Cybersecurity in the Financial Services Industry
Financial services providers such as banks, credit unions, credit card companies, and investment firms hold personally identifiable information (PII) on every customer and client: home address, Social Security number, banking details, phone number, email address, and income. Because this data commands a high price on the darknet, the sector is a magnet for fraudsters.
The worldwide financial services sector was estimated to be worth $22 trillion in 2019. Non-cash payments have been steadily increasing in this industry. Non-cash payments are growing in popularity as the internet and mobile phones become more widely used in emerging countries, as well as a global shift toward real-time payment mechanisms.
Internet banking, smartphone apps, and instant payments all require new technology. Every increase in technology use necessarily expands the industry’s attack surface and introduces new vulnerabilities.
The increasing incidence of cyberattacks on financial services firms reflects how this industry has resorted to technology to solve many of its challenges. Many financial organisations rely on big data to grow their market share. Financial organisations may better understand their consumers and attract new ones by tapping into social media, consumer databases, and news feeds.
Because of the inherent dangers of technology, academia is under pressure to produce fresh and growing crops of highly competent security specialists. The financial industry may have fumbled at the start of the fight to keep one step ahead of cyber bad actors. “While financial institutions are aware that security is a concern, many are unprepared and unaware of how to resist fraudsters’ increasingly sophisticated tactics,” according to a blog post on the University of San Diego website. “Recent surveys portray a picture of an industry that sees the writing on the wall but frequently works with the technological equivalent of whiteout,” according to RSA.
Cybersecurity in the Financial Services Industry
The financial services industry, without a doubt, requires more qualified cybersecurity personnel. The present cybersecurity skills shortage affects all business sectors, but financial services organisations are generally high-profile targets and must be especially attentive when it comes to cybersecurity. Financial firms are subject to an ever-increasing number of cybersecurity rules and regulations as custodians of sensitive client PII. Financial firms are encouraged to contribute significant investment and collaboration to strengthen cybersecurity preparedness, response, and resiliency throughout the sector due to regulatory pressure and the need to safeguard brand reputation.
Financial services firms fall into two categories: those that have already been harmed by a cyberattack and those that will be. Financial institutions are finding it increasingly difficult to protect client data, and many have suffered multiple breaches.
From 2009 to 2019, some of the most well-known names in the industry were penetrated on many occasions. During this time, American Express and SunTrust Bank were both hacked five times, while Capital One and Discover were both hacked four times.
The average cost per breach in financial services in 2019 was $5.86 million, according to the IBM Security Cost of a Data Breach Report. That figure is second only to healthcare and roughly 1.5 times the cost per breach in the public sector.
In the financial services industry, hacking and malware are the most common sources of data breaches. Insider threats and unintentional disclosures, on the other hand, are on the rise. Over the next few years, rising cloud adoption is projected to amplify these challenges.
According to industry statistics, 75% of breaches include hacking and malware, 18% involve unintentional exposure, 6% involve insider risks, and 2% involve physical breaches.
Cyberattacks on financial institutions cause minimal direct harm to consumers. Consumers are protected by US federal law, which compels banks to refund clients who report an erroneous transaction within 60 days of its appearing on their statement, provided the clients took reasonable steps to secure their information.
The federal government, on the other hand, provides fewer guarantees to banks. The Financial Stability Oversight Council of the US Department of the Treasury is in charge of monitoring the financial system’s stability. Critics allege that the council isn’t doing enough to prepare for cyberattacks that might jeopardise large banks’ solvency.
Case Study: Cybersecurity and Financial Services
Data security is being impacted by the growing usage of rented cloud data servers. The major data breach suffered by Capital One in 2019 is an example of the security complications brought by using third-party servers in an organization’s computing architecture.
“Authorities allege a Seattle software developer was responsible for the hacking of Capital One and got the personal data of over 100 million people in what seems to be one of the largest breaches of a significant bank in history,” according to a July 2019 Fox News report.
Paige Thompson, 33, was detained in Seattle after strewing information about the incident across the internet and social networking sites. “Thompson blogged on the information sharing site GitHub about her theft of information from the servers hosting Capital One data,” the US Attorney’s Office said on July 29. “A misconfigured web application firewall allowed access to the data, allowing the breach to take place. A GitHub user who saw the post informed Capital One of the likelihood of a data breach on July 17, 2019. Capital One alerted the FBI after discovering unauthorised access to its data on July 19, 2019.”
“A Capital One insider informed Fox News that the 100 million people affected by the attack include every existing customer, every prior customer, and anybody who’s ever applied for a Capital One card,” according to the Fox News story.
“Data included approximately 140,000 Social Security numbers and approximately 80,000 bank account numbers on US consumers, and roughly 1 million Social Insurance Numbers (SINs) for Canadian credit card customers,” said Brian Krebs, a leading cybersecurity researcher, on his website, KrebsonSecurity.com.
Ray Watson, a cybersecurity researcher at cloud security company Masergy, is quoted by Krebs. “The attacker was a former employee of the web hosting company involved, which is known as an insider threat,” Watson explained. “She allegedly obtained privilege escalation by using web application firewall credentials. In addition, comparable data breaches frequently involve the use of Tor and an overseas VPN for obfuscation.”
Thompson worked as a software developer at Amazon at the time of the incident. Capital One’s data was stored on an Amazon-rented server.
When data is hosted on a third-party server, malicious insider conduct such as this is harder to control. Outsourcing computing infrastructure is cost-effective for financial services companies, as it is for many other businesses, but the added complexity puts more pressure on security teams to build solutions that address insider risk while also covering their rented cloud infrastructure.
What Makes Cybersecurity Challenging Within the Financial Services Field?
The financial services industry is particularly concerned about cybersecurity because, as the cliché goes, “that’s where the money is.” In today’s world, there are a plethora of complex and clever techniques to defraud others of their money. Still, nothing appeals to the criminal psyche more than electronically diverting funds from someone else’s account into their own.
As the number of attacks rises, regulators take notice and take action to put more pressure on the industry to find solutions. Regulatory and compliance standards are both a huge barrier and the single most essential reason why people trust the financial sector with their money.
Author Ashlyn Burgett points out in an interesting blog article on the KirkpatrickPrice website that the financial industry has been burdened with the following regulatory monitoring in only the last two years, in addition to current cybersecurity laws:
- New York State Department of Financial Services Cybersecurity Requirements Regulation for Financial Services Companies Part 500 (NY CRR 500) of Title 23.
- US Securities and Exchange Commission (SEC) issued interpretive cybersecurity guidance.
- National Cybersecurity Center of Excellence (NCCoE) released the NIST Cybersecurity Practice Guides SP 1800-5, SP 1800-9, and SP 1800-18.
- 24 US states passed bills or resolutions related to cybersecurity.
In general, third-party vendors play an important role in the financial sector. The industry is nothing more than a mash-up of multiple business partners collaborating to provide the illusion of a unified set of services. The financial services industry faces a significant problem in managing vendor risk. Many smaller organisations perform a variety of business services behind the scenes at every large well-known financial service company. The act of assessing, auditing, and controlling each of these businesses adds to the overall cyber risk.
Consumers are increasingly requesting cashless and frictionless banking services. They want apps that are simple to use while yet being safe. They want to transfer and receive money electronically at the press of a button, but they also want such transactions to be secure. Keeping up with the newest in computer and application security technology can be difficult for financial services businesses, which supports the industry’s demand for highly qualified security personnel.
Cybersecurity Solutions for the Financial Services Industry
The financial sector is struggling to keep up with technological advancements. Legacy systems that would be expensive to replace are not only inconvenient for clients but can represent a serious threat to financial institutions, because attackers frequently benefit from new technologies that make attacking legacy systems easier.
Many banking organisations, for example, have yet to implement two-factor authentication (2FA). 2FA is most typically implemented by sending a temporary code to the customer’s mobile phone, which must be entered to log into the account. An attacker would then need both the account credentials (or the computer) and the phone. Several banks still do not employ two-factor authentication for account access, and the most common explanation given is that 2FA is inconvenient for their customers.
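The temporary-code scheme described above has a few server-side details that decide whether it actually adds security: the code must be unpredictable, it must expire, it must be single-use, and guesses must be limited so a six-digit code cannot simply be enumerated. The following is an added example written for this page, not code from any bank or vendor mentioned in the article; the delivery channel (SMS, app push) is out of scope, and the 5-minute lifetime and 5-attempt lock are assumed values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

CODE_TTL_SECONDS = 300   # assumption: a delivered code is valid for five minutes
MAX_ATTEMPTS = 5         # assumption: a challenge locks after five wrong guesses
CODE_LENGTH = 6


def _hash_code(code: str, salt: bytes) -> bytes:
    """Store only a salted hash so a database leak does not expose live codes."""
    return hashlib.sha256(salt + code.encode("ascii")).digest()


class OtpChallenge:
    """Server-side record of one pending second-factor challenge for one login."""

    def __init__(self, code: str, now: float):
        self.salt = secrets.token_bytes(16)
        self.digest = _hash_code(code, self.salt)
        self.expires_at = now + CODE_TTL_SECONDS
        self.attempts = 0
        self.consumed = False


def issue_code(now: Optional[float] = None) -> Tuple[str, OtpChallenge]:
    """Generate a CSPRNG-backed numeric code.

    Returns (code to deliver to the customer, record to keep on the server).
    `now` is injectable so the expiry logic can be tested deterministically.
    """
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
    return code, OtpChallenge(code, now)


def verify_code(challenge: OtpChallenge, submitted: str,
                now: Optional[float] = None) -> str:
    """Check a submitted code; returns 'ok', 'used', 'expired', 'locked' or 'wrong'.

    Every wrong guess counts against the challenge, and once the limit is hit
    even the correct code is refused, which is what defeats brute-forcing.
    """
    now = time.time() if now is None else now
    if challenge.consumed:
        return "used"
    if now > challenge.expires_at:
        return "expired"
    if challenge.attempts >= MAX_ATTEMPTS:
        return "locked"
    challenge.attempts += 1
    # Constant-time comparison of the hashes, so response timing leaks nothing.
    if hmac.compare_digest(challenge.digest, _hash_code(submitted, challenge.salt)):
        challenge.consumed = True
        return "ok"
    if challenge.attempts >= MAX_ATTEMPTS:
        return "locked"
    return "wrong"


if __name__ == "__main__":
    code, challenge = issue_code()
    print("deliver to customer:", code)
    print("wrong guess ->", verify_code(challenge, "000000" if code != "000000" else "111111"))
    print("right guess ->", verify_code(challenge, code))
    print("replay      ->", verify_code(challenge, code))
```

The challenge object would normally live in a session store keyed by the login attempt; the important property is that the plaintext code exists only on the customer’s device and in the delivery message, never at rest on the server.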
To provide the convenience that customers want, businesses must use cutting-edge computer science technologies. Developers of apps and software are under constant pressure to improve the client experience, and security might fall behind in the development process. To properly maintain a DevSecOps environment where security is shared across all elements of development and operations, security specialists with the latest programming and security capabilities are required.
Companies like Nyotron have developed methodologies that protect even against zero-day exploits, based on the idea that bad actors can use an unbounded number of illegitimate or malicious behaviours to attack a target, whereas only a finite number of legitimate activities should ever be allowed on financial systems. These operating-system-centric technologies work as a whitelist of allowed behaviour, blocking any system behaviour that does not follow a prescribed set of functions in a logical order. This strategy guards against behavioural anomalies and, as a result, against many cyberattacks regardless of the specific exploit used.
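To make the allowlist-of-behaviour idea concrete, here is an added example (written for this page; it is not Nyotron’s product or policy) that encodes a prescribed action order for a hypothetical payment-batch process as a state machine. Any action not on the list, or a legitimate action taken out of order, is blocked without the policy needing to know anything about the exploit that produced it. The process name, the action vocabulary and the sample traces are all constructed for the illustration.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed allowlist for a hypothetical "payment-batch" process. Each key is the
# last permitted action (the current state) and the value is the set of actions
# allowed to follow it. Everything not listed is, by definition, illegitimate.
ALLOWED_TRANSITIONS: Dict[str, Set[str]] = {
    "start":        {"read_config"},
    "read_config":  {"connect_db"},
    "connect_db":   {"query_ledger"},
    "query_ledger": {"query_ledger", "write_report"},   # may loop over records
    "write_report": {"send_report", "exit"},
    "send_report":  {"exit"},
    "exit":         set(),
}


def evaluate_trace(trace: List[str]) -> Tuple[bool, Optional[int], List[str]]:
    """Walk an observed action sequence against the allowlist.

    Returns (clean, index_of_first_violation, per_action_decisions). A blocked
    action is treated as not executed, so the state does not advance past it;
    this mirrors an enforcement agent that denies the call and keeps going, and
    it lets the caller see every violation in the trace rather than only the first.
    """
    state = "start"
    decisions: List[str] = []
    first_bad: Optional[int] = None
    for index, action in enumerate(trace):
        if action in ALLOWED_TRANSITIONS.get(state, set()):
            decisions.append("allow")
            state = action
        else:
            decisions.append("block")
            if first_bad is None:
                first_bad = index
    return first_bad is None, first_bad, decisions


# Constructed sample traces, e.g. as an endpoint agent might record them.
NORMAL_RUN = ["read_config", "connect_db", "query_ledger", "query_ledger",
              "write_report", "send_report", "exit"]
# An unknown action: whatever exploit caused it, "spawn_shell" is simply not on the list.
UNKNOWN_ACTION = ["read_config", "connect_db", "spawn_shell", "query_ledger"]
# A legitimate action at the wrong point: reporting before the report was written.
OUT_OF_ORDER = ["read_config", "connect_db", "query_ledger", "send_report"]


if __name__ == "__main__":
    for name, trace in [("normal", NORMAL_RUN), ("unknown action", UNKNOWN_ACTION),
                        ("out of order", OUT_OF_ORDER)]:
        clean, first_bad, decisions = evaluate_trace(trace)
        verdict = "clean" if clean else f"violation at step {first_bad} ({trace[first_bad]})"
        print(f"{name:14s}: {verdict}; decisions={decisions}")
```

The design choice worth noting is that the policy is written entirely in terms of what the process is supposed to do; it contains no signatures and needs no update when a new exploit appears, which is the property the paragraph above attributes to this class of product.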
Leaders in the financial services industry must accept that hackers will discover ways to exploit flaws. These flaws can be found in computer systems and networks, as well as processes and procedures. Building a technological firewall is only the first line of defence.
Human behaviour is the weakest link in cybersecurity, according to study after study. Social engineering is a staple tactic of cybercriminals. For decades, phishing emails have been used to deliver malware. Cybercriminals are increasingly turning to social media platforms to collect information that can be used to groom or exploit employees of financial institutions. After establishing a connection with, or manipulating, an employee at the targeted organisation, scammers apply pressure to obtain credentials or other sensitive information that allows harmful software to be installed.
Many financial firms believe that forming internal or external penetration teams is beneficial. Exercises with a red team and a blue team can reveal cyber weaknesses while also offering useful training for internal cyber defenders.
The financial industry is targeted on all sides by cybercriminals, second only to healthcare in the hierarchy of most cybersecurity threats. Sensitive data, especially valuable PII, is the lifeblood of this industry. Regulators maintain a close eye on cyber occurrences in this industry and are prepared to impose ever-stricter laws and restrictions. Customers demand a seamless, frictionless, and cashless online and mobile app experience. Financial services, like all industries, is affected by a global cybersecurity skills shortage.
These characteristics combine to create what may be described as a perfect storm of cyber-threat settings. Under the circumstances, this industry should be commended for offering a degree of protection that the majority of customers find acceptable. But how much will it cost? Many people believe that the underlying costs of compliance and resilience will be too expensive for some financial service companies in the long run. If this occurs, only the largest companies will be able to survive, reducing competition in the industry. In the long run, this is bad news for consumers.
This market is primed for innovation that will go beyond the current state of affairs and provide a safer way to conduct financial transactions.
- Hands-On Cybersecurity for Finance: Identify vulnerabilities and secure your financial services from security breaches. By Dr. Erdal Ozkaya and Milad Aslaner. A comprehensive guide that gives you hands-on experience in studying and overcoming financial cyber-threats.
- Elementary Information Security. By Richard E. Smith. A comprehensive yet easy-to-understand introduction to the complex world of cybersecurity and technology.
- Third-Party Cyber Risk for Financial Services: Blind Spots, Emerging Issues & Best Practices. Report by BitSight and CeFPRO.