Cyberattacks in financial services – how vulnerable are we?

As web attacks become more of a norm, how should risk managers react?


By Kenneth Araullo

A new report illuminates the ongoing and increasing cyber threats directed at the financial services sector across Asia Pacific and Japan (APJ), marking it as one of the most targeted industries globally. The period from Q2 2022 to Q2 2023 has witnessed a surge of 36% in web application and API attacks, reaching a count of over 3.7 billion attacks.

Akamai Technologies’ report, titled “The High Stakes of Innovation: Attack Trends in Financial Services,” is another entry in its ongoing series, State of the Internet. One critical revelation is the persistent use of Local File Inclusion (LFI) as the top attack vector, posing a significant threat to financial institutions and their customers.

The report found that 92.3% of attacks against the finance sector in APJ targeted banks, underlining the gravity of the issue and emphasizing the need for heightened security measures.

An issue exacerbated by better customer experience initiatives

In a bid to enhance customer experiences and expand their digital footprint, financial organizations in the region are increasingly relying on third-party scripts, making up 40% of the scripts in use. However, this widespread adoption introduces potential vulnerabilities due to limited visibility into the authenticity and security of these scripts, thereby adding a new layer of risk for businesses. This lack of visibility is a significant concern, as it opens another avenue for threat actors to launch attacks against banks and their clientele.

The report also sheds light on the alarming rise in malicious bot traffic across APJ, surging by 128% from the previous year. These bots play a significant role in amplifying the scale and efficiency of cyber-attacks. APJ stands as the second-most targeted region globally for malicious bot requests against financial services, accounting for a substantial 39.7% of all such requests worldwide.

In addition to these insights, the report also underscores several key findings, emphasizing that web applications and APIs remain preferred attack vectors in APJ, with the finance sector accounting for 50% of such attacks. Australia, Singapore, and Japan were identified as the top three most targeted countries in APJ, jointly accounting for over three-quarters of all web application and API attacks.

A challenge for risk managers

The Akamai report also highlighted how important it is for financial services organizations to remain vigilant about regulatory oversight and new reporting obligations. Risk managers should take note that the rise in the use of third-party scripts makes it harder for these institutions to meet the upcoming Payment Card Industry Data Security Standard (PCI DSS) v4.0 requirements, especially those related to client-side script visibility and management. Compliance with new regulations is imperative to avoid potential fines and reputational damage.

“Financial services organizations in APJ must remember that cyber criminals will always try to find new and more sophisticated ways to launch their cyberattacks as the pace of innovation in this sector increases. The rising popularity of financial aggregators and especially those organizations keen to adopt open banking practices will mean that the industry will begin to be even more dependent on the use of APIs and third-party scripts moving forward – expanding attack surfaces even further,” said Reuben Koh, Akamai security technology and strategy director.

“Financial institutions must focus on securing new digital offerings, continuously educating customers on cyber hygiene best practices, and investing in frictionless security measures for users. As regulators enforce policies to strengthen cybersecurity standards, it is also important for financial services organizations to understand and account for new compliance requirements while strengthening their security posture and cyber resilience against modern cyber threats,” Koh said.

Part two of this series, which will include Reuben Koh’s interview with Insurance Business Corporate Risk, will be published in the coming weeks. Stay tuned.
