Cyber(in)securities

Fresh thinking needed to protect the banking system

Illustration by: Ivan Debs

At the center of the cybersecurity issue in Lebanon resides, as with many issues in this country, an unfortunate and seemingly unmovable constellation. In one corner towers the banking sector as the primary force and primary concern for all things economic and also all things digital. The banking industry, as all the expert voices in conversations with Executive about the cybersecurity issue acknowledged, is the biggest target for cyberattacks and the most advanced in awareness, preparedness and spending on cybersecurity in Lebanon.

Crouching in the opposite corner is the public sector. It is limited by a severe lack of information technology (IT) spending budgets in general, and for cyberdefense in particular. Many ministries are not equipped with a single cybersecurity specialist in their IT departments. In the perception of experts on Lebanon’s cybersecurity, the public sector is in a worse state than the private sector and moreover gives the appearance of being engulfed in complete ignorance of advanced methods to maintain safety and simultaneously be on the cutting edge of internet usage.

Banks have undergone an evolution from a few years ago when they used to rely on having just one individual staff member with security responsibility who reported to the IT department. This was done to comply with a requirement by Banque du Liban (BDL), Lebanon’s central bank, that mandated banks to have this security representative. Overall, in the experience of Iskandar Aoun, head of the security department at Banque Libano-Française (BLF), “it was a marginal function”.

According to him, this has changed in recent years as cybersecurity advanced from a marginal matter to the biggest threat for all banks and a major concern to their boards of directors. “This evolution occurred on different levels: the organizational level, the regulatory level, the media level and, of course, the technological level,” he says. On the important organizational level it is common, at least in the sector’s alpha group banks, that the security entity nowadays “is a complete entity with a minimum of five or six staff and reports directly to upper management,” Aoun explains.

The Gauss malware

Deputy General Manager Sleiman Maaraoui, head of Systems, Division Projects and Infrastructure at Société Générale de Banque au Liban (SGBL), tells Executive, via an emailed response, that maintaining first-class cybersecurity capabilities requires a “relatively significant percentage of IT spending” and quantifies the share of cybersecurity measures at around 10 percent of the IT budget. “At SGBL, we have a dedicated team [within Information Technology Security Evaluation Criteria (ITSEC)] to monitor cyberactivity and track any suspicious behavior using cutting edge tools. Alongside, IT teams have dedicated resources to support and maintain this infrastructure,” he says.

Maaraoui confirms that cybersecurity investments have gone up due to the necessity of implementing the latest tech tools and are expected to increase further. “This cost will increase over the coming years to meet targets set by top management and add new functionalities that will provide a seamless integration and an easier adoption by our customers,” he says, citing as an example biometric tools such as fingerprints, voice identification and face recognition.

It seems that the crunch moment in banks’ elevation of cybersecurity to the top in their list of priorities came after the 2012 discovery of the so-called Gauss malware, which had penetrated over 1,600 computers in Lebanon at several of the country’s top banks according to global security company Kaspersky Lab’s count. According to a Kaspersky Lab statement from August 2012, Gauss malware was a “nation-state sponsored cyberespionage toolkit designed to steal sensitive data,” specifically targeting online banking credentials and browser passwords. The malware was said to have been active for more than nine months before it was discovered on some 2,500 machines. According to Aoun at BLF, which was one of six major Lebanese banks which the statement mentioned by name, several banks that were infected by the malware even refused to declare this fact.

Humble hacking past gives way to risk-laden present

As Aoun tells Executive, the risk associated with cybersecurity breaches some 10 years ago was “relatively low” and this low risk was reflected in “humble topologies,” meaning simple physical or logical layouts of the computer networks at every bank. Hacking attacks were slow, often involving days of hackers poking around to find system vulnerabilities, and damage was of the kind that even successful breaches were hardly mentioned, i.e. any damage was below the cost of reputation loss if the breach was disclosed.

“Until now, we did not have a major breach in the area, especially in banks. We have the small [incidents] of fraud where an email sent by a customer asked to transfer money somewhere, and then the bank discovered that it was fake and the request was for a transfer to an unknown account. We did not have major breaches, touch wood,” he says.

In the 2017 environment, however, hacking tools are far more advanced. “All the hacker has to do is send a nice-looking email that contains an attachment or malicious URL link, and all that the end user needs to [do] is double click on the attachment or the URL with the result that malware is installed on the system, and the hacking job is done. The whole environment is infected,” he says, adding that the great increase in risk is reflected in banks having deployed advanced topologies to deal with this risk. 

The adjustment to greater cyber risks on the technological level was mirrored in regulatory developments. According to Aoun, every bank has been obliged by the central bank to declare any incident that occurs on its premises, and the central bank evaluates all this information and incorporates it in updates of circulars related to security. He says, “Whether it is physical, a downtime of the system, a cyberattack, data theft, fraud, operational risk or anything [else], you are obliged to declare it to the central bank. We have to declare, and we also have to have a policy to inform our customers about an attack. I can also say that it is better for the bank to inform its customers rather than them finding it out over the internet or through media reports.”

According to SGBL’s Maaraoui, the rising importance of cyber risk has led to its embedding in the bank’s thinking, in addition to all other requirements that occupied the attention of banks, such as anti-money laundering regulations and recent rules on financial standards. “Cybercrime is no less important than compliance pressures or local and international regulatory tightening. This importance has been growing year after year thanks to digitalization,” he says.

In Maaraoui’s words, cybersecurity may not be on the agenda of every board meeting at the bank, but he confirms, “board members are fully aware of threats and challenges faced with cybersecurity.” Moreover, he implies that amidst a whole array of measures to enhance customer protection in contemporary banking, the issue of protection against theft of their banking data and other forms of cybercrime is possibly the most sensitive one. “If sensitive information is stolen or otherwise misused, the public will not see that the financial institution is a victim of a malicious actor, only that it did not properly protect that which was entrusted to it. Regulations enforce severe penalties for non-compliance, while the organization’s public image can be irreparably damaged,” he says.

Banking roads to better security

By the perception of perhaps the most potent company that Lebanese can turn to as a global powerhouse and authority in IT and cyberdefense, Microsoft, Lebanese banks have taken the national lead in cybersecurity measures, but often did so in ways that do not allow them to be on the forefront of digital innovation, warns Microsoft Country Manager for Lebanon Hoda Younan. 

“Organizations in Lebanon, even in industries that we believe are advanced, like financial services, are very conservative and do not build on innovation because of fear [of being connected]. They sometimes cut off their people from the internet to protect themselves. We saw this as a reaction to the attack three or four years ago that reached all banks. If you disconnect, this will definitely protect [you in one way], but it prevents you from innovating. Speaking from the perspective of a Lebanese person who feels responsible, I see that we have a lot to do. We need to build on the experience that the multinationals are giving us when they come into the country, so that we can be more aware and more protective,” Younan says.

According to Microsoft experts, local organizations face challenges that relate to a mindset of placing trust in static concepts of perimeter defense. In choosing a physical gap approach for their cybersecurity, they tend to bet their fortunes, and their lives, on erecting huge walls – in a way that resembles the approach of medieval castellans who built ramparts that were seemingly impenetrable. That approach worked only until trebuchets were invented (as the Microsoft-published game Age of Empires 2 already taught its addicts some 18 years ago).

For Nasser Kettani, Microsoft’s chief technology officer in the Middle East and Africa, to have online banking today is not enough for a bank to be innovative. For them to be able to innovate, he advises banks to develop a mindset for cybersecurity that is adapted to the current time, meaning to focus not on perimeter defense of their networks, but on technology and intelligence that can be obtained from the cloud. Moreover, perimeter defenses can be ineffective against internal hacks, he adds, citing the example of the National Security Agency (NSA) in the United States.

“The ability of banks to innovate in terms of Artificial Intelligence, Internet of Things, blockchain and a lot of things that you can do [is limited] because they have not changed their security posture. What we are finding is that you can expose yourself to the internet and be safe, but you have to change your way of doing things,” Kettani tells Executive. This requires a new security posture, he says, citing gains in security that companies and entire countries can achieve through collaboration.

