The finance industry is one of the most targeted industries for cyberattacks, and it makes sense. When most cyberattacks are conducted for financial gain, bad actors would naturally be inclined to go directly where the money is. However, the mass disruption caused by digitization and FinTech has created recent shifts in the industry that make financial institutions particularly vulnerable.
As the finance world becomes more digitized and financial institutions become increasingly interconnected, banking and financial services have become more efficient and inclusive for everyone. FinTech banking and payment apps like Venmo, PayPal, Robinhood, Mint, Chime, MoneyLion, and Card Curator are becoming more and more popular, and mobile banking, online lending, and contactless payments are on the rise. 75% of global consumers use at least one fintech service. Unfortunately, this convenience for customers is opening the industry to increasing numbers of cyberattacks.
Cybercrime is on the rise and no industry is exempt from being breached, but recent attacks on financial institutions, large and small, have highlighted the vast vulnerabilities in the financial services space. Back in 2017, a breach at the credit reporting agency, Equifax, exposed the personal information of 147 million people. However, breaches aren’t the only risk plaguing the industry.
Jump ahead to March of this year when Silicon Valley Bank collapsed and, according to multiple security reports, hackers immediately started laying the groundwork to run business email compromise (BEC) scams. Signature Bank, a pro-crypto entity, also closed up shop in March and is being investigated by government agencies to determine whether the bank took adequate measures to detect potential money laundering by its clients. Earlier this year, the Cash App data breach potentially exposed the personal financial information of more than 8 million users.
So why are bad actors targeting the financial sector and, more importantly, why are they finding so much success? Here are some of the reasons.
Financial institutions are an appealing target
Perhaps one of the most obvious reasons hackers target financial institutions is that they contain massive amounts of money and personal data. BEC attacks can be very lucrative in the financial services and FinTech sector, while banking and money transfer apps are attractive because they house significant amounts of financial, banking, and personal data.
Attacks are becoming more sophisticated
As more information and money flow digitally between applications and financial institutions, hackers can launch increasingly complex attacks that are difficult to block.
Though many of the popular methods remain the same (phishing, malware, fuzzing, DDoS attacks), the ways hackers are executing those attacks are becoming more and more sophisticated. Phishing emails are almost indistinguishable from legitimate emails and attack methods like fuzzing — a once slow and manual process — have become speedy and incredibly effective with the help of AI and machine learning. Even more frightening are the advanced tactics used to corrupt the integrity of financial data itself, including records, algorithms, and transactions. For instance, many hedge funds and high-frequency trading firms use algorithms and automated trading models to take advantage of minor price discrepancies in the market, and these are considered the lifeblood of a financial firm. If a bad actor steals the algorithm and holds it for ransom or sells it to a competitor, they stand to make a pretty penny. While lucrative for the hacker, it could cause major disruptions in the market.
The industry is undergoing massive digitization
Like many others, the financial industry is in the midst of digital transformation. Customers and businesses alike are demanding online financial services and the ensuing mass digitization has led to the emergence of FinTech. New applications have introduced modern banking, investing, and lending. As banks and traditional finance institutions modernize their technology and interface with FinTech products and applications, the attack landscape becomes increasingly vast. Each API gives attackers another entry point into a financial institution.
This increased vulnerability is exacerbated by the move to remote work for bank and financial services employees. Like many other industries, the move to remote work creates new challenges for IT teams as they struggle to keep their software, data, and devices safe.
The global payment messaging system lacks an owner
Most global money and security transfers are powered by SWIFT, an electronic payment messaging system. This means that an attack on SWIFT could result in a global financial crisis. In 2020, the Financial Stability Board (FSB) warned that “a major cyber incident, if not properly contained, could seriously disrupt financial systems, including critical financial infrastructure, leading to broader financial stability implications.”
The real issue is that SWIFT is vulnerable to an attack because it’s unclear who is responsible for protecting the system. Each government has its own cybersecurity regulations, and companies track security issues in silos. Layer on geopolitical tensions and mistrust between governments, and the collaboration necessary for securing the systems moves even farther away. Progress is slow and the constantly changing cyber risks don’t make forward motion any easier.
