Episode 14: Alex Brunwin & Anthony Flemmer
AML Talk Show host Stephen Platt with guest speakers Alex Brunwin & Anthony Flemmer, chairman and CEO respectively of Defence Logic, a Jersey-based cybersecurity firm which provides cyber-awareness training, and cybersecurity consulting and solutions to clients around the world.
AML Talk Show Hosted by Stephen Platt
Transcript
Stephen Platt:
Good afternoon, and welcome to this KYC360 AML Talk Show with me, Stephen Platt. I hope that you’re all safe and well. Too many people seem to be acting as if the virus has somehow miraculously disappeared. It hasn’t, of course. We must all do what we can not to jeopardize the sacrifices that we have all made over the past three or four months.
Today, I’m very excited to be joined by two people, Alex Brunwin and Ant Flemmer, both principals of the cybersecurity specialists, Defence Logic. Together, we’ll be talking about cyber threats and the interrelationship between cyber risk management and anti-money laundering.
Just by way of introduction to the two guests, Alex started his career in the City of London building technology solutions for financial modelling, automated trading strategies, market data delivery, and pattern recognition, and also spent quite a bit of time in Tokyo doing similar things for banks there. He is now chairman of Defence Logic and an executive board member of the quantitative hedge fund, Altis Partners, which was one of the most successful algorithmic hedge funds in its day.
Anthony Flemmer is the CEO of Defence Logic with many years of experience in the finance and tech industries around the globe, but principally in the offshore islands and also in South Africa.
I’m delighted that they’re able to join us. Gentlemen, welcome, and thank you for taking the time to chat to us today.
Alex Brunwin:
Thank you very much. It’s a pleasure to be here today.
Anthony Flemmer:
Yeah, thank you.
Stephen Platt:
Alex, I want to start with you, if I may. It’s an interesting story. Or at least, it strikes me as being an interesting story, the transition from the world of hedge funds into cybersecurity. Could you just start by telling us how it is you came to be involved in cyber?
Alex Brunwin:
Yes, of course. I suppose hedge funds, by reputation and in reality, tend to be quite sophisticated technology-wise. We have large teams of developers and quantitative researchers. By nature, our intellectual property also was deemed very valuable and needs to be protected. Secondly, in an environment where you’re quite strongly regulated, you’re encouraged to put in place a strong strategy for defensive measures against cyber attacks and against any kind of data breaches. That was the starting point. Being in that environment, I began to understand what types of systems and defensive measures were really effective, what were good value, and what were not, and indeed could begin to identify gaps in that marketplace.
Stephen Platt:
It was your experience, really, on the buy side and your experience as a principal of a business that clearly had a very strong vested interest in ensuring that it had strong cyber defence mechanisms that caused you to see, as it were, a market opportunity.
Alex Brunwin:
Yes, I would say that’s the case, yes.
Stephen Platt:
I see. Now, I mean, pretty obvious, but nevertheless an unfair question, and there are a lot of businesses in the cyber space: when you were on the buy side, what did you think you could do differently or better than existing cyber businesses? In other words, what is it you weren’t being offered when you were on the buy side that you thought you could do well?
Alex Brunwin:
Well, it’s very much a case of one size didn’t fit all. Having an intimate understanding of the business itself and offshore financial services in general really was one of the missing links from people trying to sell products and services to us. They were too standard and too plain vanilla. Really, only we felt that we understood exactly what it was we needed. And so, it seemed like an opportunity to carry that industry knowledge onto the sales side and be able to offer much more of a bespoke service having understood well the requirements of our customers.
Stephen Platt:
I see. I see. Now, the reason I’m interested in this as a topic is that I see, and I may be wrong about this, but from my limited understanding, I see similarities between the cyber threat and the threat of money laundering, in the sense that I think that the cyber threat, like the money laundering threat, is constantly evolving. It requires not only systems, good systems, but it also requires strong human interaction with those systems and buy-in. I mean, in the money laundering space, you can have phenomenal AML policies, procedures, controls, and so on, but if you haven’t won the hearts and minds of your people, such that they report as and when they have a suspicion about a transaction, or a relationship, or a customer, then the control mechanisms are worthless. This marriage of systems and people I think is also important from a cyber perspective. Am I completely wrong about that or is there something in what I’m saying there?
