Such threats are also of prime concern for banks. In a recent worldwide survey by management consultancy EY and the Institute of International Finance, 48% of banks identified cybersecurity as one of the three most important risks for their board to consider over the next 12 months. Some 68% said cybersecurity was receiving more attention at board level, and 75% said they had increased the number of staff focusing on the area.
Credit transfer scams are a threat to all companies and are wreaking havoc all over the world, with more than $3bn of known losses worldwide according to the FBI, including €550m in France according to the French judicial police. Fraudsters use social engineering techniques – the psychological manipulation of people – to dupe companies’ employees. A favourite technique is impersonation. Companies with insufficiently tight procedures could fall victim to a fake CEO who requests urgent confidential payment or a fake supplier who requests that an IBAN be amended.
Companies also hold valuable information about their customers such as contact details, invoices and credit card numbers, and scammers attempt to steal this data by penetrating IT systems and spreading malicious software, or by impersonating a customer or a public authority in an e-mail or by telephone. Data theft can have disastrous consequences for companies – particularly large billers such as telecoms groups, utilities, large property firms – such as vast amounts of unpaid invoices, loss of image and commercial risks.
Companies have also sometimes been the target of large-scale attempts to infect their networks with malicious software sent by e-mail. In 2015, hundreds of thousands of PCs were contaminated by the Dridex program, which took control of the PCs, launched credit transfers, and stole companies’ supplier and customer lists. In some cases the hackers demanded payment of a ransom to allow companies to regain access to their computers.
Firms look to banks for help in countering cybersecurity risks
Companies can pay a heavy price for cybersecurity breaches and are therefore looking to banks for help in countering these threats, says Jacques Levet, Head of Transaction Banking at BNP Paribas Corporate and Institutional Banking (CIB).Is it possible to quantify cybersecurity risks for companies? Can you give some examples of data breaches and the costs to the companies concerned?
It all depends on a company’s size and activity. Fake vendor scams can be devastating – a large company in the US was defrauded out of around $100m and a large French retailer was the victim of a €15m scam. It discovered the fraud but it could have lost way more.Fake CEO scams typically cost €0.5m-1.5m in our experience, but some much bigger cases have hit the headlines – the subsidiary of a US-based company suffered a $47m fraud in Hong Kong, a Belgian bank was the target of a €70m scam and an aircraft parts manufacturer was defrauded out of €55m in Austria. Beyond the financial damage, the human consequences can also be very serious. In France, an SME of 424 employees filed for bankruptcy because of a €1.6m fake CEO scam.
As for data theft, the average loss is generally a few million euros, according to the Ponemon Institute’s Cost of Data Breach Study for IBM. The theft of more than 70 million clients’ personal data and credit card numbers at US retailer Target was estimated by the company to have cost more than $100m. But it really depends on the volume and the criticality of the data stolen and how well known the company is. However, all payment frauds begin with information or data theft, so every company is at risk. And 70%-80% of cyber-attacks affect SMEs and have serious consequences even if they do not get into the media.
Do companies always report security breaches, or do they sometimes prefer to keep quiet?
It’s difficult to say because, by definition, we don’t know about companies who don’t declare it. But it is clear that more and more companies report it now. Global strategist and author Marc Goodman has said that 75% of Fortune 500 companies have been hacked and it took them an average of 211 days to identify the computer breach, which probably means that the other 25% have already been hacked and just don’t realise. Peter Singer, director of the Brookings Institution’s Center for 21st Century Security and Intelligence, has estimated that as many as 97% of Fortune 500 companies have been hacked.Does this mean that companies need to invest large sums in preventing such data breaches and hacks?
It depends on the size and the activity of the company. Before investing considerable sums, the company should first assess the criticality of its assets, the main risks it is facing, its main weaknesses and regulatory constraints. For example, some companies have to comply with Payment Card Industry Data Security Standard (PCI DSS) regulations.Beyond the necessary IT investments, it is just as important to invest in procedures and awareness raising, because cybercriminals and fraudsters almost always exploit human weakness to reach their goals. A holistic approach to the prevention of fraud, cyber-risks and data may be more important than investing huge amounts of money in specific areas.
Are corporates looking to banks to help them manage cybersecurity risks?
CFOs and treasurers know that it is something that they have to tackle internally, but they also want their banks to help them lower the risks. Our clients generally ask us for help in four areas in the cash management and payment area. They want advanced e-banking security, advisory services on payment fraud and cyber-risks, payment controls, and third party bank account verification services.What can banks offer to their corporate clients?
BNP Paribas and the banking community have been investing a lot in IT security and in the e-banking channel security for corporate clients. That is why fraudsters and hackers generally don’t succeed if they attack banks directly. More often they attack clients, with both social engineering techniques and cyber-attacks.BNP Paribas is also investing a great deal in awareness and advisory. We believe this is key to lowering clients’ risk exposure. We communicate through all channels, hold regular events for our clients and propose training sessions for accounting and treasury teams. And our relationship managers are trained to help our clients assess their risks.
As for bank controls, BNP Paribas offers a service called Secure Flow, which allows the client to define personalised multi-channel controls, such as country white or black lists and closed lists of beneficiaries. We are also investing to improve our fraud detection capabilities and processes, using new technologies such as big data and machine learning.
To help its clients authenticate counterparties, BNP Paribas is part of local schemes allowing the checking of bank accounts. For example, it is the first bank to offer a new service in France, called SEPAmail Verification, to check that account and corporate ID numbers match. Our longer-term ambition is to offer a more universal counterparty authentication service.
How are clients responding to such offerings?
The aim for the bank is not to sell more products, but to reduce risks for our clients, and strengthen the client relationship. Our clients generally show a great interest. They particularly appreciate our awareness and training sessions, and many are interested in our Secure Flow and SEPAmail Verification value-added services.However, we all have to be very humble. Cyber-fraud attempts are massive and in constant evolution. And some of our largest clients challenge us to do more to help them.
Can banks and their clients work together to learn from their experiences in this field?
Yes, definitely. Because we invest so much time in client awareness and advisory, through events and personalised meetings, we benefit from constant and very enriching exchanges with clients of all sizes, which helps us in our fight against fraud and cyber-threats. As for the cooperation between banks, I think that there is still some room for improvement. Fraud and cyber-risk are clearly not a field for competition.