Digital technology has crept into nearly every aspect of society, offering unprecedented access to information and services while also creating massive cyber security challenges that leave many of the most personal and most important aspects of our lives vulnerable to cyber attack. In an age where digitalization and interconnectivity has been introduced into everything from everyday items such as watches to thermostats through the “Internet of Things” to the most important elements of our national infrastructure, including financial institutions and electrical power grids, it is imperative for the private and public sectors to take action and protect the underlying structure of our society.
Over the last decade, we have seen several examples of the vulnerabilities in an increasingly digitalized world such as the 2007 coordinated cyber attacks on Estonia1, the 2014 hack of Sony Pictures2, and the 2015 attack that disabled a regional power grid in Ukraine.3 Cyber crime alone is estimated to cost businesses $400 billion per year and British insurance company Lloyd’s estimates that amount to quadruple to $2 trillion by 2019,4 and businesses are taking notice. For example, IBM’s CEO, Ginni Rometty stated last year that “cyber crime is the greatest threat to every company in the world.”5 In this environment, Citibank is taking action to mitigate cyber threats.
New Business Model, Vulnerabilities Exposed
Like others, Citibank has increasingly migrated services onto digital platforms for efficiency, speed, and customer convenience. This represents a massive shift in the business model which originally relied heavily on personnel and infrastructure. Now, instead of depending on methods like writing physical checks or visiting a teller, customers have 24/7 access to account information from virtually anywhere and access to services electronically.
However, that transition has not been without challenges. For example, in 2011, Citibank was hacked and “the financial data of more than 360,000” credit card holders was exposed.6 A month later, Citibank revealed that “about $2.7 million was stolen” from a portion of those accounts.7 The chart below shows the financial services industry has the second highest average annualized cost of cyber attacks demonstrating the scale and cost consequences of the threat.8 Cyber attacks will continue to target the industry and Citibank needs to adapt its operating model to this challenge.
Innovation and Adaptation
Citibank has adapted its operating model to address the vulnerabilities of that digital transition to add protection and thus, value for customers that can trust the integrity of their bank. These measures include:
- Common-sense and oversight: implementing common-sense measures to protect against “insider threats” by controlling information access, requiring “multiple levels of approval,” monitoring transactions, and training staff to recognize and respond to threats.9
- IT Discipline: maintaining “discipline and vigilance by IT and end-users” such as ensuring up-to-date software.
- Three Pillars of Defense:
- Channel Protection: enabling Citibank’s systems to “[block] an attacker’s entry to a platform” through tactics like “strong log-in credentials” and encrypted data transfer.
- Vigilance About Payment Outliers: using resources likes Citi’s Payment Risk Manager to detect payment outliers that may identify a compromise of Citibank’s systems.
Separately, Citibank has emphasized innovation in cyber security because “cyber-crime is constantly evolving as current attacks become known and dealt with.” In this spirit, Citibank has partnered with Microsoft to implement “next generation identity technology” for its employees and users.
Beyond its individual efforts, Citibank has joined forces with seven other banks, including J.P. Morgan, Goldman Sachs, and Bank of America, to form a group within the non-profit Financial Services Information Sharing and Analysis Center (FS-ISAC) to “share cyber crime data” and collectively gain the benefits of shared information.10 Citibank explains, “Sharing knowledge of anomalies or updates, or even of attackers’ activities, makes every part stronger. [. . .] Real-time highly-detailed, analysis enables banks and companies to detect patterns and stay (at least) one step ahead of attackers.”9 Strengthening and investing in this group’s development will benefit all partners through sharing of data, experience, and best practices.
- Cyber security is a complex, large-scale issue that cannot be solved by one company or the government acting alone. Because of the interconnectedness of the private and public sector and shared vulnerabilities, it is vital that Citibank and other financial firms demand, but also commit to closer cooperation with each other as well as with government to find solutions.
- The group of eight banks should share information and lessons learned with smaller banks when appropriate. While they banded together because of their relative size and system complexity, the industry as a whole can benefit from their work.
- Finally, Citibank should focus on developing talent to provide critical innovation and expertise in the coming years.
 Washington Post. 2016. Cyber Assaults on Estonia Typify a New Battle Tactic. [ONLINE] Available at: http://www.washingtonpost.com/wp-dyn/content/article/2007/05/18/AR2007051802122.html. [Accessed 18 November 2016].
 Washington Post. 2016. U.S. attributes cyberattack on Sony to North Korea – The Washington Post. [ONLINE] Available at: https://www.washingtonpost.com/world/national-security/us-attributes-sony-attack-to-north-korea/2014/12/19/fc3aec60-8790-11e4-a702-fa31ff4ae98e_story.html. [Accessed 18 November 2016].
 WIRED: WIRED. 2016. Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid | WIRED. [ONLINE] Available at: https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/. [Accessed 18 November 2016].
 Forbes. 2016. Forbes. Cyber-crime Cost Projected to Reach $2 Trillion by 2019. [ONLINE] Available at: http://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#6ff24583bb0c. [Accessed 18 November 2016].
 Forbes. 2016. Forbes. IBM’s CEO on Hackers: Cyber-crime is the Greatest Threat to Every Company in the World.[ONLINE] Available at: http://www.forbes.com/sites/stevemorgan/2015/11/24/ibms-ceo-on-hackers-cyber-crime-is-the-greatest-threat-to-every-company-in-the-world/#47d09fd93548. [Accessed 18 November 2016].
 WIRED: WIRED. 2016. Citi Credit Card Hack Bigger Than Originally Disclosed | WIRED. [ONLINE] Available at: https://www.wired.com/2011/06/citibank-hacked/. [Accessed 18 November 2016].
 CNNMoney. 2016. Citi: Last month’s credit card hack attack stole millions – Jun. 27, 2011. [ONLINE] Available at: http://money.cnn.com/2011/06/27/technology/citi_credit_card/. [Accessed 18 November 2016].
 Giles Turner. 2016. Cybersecurity Index Beats S&P 500 by 120%. Here’s Why, in Charts – MoneyBeat – WSJ . [ONLINE] Available at: http://blogs.wsj.com/moneybeat/2015/09/09/cybersecurity-index-beats-sp-500-by-120-heres-why-in-charts/. [Accessed 18 November 2016].
 Citibank Treasury and Trade Solutions Article, “Fighting cyber-crime together,” December 2014. Available at: https://www.citibank.com/tts/about_us/articles/docs/…/article_fighting_cybercrime.pdf. [Accessed 17 November 2016].
 Fortune. 2016. Wall Street’s Biggest Banks Are Banding Together Against Cybercrime. [ONLINE] Available at: http://fortune.com/2016/08/10/wall-streets-biggest-cyber/. [Accessed 18 November 2016].