Anthony Flemmer:
Yes, Stephen. I see a lot of overlap between the areas. There’s a lot of volume in cyber. There’s a lot of events that need to be tracked down and decided on whether they are of good actors or bad actors. I think the cyber regulation, the pressure to get strong on your cybersecurity, is a little bit behind AML, but it is starting to catch up. There are leading jurisdictions that are starting to push that there actually are suspicious activity reports on cyber events. That is a new development that’s happening in cyber, which has obviously been in the AML market for a long, long, time. So, there is that overlap.
It’s always around the people, educating the people to look out for what are areas of concern. We’re all very aware of phishing attacks and simulated phishing attacks. Most organisations, or just about any reputable organisation, are doing that, are continuously doing that, getting the people up to scratch, because that is going to be one of the root vulnerabilities. So, you’re getting your people, and then the processes of how to report it so you can actually start using that information and sharing that information, not just in your own company but across companies. Maybe today, you’re a legal company and you’re getting hit with a particular attack, and you share it across a platform; other legal companies can use that to protect themselves. And then, maybe when they get attacked, they share it with you. It’s that sort of similar-sized-target approach that AML also uses.
Stephen Platt:
That’s very interesting, and I hadn’t considered that. Because, as you point out, the other similarity is, between AML and cyber, is the regulatory imperative, which in both the cyber and AML space is growing all of the time. I mean, a decade ago, people didn’t really understand terribly much about cyber. Now, I can imagine that it is, if not at the top, very close to the top of the risk management items that organisations need to be considering and addressing.
Now, I said that AML risk is evolving and cyber risk is evolving. You seem to be suggesting that I’m right about that. Could you explain to us, or give us an idea, of how the cyber threat is evolving at the moment?
Alex Brunwin:
Well, drawing on the similarities, one of the key differences is that the cyber threat landscape is increasing incredibly rapidly, because there are so many different drivers. One of the drivers is technology. As we all know, that moves at a very fast pace, so you end up rather in an arms race between the attackers and the defenders. One of the other major drivers on the attack side is the effect that state-funded cyber criminal activity has on the playing field. Because, you can imagine the huge resources that could be thrown into this from large nation states. That tips the balance.
On the defensive side, we are short of cybersecurity professionals globally. It makes it very, very difficult to keep up with that fast-moving landscape. I believe we are being successful, to some extent, in keeping up. But, it’s always quite challenging.
Stephen Platt:
I see. I see. I mean, can you be a little bit more specific about how the threat itself is evolving? I mean, for example, has the threat changed at all because of COVID? Are you seeing new forms of methodology being employed by cyber attackers?
Anthony Flemmer:
A very real story that’s happening, that’s just breaking over the last week, has been what’s been happening in Australia as a result of the Australian government wanting to point a finger at China but not wanting to point a finger at China around the origins of COVID. The Chinese have responded as they normally do, very subtly, in that you can’t really point a finger at them, but they’ve been attacking Australian government organisations and Australian private companies. If you want something as direct as anything coming out of COVID, that’s exactly what is happening in Australia at the moment. It’s pretty serious. It’s a bit of a tricky situation for the Australians, because about 40% of their exports go to China directly, and another 10% go to Japan, that then end up in China. So, 50% of their export market is tied to the person who’s giving them a pretty hard time at the moment in cyberspace.
Stephen Platt:
I see. That’s interesting. That leads us on, actually, quite nicely to one of the questions that I had. I have to tell you, chaps, you’re not just educating our listeners, you’re also educating me about this. I find it really a fascinating topic. Who are the key threat actors? I mean, in the AML world, we spend a lot of time trying to define and identify the characteristics of principal threat actors. They can come in the form of individuals, of structures that exist for an illegitimate purpose, from certain types of financial instrument, and so on and so forth. In your world, who is posing the threat?
