Citibank: Protecting Against Cyber Threats
In an age where digitalization has been introduced into everyday items and the most important elements of our national infrastructure such as financial institutions and electrical power grids, how are private sector firms like Citibank protecting against cyber security threats?
Digital technology has crept into nearly every aspect of society, offering unprecedented access to information and services while also creating massive cyber security challenges that leave many of the most personal and most important aspects of our lives vulnerable to cyber attack. In an age where digitalization and interconnectivity has been introduced into everything from everyday items such as watches to thermostats through the “Internet of Things” to the most important elements of our national infrastructure, including financial institutions and electrical power grids, it is imperative for the private and public sectors to take action and protect the underlying structure of our society.
Over the last decade, we have seen several examples of the vulnerabilities in an increasingly digitalized world such as the 2007 coordinated cyber attacks on Estonia1, the 2014 hack of Sony Pictures2, and the 2015 attack that disabled a regional power grid in Ukraine.3 Cyber crime alone is estimated to cost businesses $400 billion per year and British insurance company Lloyd’s estimates that amount to quadruple to $2 trillion by 2019,4 and businesses are taking notice. For example, IBM’s CEO, Ginni Rometty stated last year that “cyber crime is the greatest threat to every company in the world.”5 In this environment, Citibank is taking action to mitigate cyber threats.
New Business Model, Vulnerabilities Exposed
Like others, Citibank has increasingly migrated services onto digital platforms for efficiency, speed, and customer convenience. This represents a massive shift in the business model which originally relied heavily on personnel and infrastructure. Now, instead of depending on methods like writing physical checks or visiting a teller, customers have 24/7 access to account information from virtually anywhere and access to services electronically.
However, that transition has not been without challenges. For example, in 2011, Citibank was hacked and “the financial data of more than 360,000” credit card holders was exposed.6 A month later, Citibank revealed that “about $2.7 million was stolen” from a portion of those accounts.7 The chart below shows the financial services industry has the second highest average annualized cost of cyber attacks demonstrating the scale and cost consequences of the threat.8 Cyber attacks will continue to target the industry and Citibank needs to adapt its operating model to this challenge.
Innovation and Adaptation
Citibank has adapted its operating model to address the vulnerabilities of that digital transition to add protection and thus, value for customers that can trust the integrity of their bank. These measures include:
- Common-sense and oversight: implementing common-sense measures to protect against “insider threats” by controlling information access, requiring “multiple levels of approval,” monitoring transactions, and training staff to recognize and respond to threats.9
- IT Discipline: maintaining “discipline and vigilance by IT and end-users” such as ensuring up-to-date software.
- Three Pillars of Defense:
- Channel Protection: enabling Citibank’s systems to “[block] an attacker’s entry to a platform” through tactics like “strong log-in credentials” and encrypted data transfer.
- Vigilance About Payment Outliers: using resources likes Citi’s Payment Risk Manager to detect payment outliers that may identify a compromise of Citibank’s systems.
- Data Privacy: protecting the most valuable and confidential data on Citi’s networks through a “data privacy policy and data governance function” that ensures appropriate levels of information access and security.
Separately, Citibank has emphasized innovation in cyber security because “cyber-crime is constantly evolving as current attacks become known and dealt with.” In this spirit, Citibank has partnered with Microsoft to implement “next generation identity technology” for its employees and users.
Inter-Bank Cooperation
Beyond its individual efforts, Citibank has joined forces with seven other banks, including J.P. Morgan, Goldman Sachs, and Bank of America, to form a group within the non-profit Financial Services Information Sharing and Analysis Center (FS-ISAC) to “share cyber crime data” and collectively gain the benefits of shared information.10 Citibank explains, “Sharing knowledge of anomalies or updates, or even of attackers’ activities, makes every part stronger. [. . .] Real-time highly-detailed, analysis enables banks and companies to detect patterns and stay (at least) one step ahead of attackers.”9 Strengthening and investing in this group’s development will benefit all partners through sharing of data, experience, and best practices.
