Cyber threats for financial services firms come with their own unique risk profile. The financial industry is second only to the healthcare sector in terms of the frequency of cyber attacks, and they are targeted at a rate of around 300 times that of other industries. As one of the most closely regulated industries in the world, financial institutions also face significant repercussions in the event of a data breach.
Why Cybersecurity Matters
As if the sheer rate at which cybercriminals target financial institutions didn't give you reason enough to take cybersecurity seriously, the cost of a cyber attack can be staggering. While most breaches cost firms between $800 and $650,000, that's just the initial cost. Regulatory fines can be quantified and are sometimes substantial, and none of that begins to account for the reputational damage a successful cyber attack will cause.
Take the Equifax data breach of 2017, for example. This devastating breach compromised credit data for millions of customers, and Equifax eventually agreed to pay victims over $700 million. That still doesn't include legal fees, the cost to repair the breach, or the cost of investigating the extent of the breach in the first place. In fact, the average total cost of cybercrime activities is over 40% higher for the financial industry than for any other sector.
Applicable Regulations
There are a large number of regulatory bodies and guidelines that financial services firms must comply with. These regulations can vary substantially across the many locations where the firm may do business, and violations could lead to fines of over six figures and other serious sanctions. Some of the more wide-ranging regulations are:
- The General Data Protection Regulation (GDPR) in the European Union
- The California Consumer Privacy Act (CCPA)
- The New York Department of Financial Services Cybersecurity Regulation
- The Payment Card Industry Data Security Standard (PCI-DSS)
Notably, some regulations like the GDPR have stringent standards as to when they apply. If the enterprise or the customer is based within the territory covered by the GDPR, if the data passes through such a region, or if any of several other qualifications are met, then the standards of the GDPR apply to some or all of the data that the institution holds. It's critical to know not only whether the GDPR or other similar regulations apply but also precisely what it is that they apply to.
Emerging Cyber Threats in the Financial Services Industry
Risk management professionals have a full plate when it comes to better securing financial institutions. Threats from a number of attack vectors persist, and there is no shortage of individuals who seek to profit from gaining access to financial firms' sensitive data. We've previously detailed some time management tips for vendor risk managers to help lighten the load, and now we're going to highlight the top five cyber threats for financial services firms. When you know where to focus your efforts, your chances of defending against cyber threats increase substantially.
Social Engineering Scams
Social engineering scams are some of the most prolific cyber attacks and are responsible for initiating many other attacks. These scams prey upon the innate human tendency to want to comply or help others. One method is psychologically manipulating victims into taking an action that directly transfers customer data or funds to the cyber criminal. Another common attack vector gives the attacker access to the victim enterprise's network with stolen or compromised credentials. They can then remain in the network and act indefinitely until the breach is detected and contained.
Some of the most common social engineering scams are:
- Phishing: typically emails sent with links connecting to spoofed websites used to capture login credentials.
- Smishing/Vishing: similar to phishing but using SMS or VoIP phone calls.
- Whaling: any of the above, directed at a high-level target and using personal information obtained about that target to make the attempt more believable.
- Business email compromise: using compromised login credentials to take over a business email account and then direct further actions of others through the fraudulent use of that account.
In 2021 alone, research has shown that phishing attacks were used to gain initial access in 46% of all successful cyber attacks against financial systems. As you can see, social engineering scams are a persistent threat actively damaging the entire financial services industry.
Distributed Denial of Service (DDoS) Attacks
Distributed denial of service (DDoS) attacks use a far-flung network of typically compromised machines to direct web traffic to a specific site to overload the public-facing servers and cause them to crash. This disrupts the victim's ability to conduct business, and it can lead to a host of other issues. DDoS attacks targeting financial firms increased 93% during the period of 2018 to 2020.
Currently, ready-made toolkits are available for purchase that allow an attacker to launch a DDoS attack with just a few clicks. This eliminates the barrier to entry that previously existed, where a bad actor needed the technical know-how to stand up a botnet and then run the script to launch the attack.
The ability of this attack to persist despite attempts to counter it makes it extremely effective at disrupting business operations. In one example where a shared services provider was targeted, a criminal group caused an outage at over 800 connected financial institutions in Germany in 2021. Much like our next cyber threat, the disruption caused by a DDoS attack makes it an effective tool for extortion: a ransom is demanded either to prevent an attack or to stop the traffic once one has begun.
Ransomware Attacks
Ransomware attacks can start in a number of ways. From an email with a malicious attachment to a phishing attack that leads to compromised credentials, any access to a financial institution's network is enough for cybercriminals to launch a ransomware attack. This attack encrypts all files and data, completely shuts down all systems and connected devices, and locks out access by any other user or third party. A ransom demand then follows, offering a decryption key in exchange for payment so the victim can regain access to its systems.
Despite ransom payment, there is no guarantee that the attacker will release the systems. Even if they do, nothing prevents them from leaving a back door open and re-encrypting the data later before demanding more money. Ransomware is a high-profit attack with generally low risk, and criminal enterprises even offer ransomware-as-a-service packages for sale to other criminals.
A thorough set of data backup procedures would protect you from the classic ransomware attack just described. However, criminals have adapted to such countermeasures by incorporating data exfiltration into the ransomware suite. Now, not only is the data encrypted, but it has also been stolen and can be leaked for additional profit. Again, payment of the ransom does not ensure that the data won't later be sold or released for other purposes anyway, making ransomware attacks one of the top cyber threats for financial services organizations.
Web Application Attacks
Web application attacks are diverse. They can incorporate a number of methods, but the financial services industry has seen the most threat from four specific types. Research has shown that these four types are responsible for 94% of all web application attacks against financial systems. These attack vectors are:
- SQL injections
- Cross-site scripting
- Local file inclusion
- OGNL Java injection
Without getting into the weeds of these advanced threats, gaining access to financial systems through any of them is devastating. Web application attacks are more technical and less likely to be perpetrated by a low-tech user, but they are extremely effective. With the right knowledge base, a cybercriminal can employ these techniques to exploit vulnerabilities and exfiltrate your sensitive data.
Nation States or Organized Criminal Enterprises
There has been a sharp rise in nation-state-sponsored and organized criminal enterprise cyber attacks. These actors bring no new technology, but they can readily employ the techniques above. Direct acts by certain nation states, organizations they fund, and other organized criminal enterprises benefit from high levels of funding, coordinated activities, and a high level of organization. That makes the cyber risk posed by these entities that much greater.
We have seen examples of this in 2022 with increased attacks targeting government, military, and business targets. Nation states and their sponsored partners can focus on financial institutions to cause difficulties before an invasion or strategically disrupt the populace to provide added distractions for the local government. Organized criminal groups can collaborate and target multiple vendors up and down the supply chain to magnify their effect and facilitate higher returns on their activities.
Threat-Centric Approach
Regardless of the industry, we recommend a cyber security posture that considers the most likely attack vectors. With a solid foundation of enterprise cyber security, you can defend against generic cyber attacks. To harden your posture against targeted cyber threats for financial services, you must prepare for this industry's most common threats. Information like this top threat list is critical to your planning. Knowing the most common attacks the financial services industry faces, you can apply more of your effort to those targeted areas.
At Venture Lynk Risk Management, we know about risk management and cyber security. Our vendor risk management specialists can ensure that your vendors aren't exposing you to cyber threats from which you thought you were insulated. An outstanding cyber security program only goes as far as the weakest link in your supply chain. A compromised vendor can lead to utter devastation, but we don't limit ourselves to just vendor management. Venture Lynk offers risk assessments, information security, and intellectual property services. Our staff can present a custom package for your enterprise's specific needs.