Mr. Krämer, to what extent has the significance of IT risks changed for banks in recent years?
Nearly weekly incidents in the public eye show that the share of IT risks in the overall risk of banks has increased significantly. This increase has also been recognized by the supervisory authorities, as can be seen in the regulations—such as the BAIT and EBA ICT Guidelines—and the focus of the on-site audit.
That sounds as though IT risks can be managed just like other kinds of risk?
Yes, that is correct. We advise our customers to manage IT risks professionally, just as they manage credit or interest rate risks. For these risks too, some actions are not executed when the risk is too high in relation to the return—in one case you don’t close deals, in another case you might want to reduce comfort to increase security or postpone a release.
Why do you think banks are the focus of cyber attacks?
Banks are extremely lucrative targets. What we are witnessing here are virtual bank robberies. In addition, profits can be made from criminal manipulation through cyber attacks—for example in trade. As it is often not possible to reveal the perpetrators, they are rarely brought to justice. As a result, the risk for the perpetrators is significantly lower than for a physical robbery. Of course, the financial sector is treating the topic of cyber security with the necessary seriousness to protect itself from such attacks. Due to technological progress, this is, of course, a constant struggle.
Why are IT risks apparently becoming more and more frequent?
Attackers are using increasingly sophisticated methods in their attacks from outside and are specifically exploiting weaknesses in employees and in the bank’s software components—for example, through social engineering and trading in zero-day exploits. Once they have penetrated the systems, they do not exploit this immediately, but “explore” data streams and employee behavior, sometimes over months. That way, they can hide their attacks better afterwards. In addition, threats within the organizations can still be observed, e.g. deliberate data theft or negligence from the use of simple passwords. In addition, many banks have built up relatively complex IT landscapes over the years. The necessity to produce updates and extensions in ever shorter periods of time increases the risk of human and technical errors.
Is there any way to protect against such attacks?
There is no surefire protection, but you can raise the threshold above which damage occurs. A first step towards this is to provide the individual applications and the organization with a comprehensive way to manage the protection requirements and analyze the ongoing risks. Afterwards, the organization can then move on to the risk-oriented implementation of active and prognostic defensive measures as well as reactive measures. Reactive measures in the event of a successful attack include forensic safeguards, emergency and crisis management and the prevention of subsequent damage.
What advice do you give your clients to improve their defense?
As a matter of principle, all defensive measures must be constantly reviewed by regularly updating and expanding them. In particular, this includes “white hat hacking”, which involves identifying and closing existing gaps. Furthermore, “threat hunting”, i.e. the search for already infiltrated attackers, must be expanded. If an attack occurs and is detected, so-called encapsulations of the IT architecture or evasion strategies must be implemented in order to keep the subsequent damage as low as possible. Last but not least, it is important to raise employee awareness through training and to encourage employees, through incentives, to identify hazards and close gaps. With regard to threats from within and the stability of operations, awareness needs to be raised that systematic information security management may sometimes seem “disruptive”, but is an essential building block in stopping the loss of trust in banks. We have corresponding implementation plans for all these measures, which we offer together with specialized partners in so-called 360-degree support.