Moving Forward
- Cyber security is a complex, large-scale issue that cannot be solved by one company or the government acting alone. Because of the interconnectedness of the private and public sector and shared vulnerabilities, it is vital that Citibank and other financial firms demand, but also commit to closer cooperation with each other as well as with government to find solutions.
- The group of eight banks should share information and lessons learned with smaller banks when appropriate. While they banded together because of their relative size and system complexity, the industry as a whole can benefit from their work.
- Finally, Citibank should focus on developing talent to provide critical innovation and expertise in the coming years.
(799 words)
Sources:
[1] Washington Post. 2016. Cyber Assaults on Estonia Typify a New Battle Tactic. [ONLINE] Available at: http://www.washingtonpost.com/wp-dyn/content/article/2007/05/18/AR2007051802122.html. [Accessed 18 November 2016].
[2] Washington Post. 2016. U.S. attributes cyberattack on Sony to North Korea – The Washington Post. [ONLINE] Available at: https://www.washingtonpost.com/world/national-security/us-attributes-sony-attack-to-north-korea/2014/12/19/fc3aec60-8790-11e4-a702-fa31ff4ae98e_story.html. [Accessed 18 November 2016].
[3] WIRED: WIRED. 2016. Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid | WIRED. [ONLINE] Available at: https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/. [Accessed 18 November 2016].
[4] Forbes. 2016. Forbes. Cyber-crime Cost Projected to Reach $2 Trillion by 2019. [ONLINE] Available at: http://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#6ff24583bb0c. [Accessed 18 November 2016].
[5] Forbes. 2016. Forbes. IBM’s CEO on Hackers: Cyber-crime is the Greatest Threat to Every Company in the World.[ONLINE] Available at: http://www.forbes.com/sites/stevemorgan/2015/11/24/ibms-ceo-on-hackers-cyber-crime-is-the-greatest-threat-to-every-company-in-the-world/#47d09fd93548. [Accessed 18 November 2016].
[6] WIRED: WIRED. 2016. Citi Credit Card Hack Bigger Than Originally Disclosed | WIRED. [ONLINE] Available at: https://www.wired.com/2011/06/citibank-hacked/. [Accessed 18 November 2016].
[7] CNNMoney. 2016. Citi: Last month’s credit card hack attack stole millions – Jun. 27, 2011. [ONLINE] Available at: http://money.cnn.com/2011/06/27/technology/citi_credit_card/. [Accessed 18 November 2016].
[8] Giles Turner. 2016. Cybersecurity Index Beats S&P 500 by 120%. Here’s Why, in Charts – MoneyBeat – WSJ . [ONLINE] Available at: http://blogs.wsj.com/moneybeat/2015/09/09/cybersecurity-index-beats-sp-500-by-120-heres-why-in-charts/. [Accessed 18 November 2016].
[9] Citibank Treasury and Trade Solutions Article, “Fighting cyber-crime together,” December 2014. Available at: https://www.citibank.com/tts/about_us/articles/docs/…/article_fighting_cybercrime.pdf. [Accessed 17 November 2016].
[10] Fortune. 2016. Wall Street’s Biggest Banks Are Banding Together Against Cybercrime. [ONLINE] Available at: http://fortune.com/2016/08/10/wall-streets-biggest-cyber/. [Accessed 18 November 2016].
Great post! It is interesting that the banks are working together to fight cyber crime. I wonder if there is any risk to competitors sharing this information, and if not, are there other industries that would also benefit from it? Could they possibly work with the Energy & Utilities or Technology sectors to increase man-power and share even more lessons learned?
Thanks for writing on this topic! I find it really interesting. Last year I participated in a conference that had two security startups, and I found it interesting that the vast majority of hacks occur through social hacking – having people on the inside of the company reveal information that they shouldn’t. It’s no longer necessary to penetrate a company by forcing your way through a firewall. In fact, as the digital age has shifted banking to different platforms, it’s almost certain that those platforms will have new vulnerabilities that can be breached. By focusing now on putting up walls around those systems, it’s almost too late. Two of the most interesting companies I talked to at the conference were Pindrop (https://www.pindrop.com/) – a company that attempts to stop social hacking by providing a phone-based security system, and Tanium – a company that provides almost instantaneous notifications about the status of every endpoint on a network (https://www.tanium.com/).
