A conversation with Thomas Schumacher, Accenture

Hackers report banks to the supervisory authority

Banks are facing more and more professional cyberattacks, says IT expert Thomas Schumacher. The brazenness of the perpetrators is also increasing. In the USA, a hacker group recently reported a bank it had attacked to the SEC for allegedly not reporting the incident.

Cybercriminals are striking more and more frequently, using more inventive methods and sometimes even posing as whistleblowers: these are the observations made by Thomas Schumacher, Head of IT Security at the consulting firm Accenture in Germany, Austria and Switzerland. "The cyber threat has tended to increase for banks," he says in an interview with Börsen-Zeitung. He observes a professionalisation and industrialisation of cybercrime. Cybercriminals are outsourcing processes and using a division of labour right down to the hotline service.

Although regulation has led to banks having to meet higher cyber security standards than companies in other sectors, and banks are basically well positioned, this is not enough. "It is only a deceptive sense of security because there is no such thing as 100 percent security."

Brazen cyber criminals

The perpetrators are becoming increasingly bold. Schumacher refers to an exceptional criminal case in the USA that took place in November. After a hacker gang called AlphV broke into the computer system of Californian financial services provider Meridian Link and stole data, they threatened to publish it if the company did not pay money.

While such blackmail is commonplace, the group's subsequent actions were unusual. Meridian Link refused to pay and was summarily denounced by the hackers to the regulator for allegedly failing to fulfil its cyber incident reporting obligations. The perpetrators filed their complaint about their victim with the whistleblower office of the Securities and Exchange Commission (SEC), according to the New York commercial law firm Debevoise & Plimpton. It remains to be seen how the SEC will deal with this and whether the method will catch on.

Abuse of regulation

According to Debevoise & Plimpton, cybercriminals are becoming increasingly aggressive, which is also due to the fact that fewer hacked companies in the US have been willing to pay ransom.

In order to increase the pressure, perpetrators have, therefore, repeatedly threatened to alert supervisory authorities in the past or have turned to the public via social media. "The threat actor is trying to use SEC regulation to their advantage by increasing the cost to their target if they refuse to pay a ransom," writes Debevoise & Plimpton about AlphV's approach.

The criminals capitalised on the fear of the expense associated with regulatory investigations into a cyber incident. Such proceedings can be extremely costly, time-consuming and damaging to a company's reputation and business, the lawyers point out.

Every second company pays

"Criminals are putting a lot of pressure on banks that have been attacked," says Schumacher. "I have your data, if you want to get it back, pay a ransom. If that doesn't help, I'll report you to the regulator because you didn't report the incident." Those who are blackmailed are faced with tough decisions, he says. In his experience, around half of the companies and banks under pressure end up paying a ransom in the hope of averting worse reputational damage.

Schumacher sees a race against the attackers and against time. In his opinion, ransomware attackers in particular, who capture or encrypt data and demand a ransom in return, have learnt a lot. In the past, they would have sent an unspecific email to as many recipients as possible and attacked as soon as someone fell for it.

Intruders waiting in the IT system

Nowadays, however, intruders wait undetected in the network for a while in order to switch off or disable protective mechanisms such as backup systems and to consider when and where to strike. "Ransomware attacks are easy to carry out and often successful," summarises the Accenture IT expert. "We will continue to see such attacks in the next two to five years, and they will become better, more targeted and more frequent."

According to Schumacher, it is common practice for perpetrators to post stolen customer data on the darknet, as in the Majorel case. The Luxembourg-based account switching service provider, to which the German Kontowechsel24 belongs, was the victim of a hacker attack last year in which 144,000 data records, including customer names and account numbers, were stolen and later surfaced on the darknet. According to the Handelsblatt, a good 60,000 data records related to Postbank, more than 17,000 to ING Germany and 13,000 to Deutsche Bank. Over 5,000 records of its subsidiary Norisbank were also affected.

Cybercriminals brag about their deeds

"Cyber criminals often brag about their deeds on the darknet," Schumacher observed. For example, they publish screenshots that show data being compromised. "They then demand a ransom from the attacked bank and threaten to publish the stolen data if they don't pay."

As banks have opened up to third-party providers in recent years, and these have had to gain access to customer accounts via application programming interfaces (APIs), defending their own IT systems has also become more complex, says Schumacher. "The days when banks were fortresses are over." Attacks on third-party providers such as Majorel as part of their own value chain pose additional security problems for financial institutions.

Banks need to take a more strategic approach to cyber resilience

"If banks involve suppliers, they must ensure that the supplier's route to the bank is just as secure as their own defence," the Accenture expert explains. The new regulation on IT security in the financial sector – the Digital Operational Resilience Act (DORA) – also requires banks to secure their own value chain. It is to apply to banks from 17 January 2025. Schumacher says that he particularly appreciates the fact that banks need to take a strategic approach to cyber resilience.

In addition, DORA prescribes permanent monitoring, which is essential to prevent damage to the bank after an attack that has succeeded from the hacker's perspective. "Monitoring is essential. Because if I can't prevent cyberattacks, I have to recognise as quickly as possible when someone has penetrated and take countermeasures," says Schumacher.


Meet the person

Thomas Schumacher is Head of Security at Accenture in Germany, Austria and Switzerland. He has been working for the consultancy firm since 2001 and supports companies and banks in IT security issues. A qualified banker, he studied economics at the University of Siegen.