Silvio Schembri, Parliamentary Secretary for Financial Services, Digital Economy and Innovation
There is no doubt that financial institutions across the globe are becoming the honeypots for cyberattackers. The recent cyberattack on Bank of Valletta cannot go unnoticed. It is a wake-up call for businesses, institutions and entities to step up their game and invest heavily in cybersecurity.
The importance of cybersecurity, further underlined by the threats and disruption that cyberattacks can bring to businesses in this increasingly technologically driven environment, is evidently becoming an important priority for the board of directors of companies operating not only in the financial services industry but in other economic sectors.
Cyberattacks are becoming more sophisticated, making it difficult for financial institutions and entities to shield themselves in a digital world. Cyberthreats can never be completely eradicated despite the significant investment in cybersecurity measures.
Subsequently, cyberattacks may take place in different forms from phishing, whereby sensitive information is fraudulently obtained using electronic communications by persons posing as trusted agents, taking on extensive and elaborate forms similar to the attack sustained by BOV.
Cyberattacks are often a result of not simple technical vulnerabilities but rather the exploitation of human weaknesses through social engineering. Stakeholders and parties in the field have often described cybersecurity as a cat and mouse game, which forces the hands of financial institutions to rethink every now and then their cybersecurity strategy, meaning that it must be nimble and agile to evolve rapidly according to its whereabouts, while diminishing the risks of an attack.
The cyberattack on BOV has highlighted the importance of business continuity and disaster recovery plans, and within this context the ability for institutions that are hacked to resume operations in the shortest time possible to minimise disruptions to the business and inconvenience to clients.
This has been the case with BOV, which has managed to resume normal operations in a relatively short time frame.
While we upgrade, we must protect, and in an area as sensitive as finance, companies, entities and institutions need to protect themselves by choosing trusted technologies. Extensive investment in IT infrastructure and latest technology is key and even so, one must explore responsibly the opportunities provided by disruptive technologies such as blockchain technology as well as systems based on artificial intelligence.
In a globalised world, it is crucial for institutions to constantly adapt security systems to new emerging threats, thus the continuous analysis of data and information with regard to the relevant cyberattacks aimed at financial organisations is ascendant. The future is digital and it has to be across the board.
As a government, cybersecurity was always at the top of our agenda, in order to protect our thriving economy and the day-to-day business operations, and we will keep doing so in the best interest of our future.
Michael Mercieca, Nationalist Party candidate for European Parliament election
On February 13, our largest bank was the target of a cyberattack, with hackers attempting to withdraw €13 million. Bank of Valletta immediately shut down its systems, closing branches and ATMs and suspending mobile and internet banking and internal e-mail. Its website also went offline.
Hackers attempted to transfer funds to banks in the Czech Republic, Hong Kong, Britain and the US. Later, the bank issued a statement claiming that customer accounts were “in no way impacted or compromised” and normal services would resume as soon as possible and that the transactions had been traced and were “being reversed”.
But what lessons have we learnt from this negative experience? Up to the financial crisis of 10 years ago, bankers around the world have focused on strengthening up banks’ ability to withstand financial shocks, including cyberattacks. We have seen how these attacks cause disruptions to payments systems instantly.
Such an attack shakes the confidence not only in the targeted financial institution but in all the financial services industry including banks, businesses and consumers, resulting in a major negative impact on economic activity. We have seen that in such a major cyberattack the damage could be substantial.
ATM networks were blocked, credit card and other payment systems failed across the entire nation, online banking became inaccessible: no cash, no payments, no access or information about bank accounts. We had widespread panic and chaos even though it was for a short time. How can we prevent such a situation happening again?
We have seen and heard that the bank in question does have systems that help it to resume operations as rapidly and smoothly as possible. However, what happens if such a situation occurs again on more than one bank or financial institution at the same time? The local financial services industry needs to agree on a coordinated response and recovery strategies.
Regulators in Malta must work diligently to prepare for and curtail cyberattacks, but they need to look further away than just Malta and introduce regulations, laws and cooperative frameworks in unison, like the Network and Information Security Directive.
Many of these steps are being undertaken but, as we have seen, much more still needs to be done. Such an attack undermines the reputation of our fiduciary systems and the confidence in our financial systems which will result in terrible consequences on the flow of money between consumers, businesses and financial institutions around the world.
Mark Zerafa, Democratic Party Local Council candidate
February 13 left an indelible mark on the history of banking in Malta. Cyber criminals launched a coordinated and well-executed attack on one of Malta’s major banks and siphoned off €13 million into overseas accounts. Bank of Valletta swiftly responded by entering safe-mode and effecting a blackout of its online operations. Its website, ATMs and ePOS payments were unavailable for many hours.
This dark episode serves as a grim reminder of the dangers inherently lurking in the online world. Bank robbers no longer need a firearm and to don a hood to carry out a modern bank robbery. The modern criminal is an expert in information technology, masterfully penetrating through the various layers of protection that the banks most certainly have.
Banks need to keep abreast of evolving tactics and technologies employed by criminals so that they may be better prepared for future attacks. This is a veritable arms race between the hackers and the financial institutions; this heist underscores the importance of research into the identity of the enemies and their modes of action, allowing banks to respond more efficiently and effectively, thereby minimising and mitigating the damage inflicted.
Despite all efforts, hackers may always exploit limitations and undetected vulnerabilities of banking systems and the possibility of an attack may never be completely eliminated. Contingency plans need to be designed and implemented at short notice.
I witnessed hapless customers, unable to conclude their purchases at retail stores, sheepishly holding BOV debit cards that simply refused to comply. Cooperation and agreements between rival banks to facilitate and allow the processing of payments on their respective ePOS machines in the event of a cyberattack may alleviate or altogether eliminate the chaos that would naturally ensue.
The heist was promptly followed by a statement from the Prime Minister that the fraudulent transactions had been traced and were being reversed. Unfortunately, this is an oversimplification as recovering the funds is no mean feat. In fact, the bank ever recovering the entire €13 million seems an unlikely scenario, as technical and administrative limitations may prevent this from being achieved. A post-mortem analysis of this attack may however serve as a valuable learning experience and further strengthen the bank’s robust security system.
Despite falling victim to an attack of such unprecedented magnitude, the bank – one of the major pillars of the country’s economy – has weathered the assault remarkably well. Its services were restored to normal functionality within an impressively short time and, to the relief of all, personal accounts were untouched.
The attack may have highlighted the vulnerability of a bank to massive (albeit unlikely) cybercrime. In contrast, it has also provided reassurance of the bank’s extraordinary resilience.
This is a Times of Malta print opinion piece