Sometime last year, during a discussion with a colleague on the rise of Financial Technology (FinTech) companies, I conceded that further development and increasing usage of digital platforms for financial transactions can help boost financial “inclusion” and bring the “unbanked” to the fold.
But I also raised my concern that such attempts at financial inclusion can also result in a corresponding increase in technology-based financial crimes. Not all such crimes need to be a high-technology heists, anyway. It can be as simple as one “losing” small amounts from an e-wallet. After all, even the nefarious are not blind to opportunities in emerging digital trends.
At that time, nobody saw the eventual digital explosion resulting from COVID-19 closing country borders, locking down cities, and restricting the local economy since last March. With physical distancing becoming the norm, digital platforms became urgently necessary for processing orders and payments, among others. Practically overnight, the economy became lighter on cash.
Online shopping became more than a fad and broadly expanded to include grocery items, produce, hardware, and other “essential” goods. Internet and mobile device use began to transcend generations, with more seniors becoming “digital immigrants” as they utilized internet-based platforms to purchase medicine or even fresh fruits and vegetables.
Since the imposition of various levels of quarantine or lockdown as a way to curb the spread of COVID-19 since March, more companies have had to accelerate their “digital” strategies. Even an industry as basic as cement manufacturing went online. Holcim Philippines, for one, developed a portal to process orders and delivery. Most clients have reportedly migrated to the new system.
And from all indications, the digital trend is here to stay. COVID-19 will be temporary, for sure, but e-commerce is for the long haul. And with this, I believe FinTechs, online payments, and digital financial transactions will be the norm — sooner than later. Along this line, however, some analysts now fear that “cyber risk is the new threat to financial stability” worldwide.
In a blog by Jennifer Elliott and Nigel Jenkinson of the International Monetary Fund (IMF), they noted that “as we become increasingly reliant on digital financial services, the number of cyberattacks has tripled over the last decade, and financial services continue to be the most targeted industry. Cybersecurity has clearly become a threat to financial stability.”
Jennifer Elliott is Division Chief of Technical Assistance Strategy in the IMF’s Monetary and Capital Markets Department, while Nigel Jenkinson is Division Chief of Financial Regulation and Supervision in the IMF’s Monetary and Capital Markets Department. Recall the Bangladesh heist not too long ago when large amounts from the Bangladesh central bank, owned by the Bangladeshi government, were pilfered and transferred electronically to various territories? A big part of that robbery ended up here, as bank deposits, and later withdrawn and laundered in one of the country’s popular casinos.
“Given strong financial and technological interconnections, a successful attack on a major financial institution, or on a core system or service used by many, could quickly spread through the entire financial system causing widespread disruption and loss of confidence. Transactions could fail as liquidity is trapped, household and companies could lose access to deposits and payments. Under extreme scenarios, investors and depositors may demand their funds or try to cancel their accounts or other services and products they regularly use,” Ms. Elliott and Mr. Jenkinson wrote in their IMF Blog.
“Hacking tools are now cheaper, simpler and more powerful, allowing lower-skilled hackers to do more damage at a fraction of the previous cost. The expansion of mobile-based services (the only technological platform available for many people), increases the opportunities for hackers. Attackers target large and small institutions, rich and poor countries, and operate without borders. Fighting cybercrime and reducing risk must therefore be a shared undertaking across and inside countries,” they added.
The pair noted that “daily foundational risk management work — maintaining networks, updating software and enforcing strong ‘cyber hygiene’ — remains with financial institutions.” And while individual companies are doing what they can, and what they should, to ensure the integrity of their systems, “individual firm incentives to invest in protection are not enough.”
“Regulation and public policy intervention are needed to guard against underinvestment and protect the broader financial system from the consequences of an attack. In our view, many national financial systems are not yet ready to manage attacks, while international coordination is still weak,” they wrote in the IMFBlog.
Just this week, the New York Times reported that a top cybersecurity company based in Silicon Valley — which was usually called upon by major companies to investigate hacking incidents — was itself hacked. “FireEye revealed… that its own systems were pierced by what it called ‘a nation with top-tier offensive capabilities’,” and that hackers stole a “tool kit, which could be useful in mounting new attacks around the world.”
“It was a stunning theft, akin to bank robbers who, having cleaned out local vaults, then turned around and stole the FBI’s investigative tools. In fact, FireEye said on Tuesday, moments after the stock market closed, that it had called in the FBI,” the New York Times reported in an article by David E. Sanger and Nicole Perlroth.
They also noted that for years, “FireEye has been the first call for government agencies and companies around the world who have been hacked by the most sophisticated attackers, or fear they might be… Now it looks like the hackers — in this case, evidence points to Russia’s intelligence agencies — may be exacting their revenge.”
What was stolen from “a digital vault that FireEye closely guards” was what the $3.5-billion cybersecurity company referred to as “Red Team tools” — described as “essentially digital tools that replicate the most sophisticated hacking tools in the world.”
The New York Times noted that FireEye would use the tools — with the permission of a client company or government agency — to look for vulnerabilities in their systems.
“The hack raises the possibility that Russian intelligence agencies saw an advantage in mounting the attack while American attention — including FireEye’s — was focused on securing the presidential election system. At a moment that the nation’s public and private intelligence systems were seeking out breaches of voter registration systems or voting machines, it may have been a good time for those Russian agencies, which were involved in the 2016 election breaches, to turn their sights on other targets,” the New York Times reported.
The FireEye incident should be a concern not only for the company itself, or just the United States. The fact that sophisticated hacking tools are now out there poses a threat to any country or company with digital technology platforms for financial transactions. For thieves, it can be the way to untold riches. And for terrorists, such a hacking tool is perhaps better than acquiring a nuclear device.
I am not in a position to comment on the government’s — as well as the financial system’s — capacity to effectively guard against cyber threats. However, a country that encounters great difficulty even in implementing a cashless tollway system is perhaps highly vulnerable to cyber risks as well as digital financial crimes by hackers, with or without “Red Team tools.”
Marvin Tort is a former managing editor of BusinessWorld, and a former chairman of the Philippines Press Council