Alex Brunwin:
It’s multi-layered. The threat starts at the bottom with independent hackers who might be of a technical wizardry profile. Working up, you’ve got hacktivist groups whose intention is to disrupt or perhaps conduct smear campaigns. Then you have organised criminal gangs who are becoming increasingly sophisticated, generally motivated purely by financial gain, and right up to state-backed APT groups. These are state-funded actors, who, for example in the Chinese case, there may be well over 100,000 full-time government-employed, state-funded hackers. You need to look at the country itself that’s originating the attacks to understand what their motivations are. But, this space is evolving rapidly right across the board: government espionage, offensive weaponry, and military, or it could be defensive intelligence gathering, counter-terrorism surveillance. It could be industrial espionage. Theft is always right up there at the top. If you look at, perhaps, the motivations of the North Korean attacks, very often it is to generate hard currency for the government to then spend on military or other things that they need.
Stephen Platt:
Essentially, what you’re saying is that this threat is posed by teenagers in basements, if I can characterize them in that way, all the way through organised criminal groups, organised hackers, up to nation states. If I got your answer correct, that’s what you’re saying.
Alex Brunwin:
That’s absolutely right. Yes. With the added complexity that there would be international hacking groups operating as mercenaries available for hire by nation states; it couldn’t be easier to cross territorial borders, and that makes it much, much more difficult to attribute attacks and also to hold those responsible to account.
Stephen Platt:
That is interesting. Can we just focus in on a couple of those threat actors. How is it that countries are involved in posing this threat? I mean, of course, I get the North Korean thing. I get the threat, as it were, posed by China. They, I presume, pose a threat not only to foreign state agencies, but they also, I presume, pose a threat to foreign commercial enterprises as well. Would that be right?
Alex Brunwin:
That is correct. There is a very large amount of state-backed industrial espionage for the main purpose of gathering information, blueprints, intellectual property that could be exploited in many ways in the future.
Anthony Flemmer:
Yeah, I mean, even getting back to your theme of COVID, Stephen, the Chinese have been quite busy snooping around in the research labs for the vaccines, trying to get information on what other countries are doing, what other organisations are doing, about the COVID vaccine, so that they can also get first in market advantage. People have seen a lot of activity around that and have been talking about that.
Stephen Platt:
It’s incredible. I’ve long been a John le Carré fan, having eagerly consumed all of his works of fiction, and the famous character of George Smiley. That’s a different tradecraft. That’s human espionage, as it were, undercover agents. What you’re talking about is an entirely new form of state-backed espionage that takes place in the ether. That’s essentially what you’re saying.
Alex Brunwin:
That’s right. And so, it is much easier to carry out that activity without being caught red-handed, because you’re operating in cyberspace. You can be much more bold and you might also find many gray areas in international law, where you may just ignore law altogether, if you’re a powerful enough nation state.
Stephen Platt:
I mean, as opposed to the traditional, as it were, tradecraft, it’s a much lower risk activity, because you can’t get caught. Or, you can get caught, but you can’t physically capture somebody who’s behind, as it were, enemy lines or secreted into an agency, stealing information, and so on. These people are doing it behind laptops thousands and thousands of miles away.
Anthony Flemmer:
Yeah, and in some situations, in Russia, as long as you’re not attacking any Russian organisations, the government will leave you alone. You’re quite welcome to have a pop at anyone in the West, as long as you just don’t touch any Russian organisations.
Stephen Platt:
You can actually be engaged in this kind of cyber threat, or you can pose the cyber threat, with impunity. I mean, that’s absolutely astonishing.
Anthony Flemmer:
Yeah, if you’re living in those particular countries, you can. You can actually, then, obviously if you’re really good, the government will employ you.
Stephen Platt:
Now, to come back to something that Alex said. He tried to define the nature of this threat. It’s clearly important to understand what it is, the criminal that’s posing the threat, that is trying to get. What is it they’re trying to achieve? You seem to be saying that their objective is generally either information, obtaining sensitive information, and/or obtaining money, I presume.
Anthony Flemmer:
Yeah.
Alex Brunwin:
Yes, either or both.
Stephen Platt:
Either or both. In the process, your overriding objective, if you’re a state actor, may be to undermine democratic processes, obtain an economic advantage for your own jurisdiction, or whatever the case may be. There is actually a huge amount at stake here, isn’t there?
Alex Brunwin:
Yes, it’s an enormous diversity of types of threats and the motivations behind those threats. That’s why the resources put into it are huge and why it’s such a difficult business to stay on the defensive side.
Stephen Platt:
I’m loath to say it, and I’ll no doubt be criticised for this, but when you look at the anti-money laundering threat, most individuals or customers that pose that threat are not necessarily looking overtly to do the financial institution through which they’re laundering their ill-gotten gains any harm. They just want to abuse its products, its services, in order to launder the money or to facilitate a particular crime. Now, of course, in doing so, they can damage the organisation enormously, I get that. But, they’re not really necessarily looking to steal anything from the organisation. In the cyber world, they’re looking to steal from you. They’re really looking to do you some damage. In all honesty, I hadn’t really considered it in that way before.
Now, we talked about state agencies posing the threat. Do companies also engage in this? I mean, can companies be threat actors? Is that something that you see?
Alex Brunwin:
I think that, as Anthony pointed out, it depends on the jurisdiction in which you’re operating as to how far you would be comfortable breaking the law. It seems like, in certain countries, you can engage in industrial espionage to your heart’s content without any fear of recourse from your local authorities, and with a very, very difficult process for foreign entities to hold you to account.
Anthony Flemmer:
If you’re talking about western industrial companies wanting to spy on other western industrial companies, and if they didn’t want to get caught, they would engage these commercially available hacking gangs that would do it for them. They would pay them in bitcoins, engage them, and there would be no way of attributing that attack back to their company. That’s a very difficult one to prove. I wouldn’t say we’ve seen a lot of that, or evidence of that. I’d imagine that it could go on, definitely.
Stephen Platt:
Well, that really is fascinating. One of the questions I wanted to come on, and you’ve beaten me to it, was who does this stuff? What you’re saying is that there are literally guns for hire. How could we describe this? Sort of cyber mercenaries that are essentially open for business, who will actually engage in these attacks on behalf of others. Have I understood you correctly there?
Anthony Flemmer:
Yeah. That’s 100% correct, Stephen. That’s exactly how it works. Pay them with bitcoins, tell them what you want, and they’ll figure out a way in.
Alex Brunwin:
There’s a large amount of advertising for these services going on in the dark web and also advertisements for data that has already been stolen for sale. Keys or password lists are indeed cases where someone may have established a breach within an organisation but not abused it yet, so they can sell an open back door to another group for large sums of money.
Stephen Platt:
They also engage in, as it were, speculative attacks so that they can identify what you describe as a back door or a weakness. And then, they go out into the market and seek to sell that, as it were, intellectual property to people who are prepared to pay for it. Is that right?
Alex Brunwin:
That’s right. That creates a much more scalable approach to stumbling across opportunities. Many of, I guess, our smaller businesses believe that they might be immune to these sorts of attack, because they’re slightly under the radar. They’re not really in the public eye. They don’t appear to be super wealthy. How is a hacker sitting in a tower block in North Korea going to stumble across them? Well, unfortunately there’s a process of largely automated reconnaissance going on all the time to probe for weaknesses in all people’s and all companies’ perimeters. And then, that information, any weaknesses discovered, can ripple up to the top and be sold if there appear to be lucrative opportunities.
Stephen Platt:
So, they have coded technology which systematically seeks to identify weaknesses in the defence perimeters of organisations. And presumably, that’s then automatically flagged to them, as and when a weakness is identified. They analyse it, and then they sell the information about that to the highest bidder, presumably, with some sort of offer to actually engage in further exploitative attack work on behalf of whoever’s prepared to pay them the money. It’s absolutely remarkable. I had never considered this threat in that way. The idea that there are cyber mercenaries who specialise in this in the digital space is incredible.
A lot of our listeners, obviously, are very aware of the risk of money laundering being posed by organised crime groups who are involved in the commission of all sorts of predicate crime types: drug trafficking, human trafficking, frauds, illicit gaming, et cetera, et cetera. Is there any evidence that organised crime groups that have classically been involved in those sorts of activities are also entering this territory, the territory of cyber crime? The reason I ask that question is that it strikes me that this is an easier and safer way to make money than shipping tons of white powder across borders and then having to deal with the cash. If you can sit behind a computer and engage in this and get paid in bitcoins, which are much easier to launder than cash, then why wouldn’t you choose the easier option? Is there any overlap there between organised crime gangs and this cyber threat?
Anthony Flemmer:
Well, there are definitely organised crime groups that are involved in the cyber threat. Whether your traditional drug smuggler has now branched out into cyber crime, I’m not 100% sure about that. I mean, there are large organised crime units that will be hitting organisations. At that sort of level of activity, organised crime fits just below the state actors. So, they’re not quite as sophisticated, but they’re pretty good at, say, taking down a law firm and encrypting all their clients’ data, and then selling it back to them for a small fortune. That’s the area where they work, at that level. Then, generally, as you say, it’s a lot safer for them than moving drugs around, and a lot easier to get their money out when they need it, because it’s bitcoins. If someone pays the ransom quite easily, you can just increase the price and make the ransom double what they paid the first time. It all depends. Some of these criminal gangs have got reputations of being honourable to their ransoms and some of them haven’t. There’s a whole different world when you get into that area.
Stephen Platt:
You’ve raised there the issue of ransoms. Now, some of these threat actors, as we’ve explored, will effectively perform a service on behalf of somebody that wants information. That’s one type of threat. Presumably, what you’re also suggesting there is that they go about this in a speculative way by stealing information, effectively hijacking information which they hold to ransom. Unless the victim organisation ponies up, what do they do? They threaten to release the information? Is that how it works?
Anthony Flemmer:
If it’s sensitive information, there are two things that they can be doing. They can either be holding all your sensitive information or they could just be blocking up your systems, like they’ve done in a number of government organisations in the States. They just bring your whole system to a grinding halt, your municipality comes to a grinding halt, until you actually pay the money. And then they release the keys and you can get back to business as usual.
I think it’s Alabama just now paid something like $300,000 in bitcoins just to get themselves released so they can actually get back to business. When I was reading about that, their advisors were saying to the city council, “These guys that have ransomed you, they’ll honour it. So, pay them the $300,000.” So, clearly this criminal gang had a reputation of honouring the ransom, but not all criminal gangs will do that. Some of them will go, “Okay. Well, I’ve got my $300,000, I wouldn’t mind another $300,000.” So, there are different standards that operate as far as getting your data back or getting your systems back and operating again.
Alex Brunwin:
Yes, and some businesses or governments with the most comprehensive incident response plans actually have on standby professional negotiators, perhaps ex-hostage negotiators from law enforcement agencies, on call, ready to be that conduit between the business and the ransom demanders.
Stephen Platt:
How interesting. I mean, this resonates with me. I was involved in the World Bank study investigating illicit financial flows from Somali piracy. That was a fascinating study to be involved in. There, of course, they’re hijacking vessels, causing enormous problems for commercial shipping. In those circumstances, it wasn’t guaranteed that you were going to get your ship, and your crew, and your goods back. But generally, you would be assured of it. In this situation, the victims are unable, even, to identify who the perpetrators are, let alone be able to trace the money by way of ransom that they’re paying with a view to identifying who they are. This is a wholly different sort of risk and almost a completely different threat level for organisations. Genuinely fascinating.
Now, just to bring it back down to earth a little bit. Many of our listeners will be tuning in from corporate service provider businesses, fund administration businesses, and so on. They might be thinking, “Well, this is all fascinating. It really, really is. But, what have we got that’s of interest to a cyber attacker? The reality is that this isn’t really that relevant to us and this is unlikely to happen in my backyard.” I suspect you’re going to say they’re wrong about that. The obvious question is, how does this risk manifest itself in and for organisations of that type?
Alex Brunwin:
Well, I guess many of the audience will be related to offshore financial businesses or fiduciary businesses. It’s very clear that they fall under the points of discussion we’ve just covered as a very, very rich target. The quantity of data they hold on customers and customer accounts, and the confidentiality of that data, is sacrosanct to the business model engaged in. They are very, very large targets for that sort of ransom, either to potentially release lists and breach confidentiality or release to the public PI-type information, which could incur large fines, or indeed simply have their data locked up and not unlocked unless they pay. They are very, very high on the target list, because they’re wealthy and they want to protect the confidentiality of that data more than almost any other type of business.
Stephen Platt:
That’s interesting. Again, I don’t know whether or not this is relevant, but we have seen from the financial services industry a number of leaks of data. Some people applaud those leaks, because they think the leaks have revealed information that should be in the public domain. For example, about the way in which corrupt politicians might’ve been laundering their money and so on and so forth. But caught up in those leaks has been a lot of information about perfectly legitimate customer relationships, I’m sure as well. Do you, when you think about the nature of this threat to financial services businesses, also consider, or should they also consider this in the context of something like Panama Papers or Paradise Papers? Is that part of the risk?
Anthony Flemmer:
Yeah, that’s definitely part of the risk. It’s wherever people can leverage you. I mean, those ones were made publicly available, those two, Paradise and the Panama Papers. I suspect there have been other ones that have been happening, which we haven’t heard about, where the ransoms have been paid, because I can’t believe that those have been the only two cases that would’ve hit the offshore jurisdictions in the last five years. We are a very juicy target to the criminals. And the criminals also know that the organisations in these jurisdictions have got the money to pay. They will be able to stump up £100,000, £200,000 of ransom if required. So, why would you not go after us? The other thing that plays quite nicely for the criminals is we’ve got this view that we live on these very safe islands and these safe jurisdictions, but we’re not safe from cyber attacks. We’re just as vulnerable as anyone on the continent or anyone on mainland Europe. Sometimes, our psyche doesn’t quite kick in to the fact that we’re that vulnerable.
Stephen Platt:
That’s very interesting. Now, what is it you’re seeing in industry, generally? I mean, how well prepared is the finance industry? I’m here not talking about offshore, I’m talking about the financial services industry globally. I know that you do operate both on and offshore. What is it you’re seeing about how well prepared industry is for this?
Alex Brunwin:
Well, quite a variety, really. At the top end, many of the businesses engaging in the financial services sector are really quite sophisticated and well prepared. They’ve been working under a strongly regulated environment for decades. Part of that regulation requires them to understand the process of risk assessment to the business. Cybersecurity has not been integrated into that risk assessment process. If you combine that preparedness with the stick corresponding to the carrot, you’ll find that potentially fines are going up for companies who have breaches. They’re well aware that their reputational risk carries a heavy price as well. Those businesses can be really quite well prepared.
As you go down in size, you get into the problem of budgetary constraints. Defensively, it really is like an arms race. I mean, you have to invest considerable amounts of money and effort into your defences. Following on from my comments about there being a world shortage of experts, it’s very difficult and very expensive to build a team in-house that’s capable of defending your business to the right extent.
Stephen Platt:
I see. Now, what, from your work with industry, are the common weaknesses or mistakes that businesses are making? I mean, again, to draw on a parallel in AML, I mean, if I had a pound for every time I spoke to a senior board member who said to me, “Oh, yes, no we’ve got the AML risk completely licked,” when in fact the opposite is true. Is that something you’re also seeing in the cyber space, people have got a false sense of security? They don’t really understand the true nature of the risk and the way in which it manifests itself within an organisation. I don’t know, I don’t want to put words into your mouths. What are the common weaknesses or mistakes that businesses are making that you’re seeing?
Anthony Flemmer:
So, Stephen, it’s very similar to what you’ve got. A lot of people will say, “Yes, we’ve got it sorted. We’ve got multifactor authentication,” meaning no one can ever hack into us, we’re absolutely sorted. The big mistake that I think businesses are making is actually believing that firewalls and antivirus can protect their internal systems or their systems. It is so easy to breach a firewall or antivirus. It takes a certain amount of skill, but we’re not talking state actors or criminal gangs, we’re talking somewhere around two or three years in cybersecurity playing around with networks, and you’ll be able to work your way around there. These are people that know something about cybersecurity, but they can easily get through it. I think that is probably the biggest mistake: assuming your firewall and antivirus is going to help you and your perimeter is going to work. You’ve got to do a lot more around that. You’ve got to sort out your people and your process to get on top of this whole problem that you’re dealing with.
