With the vast amounts of money and sensitive data they possess, financial services companies are one of the most common targets for cybercriminals.
Worse, because of the highly lucrative opportunities for theft, fraud, and extortion, financial institutions attract the most competent, experienced, and motivated cybercriminals, including organised cybercriminal syndicates that employ the most sophisticated and diverse tools and techniques, making cyber security for financial services a number one priority.
Consequently, the average cost of a data breach in the financial sector was just under $6 million in 2022 – $1 million above the general average. It’s a cyber security statistic one simply can’t ignore. The financial services industry can’t afford to be the least bit complacent about cyber security and must have the best defence measures in place to mitigate cyber threats.
Considering all this, let’s look at the critical importance of cyber security in the financial services industry.
An overview of the financial service industry
The financial services industry is crucial for a country’s economy to function and prosper. It ensures that capital can flow freely through the market and remains sufficiently liquid. Consequently, it’s the sector most targeted by cybercriminals – after healthcare.
Naturally, the large amounts of money transacted and held by financial institutions, like banks and investment firms, are sought after by cybercriminals. However, the personally identifiable information (PII) they hold on their customers is also lucrative and a common target for criminals. Worse still, this doesn’t only include customers’ financial information but, in the case of companies like insurance brokers, their health records too.
However, it’s not just the sensitivity of data that’s a concern but the sheer amount of it too. In today’s increasingly competitive economic climate, lots of financial institutions have started working with Big Data: extracting, collating, and analysing data from a growing number of sources, including social media and third-party databases.
Another important point to consider is that it’s not just individual financial institutions susceptible to cyber attacks but also the software and systems they depend on. This includes the payment systems that facilitate the transfer of funds between parties (B2C, B2B, C2C), transaction registers, and other critical financial infrastructure.
These systems are so interconnected and relied on by the global financial industry that a serious cyber attack could even trigger an economic crisis, in particular because of the damage that would be done to the public’s trust and confidence in the underlying mechanisms vital for commerce, and for an economy, to function.
The global financial sector’s dependence – and, by extension, the global economy’s dependence – on this infrastructure makes it especially prone to ransomware attacks. Cybercriminals are fully aware that the proprietors of key financial infrastructure will be desperate to mitigate a cyber attack as quickly as possible, increasing the chance they’ll pay the requested ransom.
What are the top 3 cyber security challenges facing the financial industry right now?
The financial industry’s three biggest cyber security challenges are:
1. The large number and variety of cyber threats, with the sector receiving the second most cyber attacks – after healthcare.
2. The constant evolution of cyber threats and security teams’ struggle to keep up with malicious actors.
3. The lack of clarity regarding responsibility for implementing cyber risk mitigation strategies, and the resulting lack of co-operation between institutions, intelligence agencies, lawmakers, etc.
Cyber security for financial services in a post-pandemic world
Although it has always been crucial, financial services cyber security is even more of a priority in the wake of the global pandemic.
The first reason is the rapid rate of digitisation in the financial industry – which was only accelerated by the pandemic. Unable to purchase goods and services like they’re used to, hundreds of millions of consumers were forced to get to grips with applications and digital services, such as contactless cards and digital wallets.
Subsequently, malicious actors took advantage of the huge surge in the adoption of fintech in such a condensed timeframe – as well as the general chaos and confusion caused by COVID. So much so that the number of cyber attacks against financial institutions increased by an alarming 74% during the first year of the pandemic alone.
However, the digital transformation in the financial industry is far from over – with many speculating it’s merely in its infancy. At this time, as the public grows accustomed to emerging financial technology, a cyber attack can severely undermine trust in it, slowing down its adoption – as has been the case with cryptocurrencies.
A second reason it’s never been more essential to have strong cyber security requirements for financial services companies is the unprecedented rise in remote and hybrid working. Again, as with the adoption of fintech, the increasing trend of employees working from home was underway before 2020, only to skyrocket due to the pandemic. Organisations worldwide scrambled to set staff up to work from home, with many turning to communication, conferencing, and collaboration applications they’d never used before. With limited time to get employees up and running, the priority was adaptability and functionality – not security.
Consequently, the tens of millions of people employed by the global financial services industry were outside their employers’ traditional network perimeter defences – making them prime targets for cybercrime. Malicious actors took advantage of the reduced monitoring ability of security teams, more staff working on their own devices, and the widespread use of vulnerable applications to breach financial services companies’ cyber security defences.
Additionally, cybercriminals capitalised on the fear, uncertainty, and rampant spread of misinformation during the pandemic to increase the frequency and efficacy of their phishing campaigns. As a result, many were able to trick employees of financial institutions into divulging their access credentials, giving hackers a foothold into their employer’s IT infrastructure – and access to sensitive data and digital assets.
Solutions for better cyber security within the financial services industry
Multi-factor authentication (MFA)
MFA refers to using several authentication methods to verify a user’s identity, as opposed to just a username and password. The factors can be something the user knows (username and password, PIN, security questions); something the user has (a one-time password (OTP), security fob, USB device, access card or badge); or something the user is, i.e., inherence (biometric markers: fingerprints, retina, voice, face, etc.).
Zero trust
The zero trust model is a set of access control policies that subscribe to the principle of “never trust, always verify”. It assumes a security breach has already occurred and forces users to frequently re-verify their identity. A zero trust network architecture (ZTNA) also employs least-privilege access, so users only have as much access as they need for their role – in light of the assumption that a malicious actor is already inside the network.
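To make the MFA and zero trust sections concrete, here is an added example (not RiskXchange’s code or any vendor’s product): a time-based one-time password check for the OTP possession factor (RFC 6238, HMAC-SHA1), combined with a least-privilege authorisation decision that refuses to act on a session whose last verification is stale. The role table, the re-verification window and the session fields are assumptions chosen for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Role-to-permission table: an assumption for this example (least privilege,
# each role gets only the actions it needs).
ROLE_PERMISSIONS = {
    "teller": {"view_balance"},
    "ops": {"view_balance", "approve_transfer"},
}

def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains for_time."""
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def verify_otp(secret: bytes, code: str, now: int, step: int = 30) -> bool:
    """Possession factor: accept the current step and one step either side (clock skew).
    compare_digest keeps the comparison constant-time so it does not leak digit by digit."""
    return any(hmac.compare_digest(totp(secret, now + k * step, step), code) for k in (-1, 0, 1))

@dataclass
class Session:
    user: str
    role: str
    verified_at: int  # unix seconds when both factors were last checked

def authorize(session: Session, action: str, now: int, reverify_after: int = 300) -> str:
    """Zero trust decision: deny actions the role does not need, and deny when the last
    verification is older than reverify_after seconds ("never trust, always verify")."""
    if action not in ROLE_PERMISSIONS.get(session.role, set()):
        return "deny: role lacks permission"
    if now - session.verified_at > reverify_after:
        return "deny: re-verification required"
    return "allow"

def step_up(session: Session, secret: bytes, code: str, now: int) -> bool:
    """Re-verify the second factor and, only on success, refresh the session's timestamp."""
    if not verify_otp(secret, code, now):
        return False
    session.verified_at = now
    return True
```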
Third-party risk management
Even if a financial services company has robust cyber security, malicious actors can breach its defences by targeting a third party, i.e., a supplier, with access to its digital assets. Consequently, for financial services firms, third-party risk management is crucial. You can read more about vendor risk management (VRM) in the finance industry in our guide.
Continuous monitoring tools
With the range and severity of cyber threats facing them, static, “point-in-time” assessments aren’t an option for financial institutions. They must employ continuous monitoring tools to determine their cyber security posture at any time. Better still, they can utilise AI-assisted monitoring tools that use machine learning (ML) algorithms to detect potential threats more accurately.
Active cyber security measures
Instead of waiting for malicious actors to (inevitably) attack, some financial services companies are transitioning from passive to proactive cyber defence measures, such as threat hunting and deception-based security.
Encryption
Cyber security for financial services must include the strongest cryptographic techniques when storing or transferring sensitive data. That way, the data won’t be so easily accessible if it is exfiltrated by cybercriminals.
Employee awareness training
Cyber security for financial services is far more effective with the buy-in and support from a company’s workforce. Teaching your employees the importance of cyber security and how to be more vigilant, e.g., how to spot a phishing email, reduces the chance of a successful cyber attack.
Why is cyber security for financial services a challenge?
The primary reason cyber security for financial services is challenging is the high frequency and variety of cyber threats the sector is subject to. With the substantial profit cybercriminals can generate by stealing a financial institution’s assets, there’ll always be a steady supply of malicious actors motivated to try.
Worse, financial services companies attract the most capable cybercriminals, who are constantly devising new ways to execute data breaches successfully. Consequently, regardless of how quickly security teams can implement cyber security mitigation measures – or how fast developers can create new security tools, cybercriminals are developing ways to circumvent them just as quickly. It’s an arms race.
Another pressing challenge in improving cyber security in the financial services industry is ambiguity over who’s responsible for risk mitigation. As mentioned earlier, the financial sector isn’t just comprised of companies in banking and insurance brokers; it’s the shared critical infrastructure that underpins the industry.
While companies must be responsible for the cost of implementing their cyber security controls, who should foot the bill for securing the systems and mechanisms that everyone benefits from? To successfully address, let alone solve, this problem, there needs to be greater co-operation between companies, governmental agencies, and regulatory bodies.
Cyber security regulations for financial services
While complying with risk management regulations and compliance is important for any organisation, for financial services companies, it’s essential. Cyber security regulations for financial services are designed to ensure that companies implement cyber security processes and controls appropriate for the frequency and level of threats facing the industry. Here are a few key cyber security regulations for financial services to be aware of.
EU-GDPR
GDPR (General Data Protection Regulation) is an information security framework that protects the PII of EU citizens. GDPR applies not only to organisations based in the EU but also to any organisation, worldwide, that deals with the PII of EU citizens.
UK-GDPR
UK GDPR is the United Kingdom’s version of the EU data privacy legislation in light of Britain leaving the European Union. As with EU-GDPR, it applies to any organisation that collects and stores data from UK citizens.
SOX
The Sarbanes-Oxley Act (SOX) was established in 2002 in the wake of the Enron scandal. It requires that companies that trade in the US submit annual reports outlining identified risks to the organisation and their mitigation strategies – including information security.
Examples of data breaches within the financial industry
Unfortunately, you haven’t got to look far for examples of major security incidents at financial institutions. Here are five prominent examples of data breaches within the financial industry, each further highlighting the crucial importance of cyber security for financial services.
- First American Financial, May 2019: this breach exposed 885 million records, including PII such as names, emails, and phone numbers.
- Equifax, Sep 2017: a particularly serious data breach, with the attack on the credit scoring bureau leaking the PII of 147 million customers, including credit card and social security numbers. This security breach had the potential to impact an estimated 40% of the American population.
- Capital One, Mar 2019: The data breach at this credit card company saw the theft of 100 million credit card applications and the exposure of sensitive data like social security and bank account numbers.
- Experian, Aug 2020: this data breach occurred as a result of a cybercriminal impersonating staff from Experian’s supply chain network, who convinced an employee to reveal 24 million customer records.
- Block, Apr 2022: a potent example of an insider threat, a Block employee leaked 8 million customer records, including full names, brokerage account numbers, and details of holdings.
How RiskXchange can help you secure your business
If your company is in the financial services industry, having a well-constructed, robust, and evolving cyber security risk mitigation strategy is vital. Contact us for your free attack risk surface assessment and start the essential process of strengthening your company’s cyber security.