Last week, the chair of the Securities and Exchange Commission called cybersecurity the biggest risk facing the global financial industry.
"Cyber risks can produce far-reaching impacts," said SEC chair Mary Jo White.
For example, cybercriminals recently stole $81 million from a bank in Bangladesh by using Swift, the global money transfer network.
The SEC promises to step up regulation, and Swift itself is expected to launch a new cybersecurity initiative this week that includes independent security audits of its customers. Meanwhile, top finance officials from G-7 nations met in Japan to discuss plans to improve global cybersecurity coordination.
It's a historic moment for global financial cybersecurity, said Tom Kellermann, CEO at Washington, DC-based Strategic Cyber Ventures and former member of the World Bank's security team. A decade ago, he wrote a prescient report for the World Bank outlining potential cyber risks that was ignored by many financial companies.
"They pooh-poohed the reality, that this would never be a widespread problem," he said. "But the criminals have caught up to the worst-case scenario espoused in that report and have operationalized them."
But three aspects of the financial system will make improving security more difficult, experts say. One is that the security of the system as a whole depends on its weakest member, who may be located anywhere in the world. Second, some victims might not even be aware they were hacked. And, finally, the move to real-time processing reduces some of the checks and balances that used to be in place.
Who's the weakest link?
The global financial system is highly interconnected but the level of security varies significantly among the member organizations, said Vikram Bhat, leader of the strategy and governance practice for Deloitte Cyber Risk Services at Deloitte & Touche LLP.
"The bad actors work through the weakest link in that ecosystem," he said. "The institutions that don't have cyber programs up to the level that they should be need to be shored up."
And it's not just financial organizations that are potential targets. These organizations use outside vendors for everything from legal and marketing services to trade processing.
"They often outsource all kinds of activities by giving outside parties a real-time way to access internal systems," said Gary Roboff, senior adviser at Santa Fe Group. "If systems aren't properly segregated, once somebody is in the system, they can access all kinds of data."
Banks, particularly large global banks, typically have the strongest cybersecurity.
But according to a KPMG survey released today, 12 percent of CEOs of large banks didn't know whether they were hacked in the past two years, and neither did 47 percent of vice presidents and managing directors, and 72 percent of senior vice presidents and directors.