In the case of Microsoft, the company – which at all times in digital history was a target of hackers – is now more than ever subject to cyberattacks since it moved a few years ago to become a major provider of services on the cloud. It responded to the threat with huge investments in cybersecurity – in 2016 it spent over $1 billion purely on cybersecurity according to Kettani – and also leveraged the data insights it obtained from operating about 200 cloud-based services with 100 billion user logins per month.

“Data collection gives you more insights than you can get otherwise. This volume of data that we see from around the world helps us to get intelligence that nobody else can,” he says. Microsoft uses these insights for building new security tools to protect itself and its customers through different units inside the Microsoft organization and also partners with other IT companies and law enforcement operatives in many countries – for example through national Computer Emergency Response Teams, or CERTs – to extend the umbrella for protection against cybercrime.

Under the common perception of most crime choosing the road of least resistance, the best defense will be one that elevates the criminals’ risk of detection and punishment when caught. Implementing such a strategy in Lebanon, however, transcends the capabilities of banks and other private sector entities. It necessitates legal measures and organized cybersecurity collaboration of private sector players with the state and with one another.

Calls for more government actions

This important need for interaction is reflected in the views of the cybersecurity specialists at BLF and SGBL. Of the important measures that the government should undertake in Aoun’s perspective, one prudent initiative would be to give companies tax incentives on investments into cybersecurity systems to make it as affordable as possible and help smaller players beef up their defenses. According to Aoun, “the government should not impose any tax [on cybersecurity systems]. This will reduce the equipment cost and encourage the banks to invest in security products.” In parallel to incentivizing cybersecurity investments, he advocates, secondly, that the government should enforce cyber insurance as mandatory for banks, and thirdly that it should develop national cybersecurity infrastructure. Specifically, Aoun advocates for the creation of a CERT for Lebanon.

“A CERT will issue guidelines, monitor risks and inform banks of attacks. This has become an urgent matter for Lebanon,” Aoun reasons, adding that having a national team will also provide faster information on attacks that happen elsewhere because CERTs communicate with one another across countries. “If there is a threat in one country, they will communicate the information to all countries and every local CERT will communicate with the companies in its jurisdiction to take precautions – this needs government action to legislate. A CERT team will also minimize the phenomenon by which everybody refuses to say what is going on,” he says.    

Regarding collaboration among cybersecurity officers of Lebanese banks, Aoun maintains that this issue was raised by BLF in the drafting of a letter to the Association of Banks in Lebanon and was also mentioned in discussions with the Banking Control Commission. The call is for regular meetings or a convention of CIOs (chief information officer) so that these professionals may share their experiences and exchange information with one another, meaning that all stakeholders are provided with immediate information on new risks and incidents.

Also in Maaraoui’s view, there is urgent need for government action on comprehensive legislation. He says, “The Lebanese government is urged to pass a new law that facilitates online transactions, yet ensures its security and authenticity by enabling [the] digital signature and extending it to full digital identity.”

He also recommends that laws to fight cybercriminals should be put in place and that legislative actions in those two regards should be coupled with other laws and central bank circulars to guide banks forward toward “true secure omni-channel experience.” “The guidance of banks toward ever-increasing cybersecurity should furthermore be accompanied by actions of the Banking Control Commission of Lebanon (BCCL),” Maaraoui opines.

“BCCL should mandate an external, internal and overall ‘security assessment’ to be performed by third-party companies with expertise and certification in cybersecurity, [similar to that of a financial auditor], the results of which are then sent to the bank, but also directly to BCCL,” he argues, citing a similar practice in Luxembourg as an example before adding that not only banks, but the entire enterprise-level environment in Lebanon needs directing toward measures that will prevent or at least minimize “potential financial, but more importantly reputational damage.”

