Cyberattacks on the financial sector have been steadily
increasing. According to VMware, financial institutions experienced a 238%
increase in cyberattacks within the first six months of 2020 alone. In 2021,
the trend continued with financial institutions/fintech being hit by
ransomware, phishing, SQL injection, social engineering, and denial of service
attacks, among others.
Government agencies have sought to stem the trend with
regulations, resources, and regular warnings. But has this been enough and can
financial institutions/fintech companies do more to protect the sensitive data
of their customers and their own proprietary information? The answer is yes,
and it involves executives gaining a better understanding of how cyberattacks
on the financial sector, and the responses to them, have evolved, along with
implementing cybersecurity best practices that address current threat
vectors.
On September 14, 2007, the online brokerage, TD Ameritrade,
reported that it had experienced a data breach that resulted in the theft of
6.3 million customer account records. It was one of the first major wake-up
calls for the financial sector and sadly would be followed by many others. A
report by the Boston Consulting Group stated that financial services firms are
300 times more likely to experience a cyberattack than businesses in other
industries. Their costs from a cyberattack are higher too. Accenture reported
that the average cost of a cybercrime per financial services company in 2018
averaged $18.5 million compared with $13 million for companies in other
sectors. It is likely that amount has increased. The good news is that there is
greater awareness and measures in place to help combat cybercrime. This
heightened awareness coupled with best practices can be extremely effective.
Serious cybercrime incidents in 2021
Since tracking and reporting of cyberattacks began, there
has been a steady stream of attacks on banks, credit unions,
credit card companies, mortgage lenders, investment firms, cryptocurrency
platforms, and other financial businesses worldwide.
The attackers have included Russian-speaking criminal groups such as TA505,
ransomware groups such as DarkSide and Ragnar Locker, international crime rings,
and Android banking-trojan campaigns such as SharkBot and UBEL. Some of the cyberattacks on
financial sector firms that made headlines in 2021 include:
A stolen private key that let attackers drain hot wallets of the crypto trading
platform Bitmart, withdrawing almost $200 million in assets.
The hacking of Robinhood, an American stock trading
platform, that gave the cyber thief access to approximately seven million
customers' personal information.
A breach at the insurance tech start-up BackNine that exposed 711,000 files
containing customers’ sensitive personal information, including medical histories.
A denial-of-service attack on a German IT firm that operates
technology for Germany’s cooperative banks disrupted the operations of 800
financial institutions in the country.
A 300% increase in phishing attacks impersonating Chase from May to August 2021,
as reported by Cyren research.
The ransomware attack on CNA Financial which disrupted its
employee and customer services for three days.
Measures to mitigate cyber crimes
These are just some examples of the hundreds of cyberattacks
that befell financial sector businesses in 2021. These incidents gave rise to
increasing warnings from government agencies. In the United States, cyber
threat warnings are regularly issued by the Federal Bureau of Investigation
(FBI), the New York State Department of Financial Services (DFS), and the Federal Trade
Commission (FTC). The U.S. has also developed various laws and standards that
bear on cybersecurity within the financial sector, including the Sarbanes-Oxley
(SOX) Act of 2002, the Bank Secrecy Act, the Gramm-Leach-Bliley Act, and the
Payment Card Industry Data Security Standard (PCI DSS). More recently, the
Biden Administration instituted new cybersecurity rules for the financial
sector.
The FTC amended its Safeguards Rule under the Gramm-Leach-Bliley Act,
requiring FTC-regulated financial institutions to build specific
cybersecurity requirements into their information security
programs. Additionally, the U.S. Securities and Exchange Commission (SEC)
announced new enforcement actions against financial sector firms for deficient
disclosure controls over their cybersecurity risks. It is expected that
other agencies such as the Office of the Comptroller of the Currency (OCC), the
Federal Deposit Insurance Corporation (FDIC) and the Federal Reserve System will
follow suit and issue new cybersecurity regulations.
Within the European Union, there is the European General
Data Protection Regulation (EU-GDPR) and since Brexit occurred, the United
Kingdom created its own version of GDPR (UK-GDPR).
In 2015, the “Financial Services Sector-Specific Plan” was
issued jointly by the U.S. Department of Treasury and the U.S. Department of
Homeland Security. It outlines a comprehensive cybersecurity plan for financial
sector firms that covers a strategic framework, goals, information sharing policies,
best practices, incident response, recovery, and benchmarking. It is a good
basic guide, but not enough. Financial sector businesses must deploy
industry-driven best practices.
Best Practices for cybersecurity in fintech
Many financial institutions/fintechs have extensive
Information Technology (IT) departments. They are well-staffed by computer
engineers, technicians, network administrators, etc. with oversight by an
experienced Chief Information Officer (CIO). These organizations also rely on Managed
Service Providers (MSPs) to perform various functions such as preventive system
maintenance and software updates. In many organizations, both internal IT staff
and MSP staff take on a role in cybersecurity. This is not the
ideal situation, and these individuals should not be the ones
performing certain critical tasks such as vulnerability assessments,
penetration testing and benchmarking of the systems they themselves build and operate.
These tasks should be outsourced to a third-party
cybersecurity firm. These firms have experienced cybersecurity professionals on
staff who hold credentials such as Computer Hacking Forensic
Investigator (CHFI), Certified Information Systems Auditor (CISA), Certified Ethical Hacker (CEH),
Certified Information Systems Security Professional (CISSP) and Certified Information
Security Manager (CISM). Beyond their specializations, they provide an
objective evaluation of a financial firm/fintech’s systems, one that is not
compromised by a conflict with their primary role, as is the case for internal or MSP
staff assessing their own work.
Measures to build a sound cybersecurity initiative
Detection – An organization’s cybersecurity should be
driven by strong detection measures. That starts with having a third-party
cybersecurity firm conduct a vulnerability assessment on all of the
organization’s IT systems to determine weaknesses and risk levels. In
addition, penetration testing (i.e.,
ethical hacking) should be performed to assess how easily a
cyber-criminal could enter and attack the organization’s network, exposed
services and ports, databases, email, etc.
Mitigation – Once the vulnerability assessment and
penetration testing have been completed, it is important to consider the
remediation measures recommended by the cybersecurity firm. To mitigate threats
and heighten system security, the firm may recommend new firewalls,
anti-keylogging encryption software, endpoint protection, multi-factor
authentication, password and SSH key management, and other measures to secure
system access.
Cybersecurity Framework and Policies – A formal
document should be developed to break out all cybersecurity-related policies,
procedures, and best practices. They will include data back-ups and back-up
data recovery, implementing software updates, regular vulnerability
assessments, and penetration testing which addresses the latest threat vectors,
limiting access to sensitive data to select authorized staff, a password
management directive, and eliminating any unnecessary technology. This document
should be shared with staff and vendors whose roles involve access to the
organization’s technology. The document should also include a section
identifying the organization’s cybersecurity insurer and coverage, which should be
reviewed on an annual basis or more frequently if the organization has
experienced an increase in cyberattacks.
Incident Response and Recovery Plan – A plan that
includes all measures to be implemented in the event of a cyberattack. Much
like a disaster recovery plan, it should include key staff and their
responsibilities, a communications policy (i.e., what individuals and entities
should be notified and in what order), documentation procedure, and any crisis
management and damage control measures to be taken.
Cybersecurity Staff Training – It is also critical
that the awareness of all staff regarding the threat of cyberattacks be raised
with training and education. Many cyberattacks start with an unsuspecting staff
member who opens an email attachment or link that they should not have and in
doing so exposes the organization to a major breach. It’s important that staff
be familiar with common cyberattacks. These include:
Phishing attacks, in which cybercriminals send emails that
appear to come from a credible organization (often one with which the
recipient has a relationship) and request sensitive data (e.g., financial account information,
passwords, etc.).
Ransomware attacks, in which attackers plant malicious software
that encrypts the organization’s data and then demand a ransom in exchange for
restoring access to it.
Malware, malicious software placed on computers
or a network that enables the cybercriminal to take control of the machine,
monitor the user’s keystrokes and actions, and access confidential data. Malware
typically gets onto a computer when the user clicks a link or opens an
attachment.
Denial-of-Service attacks, which temporarily shut down a machine or
network, rendering it inaccessible to its intended users.
SQL (Structured Query Language) Injection attacks, which
target applications that build database queries from user input. When that input is
concatenated directly into the query text, an attacker can supply fragments of SQL
that the database then executes, bypassing authentication checks or extracting
data the application never meant to return.
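The following is an added example, not code from the original article, showing the SQL injection weakness described above and its fix. It uses Python's built-in sqlite3 module with a small constructed table of hypothetical accounts; the table name, columns and payloads are illustrative assumptions. The vulnerable login builds its query by string concatenation, so the classic `' OR '1'='1` payload turns the WHERE clause into one that matches every row, and a `--` comment payload lets the attacker log in as a chosen user without the password. The parameterized version sends the same input as bound values, which the database never parses as SQL.

```python
import sqlite3

# Constructed sample data for the demo (hypothetical, not real records).
# Real systems store password hashes, never plaintext; the point here is
# how the query is built, not how credentials are stored.
SAMPLE_ROWS = [
    ("alice", "s3cret-A", "ACC-1001"),
    ("bob", "s3cret-B", "ACC-1002"),
    ("carol", "s3cret-C", "ACC-1003"),
]


def make_db():
    """Create an in-memory database with an assumed `accounts` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT, password TEXT, account_no TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: attacker-controlled strings become part of the SQL text."""
    query = (
        "SELECT account_no FROM accounts WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn, username, password):
    """Hardened: the same query with bound parameters. The driver passes the
    values separately, so quotes and comment markers in them are just data."""
    query = "SELECT account_no FROM accounts WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


# Payload 1: closes the password string and appends an always-true clause.
# Resulting WHERE: username = 'nobody' AND password = '' OR '1'='1'
TAUTOLOGY_PAYLOAD = "' OR '1'='1"

# Payload 2 (in the username field): closes the string and comments out the
# rest of the statement, so the password check is never evaluated.
# Resulting WHERE: username = 'alice' --' AND password = 'wrong'
COMMENT_PAYLOAD = "alice' --"


def demo():
    """Run both login variants against legitimate and injected input."""
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret-A"),
        "legit_safe": login_safe(conn, "alice", "s3cret-A"),
        # Tautology injection: vulnerable code returns every account.
        "inject_vulnerable": login_vulnerable(conn, "nobody", TAUTOLOGY_PAYLOAD),
        "inject_safe": login_safe(conn, "nobody", TAUTOLOGY_PAYLOAD),
        # Comment injection: vulnerable code logs in as alice with no password.
        "comment_vulnerable": login_vulnerable(conn, COMMENT_PAYLOAD, "wrong"),
        "comment_safe": login_safe(conn, COMMENT_PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")
```

The parameterized form is the fix to insist on in a code review or a penetration test report; input filtering or escaping alone is brittle, because every database dialect has its own quoting rules and comment syntax, whereas bound parameters remove the data from the parsed statement entirely.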
Securing the financial sector
The American Institute of Certified Public Accountants
(AICPA) reported that eight in ten US adult citizens are concerned that businesses
are unable to secure their personal financial information. The high incidence
of financial sector breaches has done nothing to quell those concerns. Nor
does the security breach statistic from Positive Technologies that 92% of ATMs
are vulnerable to hacks instill customer confidence. Financial sector firms
should adopt the mantra that it is not a matter of if, but when their
organization will experience a cyberattack. By implementing effective
precautions and best practices financial institutions/fintechs can know they
are being proactive in the fight against cyberattacks.