30 Days after WannaCry – what can the UAE financial services sector learn?

Charles Habak

Written by:

  • Charles Habak: Vice President at Booz Allen Hamilton MENA
  • Wayne Loveless: Principal at Booz Allen Hamilton MENA
Charles Habak
Wayne Loveless

WannaCry or Wcry represents the latest version of a growing threat called Ransomware – a tailored piece of malware designed to exploit specific vulnerabilities in the operating systems of its victims’ computers.

Malware outbreaks are not infrequent, but Wcry spread so rapidly that it revealed vulnerabilities in the business planning, employee preparation and internal procedures of organizations all over the world. A majority of affected systems were running outdated versions of software, with no access to updates because the vendor had phased out support to these legacy systems.

The financial services industry sector is no stranger to the phenomenon of outdated software. Many of today’s financial systems still run on UNIX based platforms developed in the 1980s and 1990s, which often are no longer supported by vendors.

What the financial sector can learn from the Wcry fallout is the importance of investing in a sound risk management framework that involves technology change management as well as updated software – all of which could have prevented Wcry.

Investing in a sound backup and continuity plan can also enable organizations to quickly rebuild and recover systems in the event of a cyber-attack or ransomware impact and eliminate any need to pay ransom. Most law enforcement agencies and cyber experts would caution against paying the ransom as it may open the victims up to further exploitation and potential identify theft.

Financial services organizations and their leadership have a duty to protect their customers’ financial interests as well as their own institutions. This begins with a dedicated cyber agenda at the Board level along with the formation of a cybersecurity action committee reporting directly to the CEO.

Bank-wide vulnerability assessments across all of the business units that are C-level driven and business-aligned should be prioritized. Additionally, a dedicated cyber security business unit should be formulated with the goal of assessing and implementing new types of capabilities, processes and functions to combat growing threats.

Finally, encouraging bilateral and multilateral communication mechanisms with other banks in the marketplace, and interfacing with regulators to inform of threats and share information of potential breaches as well as threat intelligence from local, regional, and international partners can provide the contextual understanding needed to proactively defend institutions from future threats.

About Booz Allen Hamilton:

Booz Allen Hamilton has been at the forefront of strategy and technology for more than 100 years. Today, the firm provides management and technology consulting and engineering services to leading Fortune 500 corporations, governments, and not-for-profits across the globe. In the Middle East and North Africa (MENA) region, Booz Allen builds on six decades of experience partnering with public and private sector clients to solve their most difficult challenges through a combination of business strategy, digital innovation, data analytics, cybersecurity and resilience, operations, supply chain, organization and culture, engineering and life-cycle project management expertise.

With regional MENA offices in Abu Dhabi, Beirut, Cairo, Doha, Dubai and Riyadh, and international headquarters in McLean, Virginia, the firm employs more than 23,300 people and had revenue of $5.80 billion for the 12 months ended March 31, 2017. To learn more, visit mena.boozallen.com. (NYSE: BAH)