Scenarios faced by insurers

While banks face the dual need to strengthen their security while constantly enhancing and evolving their online accessibility and digital services in order to respond to changing customer expectations, and also to remain competitive in the face of disruptive fintech startup companies, insurers need to approach digitization and cybersecurity under a somewhat different paradigm. On one hand, they are, just as banks are, financial companies, and thus, attractive targets for cybercrime syndicates and individual hackers. They therefore must adapt to the digital world in their distribution strategies. On the other hand, they have the mandate to harness cybercrime as an opportunity for providing new insurance services. Moreover, their function extends to demanding that insured parties comply with preconditions for insurability, whether in the form of fire doors in a building or firewalls in a data center.

In the multi-faceted context of being stakeholders in their own cybersecurity and insuring risks of others, Lebanese insurers could find a new boom in cyber insurance premiums, says Max Zaccar, chairman of Commercial Insurance and president of the Lebanese Insurance Association. “In future, cybersecurity could be a huge portion of overall business for insurance, with estimates going as high as 50 percent of premiums to be generated by cybersecurity,” he declares.

Zaccar concedes that there is as yet limited understanding of insurance for cyber risks in the Middle East. He points, however, to a factor that should make cyber insurance a welcome addition to the product offerings of local insurers. “Most of the cyber insurance risk, if underwritten by local companies, will be reinsured abroad, so companies will not face too much risk of having to pay out of their own pocket,” he explains.

Lebanese insurance companies have some demand from banks for cyber insurance policies, says Fateh Bekdache, general manager of BLOM-Bank affiliated Arope Insurance. “Cybercrime is a delicate subject that is becoming very important. A lot of insurers were reluctant to consider cyber coverage because it is very complicated,” Bekdache tells Executive.

He adds that it is a complex and challenging task to draft standard cyber insurance policies, which will stipulate the coverage terms of such contracts. This is a development in the domain of international reinsurance giants that local insurers observe from the sidelines. “There is a race among reinsurers as to who will draft a contract that is more advanced than that of the other. We are sitting and watching,” Bekdache says.

Another challenging issue is the fact that many companies are reluctant to declare if they have experienced a breach or quantify losses from intrusions, which makes claims management even more delicate. As Zaccar and Bekdache concur, the reported growth of breaches in Lebanon is high, but it is only the tip of the iceberg and statistics suggest that local organizations, just as companies everywhere, in their vast majority do not report their breaches.   

Numerous recent reports by international consultants, banks and insurance players have highlighted cybersecurity as a growing area of business and insurance. Bank of America Merrill Lynch was quoted as estimating the cybersecurity business to represent on average 6 percent of IT expenditures, which was worth $75-77 billion in 2015 and projected to reach $170 billion by 2020. A 2015 report by PricewaterhouseCoopers sees cyber insurance as a “potentially huge but untapped opportunity for insurers and reinsurers,” estimating worldwide annual gross written premiums as set to grow from $2.5 billion in 2014 to $7.5 billion at the end of the decade.

Lloyd’s of London said in a 2016 report that over 90 percent of large European businesses surveyed had experienced a data breach, and 51 percent were worried about being hacked by cybercriminals for financial gain. However, only about 50 percent were aware that cyber insurance coverage for a data breach is available and many were equally unaware that cyber insurance not only provides a pay-out after a cyberattack, but also helps with expert consultancy during a crisis.

Moreover, most of the market, up to 90 percent, is currently in selling cyber insurance to companies in the United States. Given that cyber risk is a globally universal growth phenomenon, the estimates for future cyber insurance needs seemingly cannot be overstated.   

To take the discussion of cyber insurance in Arab countries forward, the Lebanese Insurance Association and the General Arab Insurance Federation are collaborating to convene a digitization conference this May in Beirut. According to Zaccar, the first day of the two-day event will be dedicated to new digital distribution channels and the related issue of digitizing insurance services, while the second day will be dedicated to cyber insurance and the Lebanese law enforcement perspective on cybercrime.

Thomas Schellen

Thomas Schellen is Executive's editor-at-large. He has been reporting on Middle Eastern business and economy for over 20 years.
