This article in the New York Times does a great job describing the top-level efforts conducted by payment networks and large banks to build a defense against hackers. The cost associated with just these top-level efforts becomes obvious in this article. Trying to extrapolate these costs across the full breadth of the financial sector is mind-numbing! The full article is worth a read, but here is the point I found most interesting:
“The military sharpens soldiers’ skills with large-scale combat drills like Jade Helm and Foal Eagle, which send troops into the field to test their tactics and weaponry. The financial sector created its own version: Quantum Dawn, a biennial simulation of a catastrophic cyberstrike.
In the latest exercise last November, 900 participants from 50 banks, regulators and law enforcement agencies role-played their response to an industrywide infestation of malicious malware that first corrupted, and then entirely blocked, all outgoing payments from the banks. Throughout the two-day test, the organizers lobbed in new threats every few hours, like denial-of-service attacks that knocked the banks’ websites offline.
The first Quantum Dawn, back in 2011, was a lower-key gathering. Participants huddled in a conference room to talk through a mock attack that shut down stock trading. Now, it’s a live-fire drill. Each bank spends months in advance re-creating its internal technology on an isolated test network, a so-called cyber range, so that its employees can fight with their actual tools and software. The company that runs their virtual battlefield, SimSpace, is a Defense Department contractor.
Sometimes, the tests expose important gaps.
A series of smaller cyber drills coordinated by the Treasury Department, called the Hamilton Series, raised an alarm three years ago. An attack on Sony, attributed to North Korea, had recently exposed sensitive company emails and data, and, in its wake, demolished huge swaths of Sony’s internet network.
If something similar happened at a bank, especially a smaller one, regulators asked, would it be able to recover? Those in the room for the drill came away uneasy.
“There was a recognition that we needed to add an additional layer of resilience,” said John Carlson, the chief of staff for the Financial Services Information Sharing and Analysis Center, the industry’s main cybersecurity coordination group.
Soon after, the group began building a new fail-safe, called Sheltered Harbor, which went into operation last year. If one member of the network has its data compromised or destroyed, others can step in, retrieve its archived records and restore basic customer account access within a day or two. It has not yet been needed, but nearly 70 percent of America’s deposit accounts are now covered by it.”
Along with cybercrime, financial institutions also run simulations of disaster scenarios such as earthquakes or an outbreak of a virulent strain of flu. Vigilance is expensive!
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group