Discovering the ‘Unknown Unknowns’ of Financial Services Supply Chain Cyber Risk
- Cyber security risks to the financial services sector are rapidly increasing due to the Ukraine war and rising geopolitical risks generally.
- State-sponsored or -affiliated hackers have set out to disrupt the western financial system.
- Supply chain attacks remain a major blind spot, and the risks are amplified by the drive for digital transformation and accelerated moves to the cloud.
- Managing third-party risks is difficult enough, but there is a total lack of visibility into risks in 4th, 5th and n-th parties further down the supply chain.
- Find out how a tier-1 bank used Risk Ledger to uncover potential blind spots, and within 48 hours was able to identify 36 fourth parties, 175 fifth parties, 15 sixth parties, and 27 seventh parties, as well as 7 potential concentration risks.
Geopolitics is changing the global threat environment
We are seeing major technological, geopolitical and regulatory changes, which have sped up significantly since the global pandemic and the war in Ukraine, and which have further intensified the cyber risks to our critical national infrastructure, and the financial services industry in particular. Hostile state actors and affiliated hackers are increasingly intent on disrupting the western financial system. As the New York State Department of Financial Services (NY DFS) rightly warned in the wake of the SolarWinds hack, “the next great financial crisis could come from a cyber attack.”
Just recently, the well-known Russian threat actors REvil and KillNet, together with Anonymous Sudan, announced over Telegram the creation of what KillNet termed the ‘Darknet Parliament’, made up of the three groups. In what they called Decision No. 0191 and Solution No. 0191, they announced that they will be imposing ‘sanctions’ in the form of cyber attacks on the countries and institutions that are carrying out the financial sanctions against Russia and are supporting Ukraine. They announced in early June that they will be targeting the western financial system.
As reported by SOCRadar, their intended targets include US and European financial institutions, the Federal Reserve System, as well as crucial financial messaging and payments infrastructure providers such as SWIFT, IBAN, SEPA, Wire money transfer service, and Wise. Only days later, the European Investment Bank announced that it was experiencing a DDoS attack, becoming the first victim of the groups’ campaign.
While financial services firms commonly have strong cyber defences in place, not least because of the stringent compliance and regulatory requirements the industry has to meet, there remains a clear weak spot: their supply chains. Financial services companies have seen a 63% increase in cyber attacks that originated through their supply chains and supply chain attacks have become the second most prominent cyber threat facing organisations today. Nonetheless, according to recent research, only 40% of organisations say they thoroughly understand their third-party cyber and privacy risks.
The SolarWinds attack has somewhat driven home the inherent dangers lingering in supply chains. As a direct result of the attack, the NY DFS saw a potentially major threat to the financial system and thus immediately required all New York financial institutions to report any impacts the attack had on them.
While this attack drew a lot of attention because of its massive “blast radius”, and because evidence suggests that Russia was behind it, there are hundreds of other attacks against the financial services industry through their supply chains that receive far less attention. One example is the recent ransomware attack against ION Trading Technologies’ cleared derivatives unit. The attack, which forced ION to take its systems offline, resulted in financial institutions suddenly having to manually confirm trades, causing ripple effects and reporting delays across the sector.
Why the financial services industry is highly vulnerable to supply chain attacks
The industry’s strong dependency on interoperation with often thousands of suppliers, clients, intermediaries and other organisations that they share information with or whose services or systems they use means that IT security teams, as well as procurement and compliance teams, face an arduous task in trying to secure their unwieldy supply chains.
The task is further complicated by the major digital transformations that the global economy, including financial institutions, is currently undergoing. As major research by the European Central Bank’s Banking Supervision into the digital transformation of the financial services sector has revealed, 90% of financial institutions are making increasing use of APIs and cloud computing as the foundation for their digital transformation strategies. 60% of banks now use AI in their services and operations, including for chatbots, credit scoring and algorithmic trading. These innovations, while essential to boost productivity and growth, also mean a continuously growing dependence on often less cyber mature Fintech companies and other suppliers.
The ‘unknown unknowns’ of supply chain risks
As if the risks emanating from immediate third-party suppliers were not difficult enough to manage, there is an entire additional layer that very few organisations are aware of, namely the risks further down their supply chains, from 4th, 5th and 6th parties, and even beyond.
Dan Jones, risk manager in the group sourcing and supply chain management team at Lloyds Banking Group, told a recent CIPS Supply Management Forum that “never before have supply chains been such a high profile risk, and supply chain resilience is top of the agenda with our regulators and our senior execs”, and added that “to identify ‘fourth-party’ risk had proved invaluable”.
And this is exactly the point. Without greater awareness of what is happening further down the supply chain, it becomes almost impossible to anticipate potential threats that might suddenly surface at 4th, 5th or 6th parties and beyond, but then ripple up and come to affect a financial services client directly. These broader supply chain risks, and the current general lack of visibility into them, remain a serious problem.
Identifying concentration risks to enhance your operational resilience
Apart from extensive manual surveys, there are really only two ways your organisation can currently achieve significant breakthroughs with regard to gaining greater visibility across your entire supply chain, and thus a more in-depth understanding of existing risks. The first is by using a data mapping tool that pulls together data from the open web to try and infer what your supply chain might look like.
The second option is to use a platform like Risk Ledger. Risk Ledger’s approach is based on creating a network of clients and suppliers all working together to Defend-as-One® through its platform, which provides clients not only with unparalleled and continuous insight into their direct suppliers’ security posture, but also with deep visibility into the relationships and risks beyond third parties. This allows organisations to understand where they sit within the wider supplier ecosystem, how different security incidents may impact their organisations, given those interdependencies, and where concentration risks might lie.
During a Cyber Innovation Challenge, led by the City of London and Microsoft, a tier-1 bank used Risk Ledger to uncover potential blind spots, and within 48 hours was able to identify 36 fourth parties connected to 14 direct suppliers, 175 fifth parties, 15 sixth parties, and 27 seventh parties, as well as, most important of all, 7 potential concentration risks.
Operational resilience has been on everyone’s mind, not least since the Bank for International Settlements’ Basel Committee on Banking Supervision published its Principles for operational resilience (the POR) in 2021. Identifying concentration risks in your wider supply chain should be a key component of enhancing your operational resilience. This means finding out who the key organisations are in the wider financial sector supply chain ecosystem that are so important (based on interdependencies) that if they were to have a major cybersecurity incident, this would not just affect a few of their immediate clients, but could ripple up the supply chain and directly affect not only your organisation, but potentially even the wider industry.
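To make the idea of n-th parties and concentration risk concrete, the following added example (not Risk Ledger's code or method) walks a supplier dependency graph, assigns each organisation its party tier, and flags organisations that more than one direct supplier ultimately depends on. The organisation names, the `SUPPLIES` data and the threshold of two direct suppliers are constructed assumptions for illustration.

```python
from collections import deque, defaultdict

# Constructed sample data: each key relies on the suppliers listed for it.
# All organisation names are hypothetical.
SUPPLIES = {
    "bank": ["core-banking-co", "payments-co", "kyc-co"],
    "core-banking-co": ["cloud-a", "db-vendor"],
    "payments-co": ["cloud-a", "fraud-api"],
    "kyc-co": ["ocr-vendor"],
    "ocr-vendor": ["cloud-a"],
    "fraud-api": ["dns-host"],
    "db-vendor": ["dns-host"],
    "cloud-a": [],
    "dns-host": [],
}

def map_tiers(graph, root):
    """Breadth-first walk from root. Direct suppliers are tier 3 (third
    parties), their suppliers tier 4, and so on. An organisation reachable
    at several depths is recorded at its shallowest tier."""
    tier = {}
    queue = deque((s, 3) for s in graph.get(root, []))
    while queue:
        org, t = queue.popleft()
        if org in tier or org == root:
            continue  # already placed at a shallower tier, or a cycle back to root
        tier[org] = t
        queue.extend((s, t + 1) for s in graph.get(org, []))
    return tier

def concentration_risks(graph, root, threshold=2):
    """Return {org: [direct suppliers]} for every organisation that at least
    `threshold` distinct direct suppliers depend on, directly or indirectly."""
    exposed_via = defaultdict(set)
    for direct in graph.get(root, []):
        seen, stack = set(), [direct]
        while stack:  # depth-first walk below this direct supplier
            org = stack.pop()
            if org in seen:
                continue  # guards against circular supplier relationships
            seen.add(org)
            stack.extend(graph.get(org, []))
        for org in seen - {direct, root}:
            exposed_via[org].add(direct)
    return {o: sorted(d) for o, d in exposed_via.items() if len(d) >= threshold}

if __name__ == "__main__":
    print(map_tiers(SUPPLIES, "bank"))
    print(concentration_risks(SUPPLIES, "bank"))
```

In the sample data, `cloud-a` sits behind all three direct suppliers even though the bank has no contract with it, which is the kind of dependency a third-party-only review does not surface.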
With this new visibility into an ever-growing threat surface, you have the information and opportunity to collaborate with your internal risk and resilience team(s), and the high-risk suppliers you were able to identify, to address and reduce these risks and demonstrate to regulators that effective risk awareness is guiding your security governance and operational resilience efforts.
If you want to learn more about how to identify and address risks in your wider supply chain ecosystem, including concentration risks, drop by the Education Seminar “How concentration risk in your supply chain affects operational resilience and what to do about it”, facilitated by Risk Ledger’s Chief of Staff, Emily Hodges, at the conference on Wednesday, 5th July.