Caught in the crossfire: How the Russia-Ukraine crisis is exposing firms to cyber risk and what they can do about it

As the conflict between Russia and Ukraine continues and no sign of resolution in near sight, the broader secondary implications are being felt far beyond the region’s borders. Amongst them are serious cyber implications that could have devastating and far-reaching consequences – not just for countries directly involved in or close to the conflict, but the global financial system.

by Guy Warren, CEO, ITRS Group

In particular, institutions critical to the infrastructure and running of their country are probably the most vulnerable. And when it comes to these criteria, financial institutions are at the top of the list. As such, it is critical for banks and other financial institutions to assess, thoroughly and quickly, their vulnerability to such attacks.

A global problem

Though some in the west might believe that the Russia-Ukraine crisis isn’t their problem, recent history indicates otherwise. NotPetya – a Russian-organised cyberattack targeting Ukrainian power, transportation, and financial systems – was less than five years ago. And while its intention was to destabilise Ukraine, NotPetya spread rapidly.

The consequences of the attack included massive operational disruption to countries across the globe – including the US, UK, France, Germany and India, with ripple effects hitting almost every corner of the global economy. The consequences were disastrous – with the White House estimating that the total worldwide cost of the attack exceeded $10 billion.

Now, both the threat and potential impact of a cyberattack are even higher. The US Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning of the risk of Russian cyberattacks spilling over onto US networks, which follows previous CISA warnings on the risks posed by Russian cyberattacks on US critical infrastructure. And the European Central Bank (ECB) has warned European financial institutions of the risk of retaliatory Russian cyber-attacks in the event of sanctions and related market disruptions.

Clearly, countries across the globe are anticipating the possibility of their critical financial infrastructures getting caught in the cyber-crossfire of the conflict. But what can they do to protect themselves?

Ultimately, this requires a two-phased approach: understanding the risk, and then putting measures in place to mitigate and minimise the impact, should they experience a cyberattack.

Understanding the risk

Firms have no hope of protecting themselves against cyberattacks unless they have a comprehensive understanding of the range of attacks that they can be subjected to.

And there are many forms of cyberattacks that banks are vulnerable to. There are attempts to crash a website (DDOS); hacking to penetrate the network; Trojan horse with software running inside the firewalls reaching out to the criminals; spam and attempts to fool someone to let them in; virus payloads that can encrypt the computers; and these are just a few.

When it comes to the impact, this can vary – from bringing down a critical service to stealing data, to ransom to de-encrypt, etc. However, because of the intertwined nature of the financial services industry, if one part is hacked, it can have ripple effects on other parts. For example, if payment processors were victims of a cyberattack, stock exchange transactions would be impacted.

Damage mitigation and control

While these techniques are known and understood, it is significantly harder to ensure that all means of access are not vulnerable – particularly as banks’ infrastructures are more complex than ever, and, for many traditional players, suffer from significant siloes.

Fortunately, there are techniques to prevent each form of cyberattack – but preparation is key. Firms must consider not only their ability but the ability of their third-party providers, to withstand cyberattacks.

Another effective tactic is raising staff awareness – including re-running staff ethical phishing campaigns and holding drills to ensure your firm is prepared. For example, in November 2021, the Securities Industry and Financial Markets Association, a trade association, led a global ransomware drill to practice fighting against such attacks, which over 240 public and private sector institutions, including financial firms and central banks. And banks often allocate significant budgets towards cybersecurity – Bank of America, for example, spends $1 billion annually on its cybersecurity efforts.

However, in a large, complex IT estate with many staff, as is the case for many banks, it is very difficult to prevent all techniques all the time. Teams looking at cybersecurity, geopolitical risk, and physical security should be working closely together, not in silos – and it’s far better to build communication and cooperation before disaster strikes, rather than in the face of a crisis.

Regulators around the world have increased focus on this of late – such as by introducing new Operational Resilience regulations (DORA in the EU for example). And the FCA recommends that firms report material operational incidents to them in a timely way in order to ensure that they can provide specialist expertise and work to minimise harm to consumers, markets and the wider UK financial sector.

Ultimately, totally escaping such consequences of the crisis is impossible. Cyberattacks remain a key risk, and a cyber or IT problem quickly becomes a business problem – so ensuring that you have measures in place to mitigate and protect against a worst-case scenario is crucial – not just for the firm itself, but when it comes to financial services, the stability of the entire country.