The cybersecurity landscape for financial institutions and finance technology (fintech) has changed dramatically in the past few years, and 2023 will likely be no different.
In 2022, for example, distributed denial-of-service (DDoS) attacks targeting financial firms increased by 22% worldwide, compared to the previous year, according to a joint report published by the Financial Services Information Sharing and Analysis Center (FS-ISAC) and Internet infrastructure firm Akamai. Financial institutions in Europe saw an even greater jump, with 73% more DDoS attacks, the report stated.
While many businesses wave aside DDoS attacks as noise on the Internet, such tactics are increasingly used as a diversion tool, especially with geopolitical tensions running high, as they have since Russia invaded Ukraine, says Teresa Walsh, global head of intelligence at the FS-ISAC.
Financial institutions need to gauge “the potential for DDoS attacks to be used as a decoy for more damaging cyber activities, such as the infiltration of systems and the installation of malware,” she says. “While DDoS attacks themselves tend to not cause large windows of downtime due to a wide array of standard defensive measures available to financial institutions, the same practices are not as readily available for DDoS used as a smokescreen.”
The increase in DDoS attacks is just one area where financial services and fintech firms face an increasing level of threats. Driven by nation-state groups taking sides in the Russia-Ukraine war, ransomware is becoming more destructive, while attacks on financial data are increasingly a problem facing all types of organizations. In addition, attackers are using cybercriminal services — such as access brokers and ransomware-as-a-service — leading to more specialized and sophisticated operations against financial institutions and cryptocurrency services.
Regulations are also changing the cybersecurity landscape for financial firms, which must now — as of May 1, 2022 — disclose cyber incidents within 36 hours to their regulators in the United States, if the incident could impact the US banking system. At the same time, the recent ransomware attack on derivative service provider ION Group and the ongoing popularity of business email compromise (BEC) schemes show the brittleness of the financial supply chain.
While financial firms have some of the best cybersecurity, attackers continue to find ways to succeed, says Tom Kellermann, senior vice president of cyber strategy at Contrast Security.
“They have invested much more than other industries in cybersecurity, they have the best technologies, and they have some of the very best people in the world,” he says. “But they’re being hunted by the most organized sophisticated cybercrime cartels in the world, coupled with intelligence services from rogue nation states who want to hack the sector — not just for the purposes of economic espionage, but to help offset economic sanctions.”
Geopolitics & Cybercriminal Specialization Spur Changes
Two major forces are changing the overall cybersecurity landscape. Russia’s invasion of Ukraine has led to a parallel cyberwar that, unlike the physical conflict, has spilled outside the boundaries of those two nations. The Russia-Ukraine conflict has led to a greater number of attackers focusing on destructive operations, in addition to stealing funds or deploying ransomware for profit.
More than half (54%) of financial firms interviewed by Contrast Security considered cyberattacks from Russia as the top threat, with a quarter naming North Korea as their top worry.
“The Russians are most concerning to these institutions because Russian cybercrime cartels are far more knowledgeable of, not only the financial sector in terms of how it operates and what is most valuable … but also the interdependencies that exist in the sector,” Kellermann says. “Which is why you’re seeing that surge of attacks against APIs and an increase in island-hopping and watering hole attacks.”
Overall, cyberattacks in the sector have become more sophisticated, with many traditionally standalone attacks now being used as part of more complex operations, with “as-a-service” models replacing some parts of the attack chain. Access brokers have become far more popular, as demonstrated by the growth of the Emotet malware-as-a-service operation, cybersecurity firm Kaspersky said in a list of cyberthreats targeting the financial services industry.
“These access broker cybercriminal groups, they are basically hacking as much as they can and then they are selling the access to us to anyone that wants to buy,” Marc Rivero, a senior security researcher at Kaspersky, said during a presentation on the company’s predictions. “That allows other groups to spend less time compromising their targets.”
Even company finance and accounting departments are seeing increased risks. More than a third of organizations (35%) had their accounting and financial data targeted by attackers in a cyber event in the past 12 months, and nearly half (49%) expect an increase in similar attacks in the next year, according to a survey conducted by consultancy Deloitte.
Increasingly, attackers are focusing on compromising financial transactions between corporate users and financial institutions, and between financial firms and their vendors, says Daniel Soo, a principal with Deloitte’s risk and financial advisory group.
“These attackers are becoming a little bit more targeted, where they can get into some financials and see what’s underlying each of these firms,” he says. “And it’s a little bit frightening, because by peering into the financials, you can learn a lot about organizations.”
More Regulations, Compliance Risks
Financial institutions also have to deal with increasing regulations across multiple jurisdictions. Data breaches must be reported to European authorities to satisfy the General Data Protection Regulation (GDPR), and the United States is increasing oversight at both the state — led by California — and federal level. The American Data Privacy Protection Act (ADPPA) did not pass through Congress, but federal standards continue to progress, including a 36-hour reporting requirement for financial firms.
The increasing regulations mean that any financial institution, particularly a multinational one, needs to build a holistic cyber resilience program with the flexibility to meet changing requirements, says FS-ISAC’s Walsh.
“This has been a major priority for many years now, so we expect few institutions to have to make dramatic changes to their cyber management or reporting infrastructure in response to regulation,” she says.
Kellermann adds, “Plausible deniability is dead. They are just going to have to report now.”
Improvement Needed in Financial Security Posture
While financial services firms typically lead the pack as adopters of cybersecurity, the fast pace of innovation in payment technologies requires financial institutions to quickly move to secure those technologies, according to Contrast Security’s survey. In 2023, 72% of financial organizations plan to increase their investment in the security of their applications, while 64% mandated cybersecurity requirements for their vendors, the survey found.
In addition, the definition of cybersecurity and cybercrime is expanding to new categories. In a report released in January 2023, the Financial Industry Regulatory Authority (FINRA) added a new section for financial crimes in its cybersecurity and technology governance section.
For the most part, the financial industry needs to make its information infrastructure and processes more resilient — not only in resisting an attack, but also in the organization’s ability to recover following an attack, says Deloitte’s Soo. Currently, only 26% of companies have a process in place to estimate damages from specific types of cyber incidents, with another 17% aiming to put one in place in the next 12 months, Deloitte stated in its report.
“There’s certainly going to be a disruption often related to some sort of cyber incident, and resilience is very much around ‘how do you recover quickly in a very structured way’,” Soo says. “How can you recover and how can you limit the blast radius, [so] you localize any type of damage?”