Stephen Platt:
What you’re essentially saying is that complacency is a factor that’s at play here. The fact that you’ve got a firewall or three factor authentication is not enough. It’s a bit like, just because you verify the identity of a customer when you onboard them, don’t think that they don’t pose the money laundering threat to you. It’s an interesting analogy. Beyond complacency, you’re saying that really policies, procedures, the human element, these are all absolutely critical. Can you tell us a little bit more about the policies, the procedures, the cultural dynamic that you would expect to see in an organisation that is doing this well? I mean, to put it differently, what does good look like in an organisation that’s taking cyber threats seriously?
Alex Brunwin:
Okay, I can answer some of that. In terms of policies and controls, really what you’re looking to achieve is to make sure the interaction between the people and either the computer systems, and the data, and valuable assets are sensible. That covers all very, very common elements such as password controls, least access privilege so that, for example, if one workstation is breached there’s no reason why it should be easy to go from there to another machine with more privilege and more sites to the network.
The other one is really understanding the assets that you have on your network and keeping those well managed, updated, and patched, because the list of vulnerabilities that become known about is increasing very, very rapidly. If you want to be in a well protected situation, you have to keep up to date with those lists. Unfortunately, it’s very difficult to do that for a number of reasons. One is you may have so many systems. Another might be that you have legacy systems which are very, very difficult to patch without retesting them. You’ll find many systems in around the aircraft industry, or hospital equipment, or lift equipment can’t actually be patched, because of the difficulties in recertifying after every corrective software release.
Understanding the vulnerabilities that you have and that you have to live with, segregating those from your main networks, segregating areas which don’t need to be connected to the internet, and segregating access of your staff from areas that they don’t need access to. These are really all important points.
Stephen Platt:
Very interesting.
Anthony Flemmer:
I think that the policies and the procedures, they need to be continuously reviewed. There’s quite a common sort of thing, we’ve got our policies and procedures and they’re left in the drawer. They’re not kept up to date with what’s actually changing out in the real world, and how quickly things are changing in the cyber space. They have to keep up with the pace of change.
Stephen Platt:
Now, in conducting some research before today’s interview, I read that the most common, and I quote, “attack vector,” is through social engineering. I think I know what that means, but can you educate me? What does that mean?
Alex Brunwin:
Well, the general definition, I guess, would be trying to get somebody to grow a change in their behaviour, trying to entice them into a change of behaviour, so that you can gain something, quite possibly access to a system or access to a password. In the context of cybersecurity, it tends to mean mainly through phishing emails, encouraging your users to click on links or open attachments. These are very well known techniques. It could also be as simple as making a phone call pretending to be from the technology support group and asking someone to type their password in or reveal some information that they wouldn’t feel comfortable revealing to a stranger, but you’ve enticed them into some sense of trust with you.
One of the things that companies do very regularly is obviously train their staff in basic cyber hygiene and their understanding of the ways in which they can be socially engineered. As I said, the number one element there would be to try and identify and not click on phishing emails. That needs to go right up to the top of the business, where unfortunately some of the senior executives perhaps have a worse track record than the employees.
Stephen Platt:
How interesting. Now, when you consider the risk governance framework of an organisation, I mean, if we take a financial services business, as an example, there are lots and lots of risks trying to manage. It’s becoming an ever more complex landscape from a risk management perspective. What do you think is the best approach to the design of an effective risk governance framework in terms of the interrelationship between cybersecurity and anti-money laundering? Should, for example, organisations be integrating cyber events into their AML program? How do the two best fit together, in your opinion?
Anthony Flemmer:
So, Stephen, you’re talking to a trend that’s starting to come out of America now in that they’re wanting the cyber events to be reported like we report size to the regulators. You’re talking two very different groups of people. You’ve got your cybersecurity people and you’ve got your AML specialists. The cybersecurity group are not that familiar with a reporting to regulator regime at the moment. That would be a new concept for them to learn from the AML guys. And then, the AML people wouldn’t be very aware of the volume of incidences that are actually hitting the cybersecurity part of the organisation on a continuous basis. These groups need to start moving closer together to start actually understanding how each other’s worlds work, but without creating too much overlap so that they can leverage up on their specializations.
