A state-backed cyber attack could secretly corrupt the records of financial services providers over a period of months, according a senior Bank of England policymaker, which could pose a risk that many would probably struggle to guard against on their own.

Anil Kashyap warned against the falsification of transaction records during a select committee hearing responsible for reappointing him to the Financial Policy Committee, adding that banks have mainly focused on stopping service outages.

“If you think it is a state actor, I don’t know if you think any particular firm can defend itself,” he commented, noting that it would not be easy to identify which records were accurate and which had been corrupted.

“You have this difficult situation where you have to restore the system, where you could be restoring a corrupt system,” said Kashyap, a finance professor at the University of Chicago.

“I don’t really care if bank ‘x’ is offline for a week, even if it’s disastrous for their share price, if the services that they provide, that are critical, can be delivered in some other way,” Kashyap commented, referring to the risks inherent in institutions all using the same few cloud providers.

“What is tricky is it could be the case that the board’s incentives of what to worry about are misaligned with the general incentives.”

Kashyap also stated that the BoE would continue to monitor the market share of BigTech firms looking to break into the financial services market, as Facebook announced its plans for a cryptocurrency digital wallet.

Andy Heather, vice president at cyber security provider Centrify, responded by noting a key trend he has seen across Europe is malicious parties gaining access to critical systems using legitimate log-in credentials, which have either been stolen or sold illegally.

“This scenario can allow criminals to operate within an organisation’s infrastructure, seeking to gain access to privileged accounts, opening up a goldmine of data, right under the nose of the IT security team.

“Banks and financial services organisations need to wake up to this rapidly growing threat, adopting a zero trust approach to all users, at all times – this means never assuming employees are who they say they are, using layered security procedures and authentication through location, passwords and other factors to ensure the bad guys are restricted, before they can do serious damage,” he added.

Share Story: