The scope of cyber security for financial institutions has expanded in recent years and will continue to become even more complex this year.
According to a joint report by the Financial Services Information Sharing and Analysis Center (FS-ISAC) and internet infrastructure firm Akamai, DDoS attacks have increased by 22% in 2022. Additionally, financial institutions in Europe experienced a 73% increase in DDoS attacks.
Teresa Walsh, the global head of intelligence at the FS-ISAC, explains that DDoS attacks are used as a decoy for more damaging cyber breaches, such as the infiltration of systems and the installation of malware. She adds, “While DDoS attacks themselves tend not to cause large windows of downtime due to a wide array of standard defensive measures available to financial institutions, the same practices are not as readily available for DDoS used as a smokescreen.”
Cybercriminals use techniques such as SQL injections, ransomware, phishing, supply chain attacks, and more to threaten financial services.
There have been updates to the rules for the cybersecurity landscape for financial services. Ransomware attacks on the derivative service provider ION Group have demonstrated the fragility of the financial supply chain.
Tom Kellermann, the senior vice president of cyber strategy at Contrast Security, says that although financial firms have some of the best cybersecurity, attackers continue to find ways to succeed. “They have invested much more than other industries in cybersecurity, they have the best technologies, and they have some of the very best people in the world,” he says. “But they’re being hunted by the most organized and sophisticated cybercrime cartels in the world, coupled with intelligence services from rogue nation-states who want to hack the sector—not just for the purposes of economic espionage but to help offset economic sanctions.”
Geopolitics and cyber-criminal incentives
The conflict between Russia and Ukraine has had severe consequences on government bodies, which has prompted a change in the cybersecurity landscape. Financial services have been targeted with attacks including fund theft, ransomware deployment, DDoS attacks, SQL injections, and more.
In a survey conducted by Contrast Security, over 54% of financial service providers interviewed identified attacks from Russia as their topmost concern, with North Korea following closely behind.
“Russian Cybercrime cartels are far more knowledgeable of, not only the financial sector in terms of how it operates and what is most valuable… but also the inter-dependencies that exist in the sector,” said Kellermann. “Which is why you’re seeing that surge of attacks against APIs and an increase in island-hopping and watering hole attacks.”
The financial industry has been revolutionized by cyberattacks, with complex operations utilizing “as-a-service” models. Access brokers have become popular and are targeting the financial industry, selling access to others to spend less time compromising their targets.
A Deloitte survey found that 35% of firms had their accounting and financial data targeted by cybercriminals in the last 12 months, with predictions that this will increase to approximately 49% in the next year.
Daniel Soo, a principal with Deloitte’s risk and financial advisory group, said that the goal of cybercriminals is to compromise financial transactions between corporations and financial institutions, as well as financial firms and their vendors.
“These attackers are becoming a little bit more targeted, where they can get into some financials and see what’s underlying each of these firms,” he said. “And it’s a little bit frightening, because by peering into the financials, you can learn a lot about organizations.”
The financial services industry is facing increasing regulations from various authorities. California and the federal government in the United States are focusing on information security, while European officials must be informed of data breaches to comply with the General Data Protection Regulation (GDPR). Although the American Data Privacy Protection Act (ADPPA) failed to pass through Congress, federal standards are still being developed, including a 36-hour reporting requirement for financial firms.
Teresa Walsh, global head of intelligence at FS-ISAC, says, “The increasing regulations mean that any financial institution needs to build a holistic cyber resilience program to have the flexibility to meet changing regulations, particularly multinational institutions.”
“This has been a major priority for many years now, so we expect few institutions to have to make dramatic changes to their cyber management or reporting infrastructure in response to regulation,” she adds.
Tom Kellermann comments, “Plausible deniability is dead. They are just going to have to report now.”
Call for Advancement in Financial Security Posture
According to a survey conducted by Contrast Security, the rapid innovation in payment technologies is driving the need for financial services to secure these technologies quickly. Typically, financial services lead the pack as adopters of cybersecurity, with 72% of financial institutions planning to increase their investment in application security in 2023. The survey also found that 64% of financial institutions require cybersecurity requirements for their vendors.
Cybersecurity and cybercrime are expanding into new categories, with the Financial Industry Regulatory Authority adding a new section for financial crimes in cybersecurity and including a technology section in a report published in January 2023.
Deloitte’s Daniel Soo said, “For the most part, the financial industry needs to make its information infrastructure and processes more resilient, not only in resisting an attack but also in the organization’s ability to recover following an attack.” Only 26% of organizations have a specific method in place for estimating damages caused by different types of cyber incidents, and 17% plan to implement one in the next 12 months.
“There’s certainly going to be a disruption often related to some sort of cyber incident, and resilience is very much around ‘how do you recover quickly in a very structured way?'” Soo said. “How can you recover and how can you limit the blast radius, [so] you localize any type of damage?”