last principle, Voormeulen said, is the range of measures that a bank needs to take to prevent, detect and recover from cyber-attacks. He said: 'Whilst a clear prevention strategy is crucial, it is not enough.' Organisations also need to pay particular attention to the monitoring of threats, implement proactive detection processes, and have a clear recovery plan in place. Questions that need to be asked include: Is the bank able to detect exactly what stage this attack took place? Is there a stage where the data and systems are intact and not manipulated? Is it possible to go back to that stage? Do you need clean data from other players, profilers or customers to ensure your business goes back to normal?
Voormeulen closed the discussion by saying that cyber threats are very important issues for the financial services market. 'Banks shouldn't worry about such threats, but they should certainly act,' he said.
Follow Chloe on Twitter