
Counting the Cost: Critical Cybersecurity Concerns in the Finance Sector

Financial services institutions (FSIs) in the UK recorded an 81% increase in cyber-attacks in the months following the invasion of Ukraine in February 2022. This is a reminder of the key role the sector plays in critical national infrastructure (CNI), and that adversaries now include nation-backed actors as well as financially motivated cyber-criminals. Despite surging threat levels, an overwhelming majority (94%) of FSI IT leaders are confident in their cybersecurity posture.

Is this confidence well placed? Although FSIs spend more than most other sectors on cyber, the threat is arguably also higher. Where they focus this investment will be increasingly critical as the threat landscape evolves.

Why Are Financial Services Firms a Target?

A major driver for attacks is theft of customers’ financial and personal information – both things that banks and other financial services firms hold in large quantities. This information can be sold on various dark web marketplaces and then used in follow-on payment fraud, account takeovers, new account fraud and more.

Increasingly, log-ins for cryptocurrency wallets are also highly sought after, as savers and investors broaden their portfolios to include digital currency. In 2022, the FBI claimed that five times more SIM swapping attacks were reported in 2021 than during 2018, 2019 and 2020 combined. This is a popular way to hijack crypto-wallet accounts.

FSIs and cryptocurrency firms can also be targeted directly in a modern-day version of the old-fashioned bank heist. The first big-name incident of this kind was the 2016 attack on Bangladesh Bank in which North Korean state operatives swiped $80m from the bank in a sophisticated multi-stage operation. The heavily sanctioned autocracy targets the sector for currency to fund its nuclear and weapons programs. It’s believed to have amassed billions this way, mostly through attacks on crypto firms like Ronin Network.

There are probably a handful of cybercrime APT groups that also focus on the financial services sector – notably Carbanak and FIN7. They might monetize attacks by manipulating internal business processes to transfer funds out of the targeted bank, or issue cash via ATMs for money mules to collect. However, while these raids make the headlines, it is smaller scale breaches and compromises that comprise the majority of threats to the sector.

A Growing Attack Surface, the Cloud and Digital Transformation

Banking CISOs are well aware of their organization’s growing digital footprint, which in turn has expanded the size of the cyber-attack surface. Three-quarters (75%) of financial services IT and business leaders polled last year say they’re concerned with the size of their digital attack surface and half admit it’s “spiralling out of control.”

Financial services is an unusual industry, in that many firms still use legacy mainframes to carry out back-end computing tasks. Yet on the other hand, it’s also at the centre of a new wave of cloud computing innovation, with an estimated 60% of North American banks planning to invest in the technology in the future.

Much of this is down to open banking mandates which, particularly in Europe, have forced digital transformation upon the industry. The new rules are designed to level the playing field among financial services providers by requiring traditional banks to allow third-party providers to access customer account information. This has led to a “skyrocketing” number of APIs in the sector, according to Imperva regional vice president of EMEA, Andy Zollo.

“Many large enterprises have over 1000 active APIs, and this easy access to applications and data represents a tempting target for hackers. The sheer number of APIs in use to connect applications has introduced a new problem – shadow APIs,” he told Infosecurity.

“Shadow APIs are undocumented, meaning they aren’t maintained by normal IT management and security processes. The scale of this issue should be a major concern for every organization – particularly financial services, where shadow APIs now make up around 30% of all API traffic. As they are outside of the security team’s visibility, cyber-criminals can remain undetected, and use them to connect directly to back-end databases where sensitive data is stored.”

Zollo points out that cyber-risk for FSIs also stretches to customer accounts, even if securing them is actually down to the individual user.

“If an army of bots sets their sights on a website, the owner risks huge costs from supporting victims and investigating fraud claims, as well as reputational damage for allowing accounts to be compromised,” he argues.

It should therefore be of concern that nearly 40% of all account takeover (ATO) attacks, a popular end goal for malicious bots, now target the financial services industry, according to Imperva.

How Bad Is It?

The vendor claims that financial services was the most targeted industry last year, accounting for over a quarter of all cyber-attacks – and double the next most-targeted sector, “general business.”

Separate data from Sophos is similar and reveals that 55% of FSIs suffered a ransomware compromise in 2021, and the same share reported an increase in attack volume and impact. Cyber Risk Analytics figures cited by Flashpoint claim the sector suffered the most data breaches of any vertical in 2022, with 566 incidents leading to 254 million leaked records.

This is all bad news for the bottom line. The financial services sector comes second in IBM’s Cost of a Data Breach report, after healthcare. Breaches now cost the sector an average of nearly $6m globally, far higher than the cross-sector average of $4.4m. That’s not to mention the reputational and operational impact of incidents.

How can FSI cybersecurity leaders respond?

For a global market worth over $26 trillion, there’s no shortage of money to spend, even in a downturn. However, prioritizing the right areas to receive this funding will be key.

For Imperva’s Zollo, gaining visibility and control over bots and API threats will be critical.

“As this industry relies on APIs to provide the connective tissue between applications, it’s vital that CISOs prioritize being able to see what data is flowing through each one, and who’s got access. On top of this, effective API security processes should be implemented, including automated discovery and strong governance models to make sure each one is monitored and protected,” he argues.
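An added example, not code from the article or from Imperva, of the automated API discovery Zollo describes and of how shadow APIs surface in traffic: it reconciles request paths seen in access logs against the documented route inventory, reports the undocumented endpoints, and computes their share of traffic. The route templates, log lines and paths are constructed for illustration.

```python
import re
from collections import Counter

# Constructed inventory of documented routes (hypothetical OpenAPI-style templates).
DOCUMENTED_ROUTES = [
    "GET /api/v2/accounts/{id}",
    "GET /api/v2/accounts/{id}/transactions",
    "POST /api/v2/payments",
]

# Constructed access-log sample in combined-log style; hosts and paths are fictitious.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2024:10:00:01 +0000] "GET /api/v2/accounts/1234 HTTP/1.1" 200 512
203.0.113.5 - - [01/Mar/2024:10:00:02 +0000] "GET /api/v2/accounts/1234/transactions?limit=50 HTTP/1.1" 200 2048
198.51.100.7 - - [01/Mar/2024:10:00:03 +0000] "POST /api/v2/payments HTTP/1.1" 201 128
198.51.100.7 - - [01/Mar/2024:10:00:04 +0000] "GET /api/v1/accounts/1234/export HTTP/1.1" 200 90000
198.51.100.7 - - [01/Mar/2024:10:00:05 +0000] "GET /api/internal/debug/db HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')

def compile_route(route):
    """Turn 'GET /api/v2/accounts/{id}' into (method, regex) that matches concrete paths."""
    method, template = route.split(" ", 1)
    literal_parts = re.split(r"\{[^/}]+\}", template)  # split out {placeholders}
    pattern = "[^/]+".join(re.escape(p) for p in literal_parts)
    return method, re.compile("^" + pattern + "$")

def normalise_path(path):
    """Collapse numeric segments so one endpoint is not reported once per account id."""
    return "/".join("{n}" if seg.isdigit() else seg for seg in path.split("/"))

def find_shadow_apis(log_text, documented_routes):
    """Return (Counter of undocumented 'METHOD /path' templates, total request count)."""
    compiled = [compile_route(r) for r in documented_routes]
    shadow, total = Counter(), 0
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line; skip it
        total += 1
        method, path = m.group("method"), m.group("path").split("?", 1)[0]
        if not any(method == dm and rx.match(path) for dm, rx in compiled):
            shadow[f"{method} {normalise_path(path)}"] += 1
    return shadow, total

def shadow_traffic_share(log_text, documented_routes):
    """Fraction of requests that hit endpoints absent from the documented inventory."""
    shadow, total = find_shadow_apis(log_text, documented_routes)
    return sum(shadow.values()) / total if total else 0.0
```

On the constructed sample, two of the five requests (a legacy v1 export and an internal debug route) match no documented template, so the shadow share is 0.4; in practice the inventory would be loaded from the gateway's OpenAPI specs and the log stream from the WAF or API gateway.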

“As bot operators continue to evolve their techniques to evade detection, security leaders must utilize advanced bot protection to detect automated traffic and mitigate it quickly, regardless of where it originates from.”

Chris Wilkinson, director at security consultancy BSS, also highlights insight as a foundational discipline for effective cybersecurity.

“Just as regulatory bodies have required greater levels of financial resilience from financial institutions, CISOs should take the same approach and devote similar energy to developing their organization’s cyber-resilience, including the ability to prevent incidents occurring, as well as recovering rapidly if they do,” he tells Infosecurity.

“CISOs should aspire to a comprehensive understanding of the information flowing through their organization and the security measures currently in place. Once they have the whole picture and vulnerabilities are identified, CISOs should implement robust cyber-recovery measures including the use of cyber vaults.”

The bottom line for financial sector CISOs is it’s a case of “when” not “if” a breach occurs, Wilkinson adds. For that reason, layered defences and effective risk planning are critical.
