Friday, 2 December 2016
Tesco cyber-attack provides regulatory food for thought
Every little helps when it comes to controlling the financial system, but Giles Kenwright of Delta Capita explains why the Tesco cyber-attack will hopefully trigger banks and regulators to look at the bigger compliance picture
A cyber-attack that wiped £2.5 million from a major supermarket’s client accounts in just a few hours should ring alarm bells across the boardrooms of Britain’s biggest banks. While the damage to Tesco’s brand reputation may be substantial, more significant still is that this attack could be a sign of things to come for the wider banking sector.
It is not as if the major players have been burying their heads in the sand. Eight of the largest firms, including JP Morgan, Bank of America and Goldman Sachs, teamed up earlier this year to tackle the growing cyberthreat. While still in its infancy, the group is already sharing information with each other about where future threats could materialise. The trouble is that, at the same time, these conglomerates are entangled in the weeds of other regulatory issues, which is eating into time that could be spent developing a longer-term plan to tackle cybercrime.
So the key question is, what is the next big threat to the financial system and can the regulators be more proactive? Many senior banking executives are already well aware of the risk of cybercrime. But while a bank can get its own house in order, can it be sure that its counterparts are following suit? The global banking system is highly connected but only as strong as the weakest link. And there is more than one type of hostile actor at play, each with different objectives. While a criminal gang is likely to have profit as the primary motive, a ‘hacktivist’ group may want to obtain confidential data, and a rogue foreign state may want to delete or corrupt data without being detected, which may lead to greater disruption in the long term.
Unfortunately, cyber regulation didn’t arrive in time to stop the Tesco breach, but what if the next instance were to involve a banking behemoth? Also, what if the amount of money involved couldn’t be absorbed by shareholders? Cybercrime has the potential to eclipse the Lehman Brothers collapse. There is a start at least; on 13th September, New York’s Department of Financial Services announced a new series of cyber security regulations, coming into effect in 2017. It only applies to New York state and is unlikely to be rigorous enough to protect the global banking system, but it is a step in the right direction.