Where financial institutions must shore up their cybersecurity

The cyber threat landscape "continues to metastasize"

Where financial institutions must shore up their cybersecurity


By Bethan Moorcraft

Cyberattacks on the financial sector continue to increase. Financial institutions (FIs) experienced a 238% increase in cyberattacks in the first six months of 2020 alone, according to VMware, and that trend has continued in 2021 and 2022, with FIs being hit by everything from ransomware and phishing to social engineering and denial of service attacks.

There are reasons for both optimism and concern in the FI sector right now, according to Michael Phillips, Resilience chief claims officer, and an expert at the crossroads of data protection, insurance, and cybersecurity.

“The optimistic point of view is that many FIs are early adopters of some of the modern and contemporary cybersecurity defenses that make firms more secure in the face of the threat. That shouldn’t be overlooked when we compare the financial sector to its peers in other industry classes,” said Phillips.

“But unfortunately, the threat landscape continues to metastasize. And so, what we see are greater numbers of more sophisticated and more specialized cyber criminals, who are engaged in a dark race for tragic innovation, where they’re specializing in better initial access, better tools for lateral movement, and then they’ve developed more destructive forms of ransomware and extortion that financial firms have to wrestle with.”

Phillips also highlighted the “problem of scale” that currently exists, where a number of criminal cyber groups have specialized in building attack tools that other less sophisticated criminals can operate and monetize. One example of that is ransomware-as-a-service (RaaS), a business model between ransomware operators and affiliates in which affiliates pay to launch ransomware attacks developed by operators.

“I think the financial sector threat landscape has really bifurcated into increasingly sophisticated cyber criminals who have specialized in exploiting the sector,” Phillips told Insurance Business. “There’s also the problem of scale, with cyber criminals who might not be that sophisticated, but they’re looking for every opportunity to make a quick buck.”

Resilience data shows that FIs often lag behind in email security controls, making them more susceptible to phishing attacks that lead to cybercrime. Notably, phishing attacks are at the top of Verizon’s 2022 Data Breach Investigations Report (DBIR) for threats to the financial sector and also lead the FBI’s 2021 reported digital crimes, with over 300,000 incidents.

“With respect to business email compromise (BEC) attacks, it’s important to highlight that while some of the initial intrusion methods are the same, many of the cyber criminals have different motivations,” said Phillips. “Some want to deceive an employee into sending money directly to them, while others are interested in capturing data to take advantage of opportunities for identity theft, to steal intellectual property, or to carry out other privacy related crimes.”

There are strategies that FIs can implement to better protect the sensitive data of their customers and their own proprietary information. According to Phillips, an important part of this plan includes executives’ gaining a better understanding of the progression of financial cyberattacks and responding to them, along with implementing best practices that address current threat vectors.

“FIs are often well beyond the basics when it comes to cybersecurity, but certainly, multi-factor authentication (MFA), especially for privileged accounts, is of the utmost importance in the financial sector,” Phillips said. “Advanced endpoint detection and response (EDR) technology, which prevents malicious files from propagating within a network, is another essential investment.”

The Resilience chief claims officer urged FIs to redouble their cybersecurity efforts in three key areas: threat intelligence – an emerging discipline in which experts collect, process, and analyze data to understand threat actors’ motives, targets, and attack behaviors; privileged access management – to create security blocks and checks throughout a network; and practicing restoration from back-ups – to ensure operational continuity after business-interrupting cyber events.

One area where FIs must “continue to mature,” according to Phillips, is in their third-party vendor risk management. He said: “While securing the four walls of your own castle is super complicated, FIs must not forget that they’re vulnerable to the network of vendors and third-party service providers – IT vendors, software providers, law firms, and infrastructural firms - who they rely on to fulfil their mission and service their clients. Even more than ransomware hitting an FI directly, we’re seeing key vendors of FIs suffer attacks – in turn, jeopardizing the data or the business of the financial firm.”

With respect to vendor risk management, Phillips shared several recommendations. First, he said FIs should make an inventory of their current vendors and the data they have access to. Then, they should categorize those vendors into risk tiers to understand which vendors are critical to their mission, and determine which vendors manage operations or data that could potentially disrupt their business if jeopardized.

“It’s also important to build risk due diligence into the vendor selection process,” Phillips added. “Unfortunately, in the financial sector, with their significant reliance on third-party vendors to operate, FIs are often choosing vendors on price or capabilities, and only later are they realizing that they should vet these vendors for their cybersecurity posture and the best practices that they bring to the table for cybersecurity. And so, building in that due diligence process into the vendor selection processes is super important.

“FIs should also implement ongoing monitoring and oversight of any high-risk vendors that they need to operate their business. They should have both eyes on them cautiously, monitoring their systems and their performance, and they should also have a remediation plan in place if the vendor does not meet the right standards, or they suffer a cyber event.”

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!