Before Tanium came along, if you asked Citibank how many computers they had on their network, they probably would have given you a range of 100,000-500,000 or something similar (not to pick on Citibank in particular). So you can imagine it’s pretty difficult to manage your internal security system when you don’t even know what the available endpoints are for hackers. Tanium can tell them exactly all the nodes on their network, and the security update status of all these machines.
Maybe rather than trying to develop security systems internally, these behemoth banks should quickly form partnerships with the new cyber security startups coming out of Silicon Valley in order to stay one step ahead of the game.
Great post, thank you! I think you bring up a very important suggestion regarding closer cooperation in the future. Cyber security scares me! Largely because I don’t fully understand the vulnerabilities and safeguards that are in place, or how to assess efficacy from one company to another. I think many of us take for granted that our information is protected, but as more cyber attacks have made international news, this is becoming harder to do. I understand the benefit of sharing information and analysis of attacks between banks, but like you, this feels like only a first step in a much bigger challenge! Banks, and other industries for that matter, would benefit significantly from also sharing best practices and maybe even new technology innovations. I understand there is also a competitive advantage if one company is “more secure” than another – but considering the wide-spread impacts of cyber security threats, across every sector and industry – it seems to me that the government and every company has a moral and social responsibility to be as cooperative as possible. Would we have a free-rider problem in this case? Possibly, but the alternatives seem even worse given that this is a global threat.
Great post!
Like AHM I’m very interested in the questions this raises around cooperation with both other banks and with the government. On the government piece in particular, I know that DHS (https://www.dhs.gov/ciscp) has tried to take the lead as companies’ go to when an actual or attempted cyber attack takes place, but I would be interested to know more about how the banks (and other companies view them as a partner. A particularly difficult aspect of going to DHS or another part of the government would be the likelihood that a breach would then become public knowledge — I imagine that for many companies the incentive is quite strong to bury minor breaches rather than admit that they have occurred (which then creates the opportunity for those minor breaches to occur across many institutions). It is exciting to see that the banks have taken the step of forming their own knowledge sharing cooperative — hopefully their efforts and DHS efforts are integrated rather than duplicated/ at odds!
Art Vandilay made a great point at the end of his comment: banks should partnerships with silicon valley cyber security startups. I agree, and can report that my previous employer, J.P. Morgan, has done this to some extent. Rather than a formal partnership, a security manager at JPM would approach a fledgling company with a good product, and offer to be the first buyer of the product. This may seem like a big risk for JPM; after all, what if the product doesn’t work? This risk however is mitigated by a couple rewards: the startup often offers a very low price on the product, and the startup is often willing to work with JPM to build out the product further to match JPM’s desires. Once the product is built out, the startup can sell to other customers based on its relationship with JPM, resulting in a win-win for everyone.
Art’s point may be that these kind of partnerships should be the norm for big banks rather than the exception. This point very well may still stand. However, knowing that the partnerships have been shown to be viable by at least JPM, the others should consider adopting similar practices.
Thank you for the fascinating article. I have always been interested in the cyber security threat and in particular the ability of firms to protect themselves. There are two additional challenges I find particularly unique in terms of the threat that companies face:
• Cyber attacks are not always profit motivated: High capability groups such as Anonymous often engage in hacking for issues of principles, rather than profit. As such, firms must not just ensure that they have high security measures, but they must also ensure that they are consistent and authentic in their messaging, as there is a high risk that they could be exposed otherwise
• The market for talent is skewed against firms: The best talent requires a high price tag in this industry, and in addition some of the best talent may have been engaged in illegal cyber activity in the past. This presents a substantial challenge. How many employees should Citi hire when the investment is purely preventative? Should Citi consider employees who have previously conducted illegal activity, especially if some are they are some of the most talented or does this raise ethical objections for their hiring practises?
As such, firms must be extremely aware of the need to invest in and support other firms cyber-security prevention measures. In particular, given the costs involved, the role for large firms to support smaller firms and for cyber-security service firms to grow is substantial given how difficult it will be for smaller firms to justify the cost of hiring in-house talent.