From a risk management perspective, yeah, your head of risk needs to understand both sets of risks. Your AML risks that are coming into your organisation or starting to appear, and also your cyber risks that are getting maintained on a daily basis, and how they’re getting managed.
Stephen Platt:
I mean, it strikes me also that this cyber risk can manifest itself not only through the risk that it poses to sensitive customer information, but also highly sensitive information about an organisation’s internal policies and procedures. Because, if you can understand how an organisation manages a particular risk, let’s say money laundering risk, then you’re in a really strong position to know where the weaknesses are and how to exploit it in order then to successfully launder money through that organisation. It’s a multidimensional risk this. It clearly, it seems to me, needs to be at the very least a very strong line of communication between those people in an organisation responsible for managing fin crime, including of course AML, and cybersecurity. Would you agree with that?
Alex Brunwin:
Yes. I think the key point would be that the anti-money laundering legislation came in probably earlier than the regulations around cybersecurity. People have been taking those very seriously for a long time now. But, it was quite a challenge to get senior management to take the risk of cyber breaches seriously. I believe that was quite a change for the regulators. Really, they have to elevate the culpability in some ways to the executive level before they could really get people to engage with it, rather than saying, “Oh, the IT team deal with that. If we have a breach, we can fire the head of IT.” Well now, it’s actually the stakeholders and the executive board who have ultimate culpability for these breaches. They’re taking it a lot more seriously.
Stephen Platt:
So, they’re holding individuals as well as the institutions to account when things go wrong. What you’re saying, essentially, is that in order to put yourself in the best possible position for that fate not to befall either you or your organisation, you need to understand that however sophisticated your infrastructure is, your weakest link is normally your people, and in particular your senior people. This is behavioural as well as an issue that can be simply addressed by reference to systems of control.
Alex Brunwin:
That’s right. And, it can also be an insider threat, because that can be a simpler way of breaching a very, very large sophisticated organisation. With all of those threats in mind, businesses have to not only rely on a very, very secure perimeter, but they actually have to adopt an assumed breach model. They have to imagine that they will get breached at some point and put in place adequate intrusion detection, logging and correlation monitoring systems, as well as to have well-prepared and rehearsed incident response plans. Those complete the puzzle in some way. If you’ve got all the basic controls in place plus the ability to detect very quickly the possibility of a breach and respond to it, then you’ve really got your umbrella up, when it comes to investigations.
Stephen Platt:
Now, in the AML world, it’s an infinite problem that organisations have only got finite resources to try and protect themselves against trillions of illicit dollars washing around the system. It seems to me, from what you’ve been telling us today, that the cyber threat is also massive, that there are illicit automated systems that are testing perimeters, there are teams of online mercenaries, activists, and so on, and even state sponsored actors that are engaged in this. Would it be fair to say that it’s not a question of if this happens to an organisation, but when? Would that be the right approach for senior risk managers to think about this? It’s not if, it’s when you’re going to be the subject of some sort of attack?
Anthony Flemmer:
Yeah, that’s definitely the right mindset to have. It is just a case of when, and also how big it’s going to be. Yep, if people think like that, they can get themselves prepared to deal with it and mitigate against an attack happening, when it does happen.
Stephen Platt:
Well, gentlemen, this has been both enlightening and, I think, sobering. It’s a genuinely fascinating topic. I think, as a relatively, as it were, new risk management discipline, there is much that can be learned by people responsible for cyber risk management, from the mistakes that we’ve made over the course of the last 30 or 40 years in financial crime risk management. I think we can learn a lot more from each other and from those different, as it were, disciplines. So, thank you very much. We could talk for much longer, but we’re, I’m afraid, up to our time limit. It’s gone very fast, and I hope our listeners think it has too. I want to thank you both on behalf of all of our listeners and KYC360 members for taking the time to share your experiences and indeed your insights and expertise with us.
If you like what you’ve heard today, please spread the message about KYC360 and the AML Talk Show. This recording will be available as a podcast on KYC360 and many other platforms from tomorrow. For now, please do stay safe. Thank you and good-bye.