So, with a barrage of sophisticated attacks constantly hitting financial institutions, an electronic payment messaging system that lacks a cybersecurity owner, and an industry in transition, it’s clear that each individual business should prioritize securing its own data and operations. While that may not be an issue for larger financial institutions, smaller banks, lenders, and financial services firms are at a disadvantage.
Of all industries, you would think that finance is not one that’s low on cash. And yes, many large corporations have the funds and manpower to secure their business effectively, but, as we saw with SVB and First Republic Bank, smaller banking institutions aren’t in the same boat. While large banks might be the target of nation-state attacks, small banks are targeted just as frequently because adversaries don’t discriminate.
Small banks lack the security teams and budgets to set up appropriate defenses, and hackers are aware of this – they see smaller firms as low-hanging fruit. But, compared to the big boys, small banks have much more to lose if they are attacked. One data breach could be all it takes to sink a bank.
Customers want to make sure their money is with a bank they can trust. If a bank isn’t a major player and its reputation is called into question, consumers will likely pull their funds immediately. That, of course, can put a bank’s financial solvency at risk. In fact, the National Cyber Security Alliance found that 60 percent of small firms go out of business within six months of a data breach.
Why cyber resilience matters
A robust cybersecurity strategy is no longer necessary just for large corporations. It’s a requirement for every business. That’s because it’s not a question of if a breach happens, but when. If you’re underprepared for an attack, the consequences could be devastating.
Breaches are expensive
IBM reported that data breaches in 2022 cost companies an average of $4.35 million. That includes ransoms paid, remediation costs, legal and compliance fees, lack of business continuity, and the costs associated with reputational damage. For the average small business, $4.35 million would be a devastating blow, something from which they’re unlikely to recover. Given those sobering statistics, it is apparent that any costs associated with securing your organization are well worth the price tag.
Keeping customers depends on it
When it comes to protecting their nest egg, their assets, and their savings, people aren’t willing to give banks a second chance. PCI Pal data showed that 62% of Americans claimed they would stop buying from a brand for several months following an attack. The finance and FinTech industry is becoming increasingly competitive, so a breach or even a security incident might be enough for customers to pull their funds and reinvest elsewhere. Also, with the new regulations put in place this March, the public will have more access to information about security incidents than ever.
Businesses need to meet U.S. and other global regulations
While regulations vary around the world, companies operating in the U.S. must meet criteria that are constantly changing. On March 9, the Securities and Exchange Commission (SEC) published a proposal for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies. These new rules are meant to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies.”
Then, on March 15, the Cybersecurity Incident Reporting for Critical Infrastructures Act of 2022 was signed into law; it requires companies to report significant cyber incidents. Previously, reporting incidents and cybersecurity practices was voluntary. While this transparency might be good for customers, it puts pressure on companies not only to maintain a robust cybersecurity strategy but also to ensure systems are in place for rapid reporting.
So here is the bottom line: to avoid fines, penalties, lost customers, and the significant financial costs of a breach, it’s essential to create a cybersecurity strategy, invest in the right tools, and then maintain your defense posture consistently.
How financial institutions can become cyber resilient
Financial institutions of all sizes need to invest in the cybersecurity basics, including email protection, endpoint protection, endpoint detection and response, privileged account abuse detection, and cyber insurance. They also need to protect data and algorithms with encrypted data vaults.
Multi-factor authentication is a must for both customers and employees and, ideally, customers should use biometrics to access their accounts on their apps. Because new regulations have put stricter requirements on reporting cyber incidents, organizations also need to ensure they can quickly and easily gather and report that information.
More often than not, security breaches are a result of human error. So it’s essential to conduct cybersecurity training and establish policies around email best practices, internet and social media usage, remote access, password protection, and more. Additionally, a company should run regular phishing tests for employees and simulate cyberattacks so it knows where vulnerabilities lie.
For small banks, this can be quite daunting. Unless you have a robust in-house cybersecurity team, you’ll need to outsource at least some of your security efforts to an outside vendor. You need a partner who can provide 24/7 monitoring and response services. In an ideal world, that partner would also provide the necessary tools and technology to secure your organization.
While it’s rare to find such a partner, SolCyber is up to the challenge. Our Foundational Coverage ensures small to mid-sized businesses have everything they need and nothing they don’t. And we can get you up and running in days.
Ready to become cyber resilient? Reach out to SolCyber, the experts in cybersecurity, to see how we can help.