Financial industry overview
Financial services providers such as banks, credit unions, credit card companies, and investment firms are entrusted with the personally identifiable information (PII) of every customer and client. This information includes home address, Social Security number, banking details, phone number, email address, and income information. The high value of this data on the darknet makes this sector an attractive target for cybercriminals.
In 2019, the global financial services market was valued at about $22 trillion. This industry has seen steady growth in non-cash payments. Non-cash payments are multiplying due to increasing penetration of internet and mobile usage in developing countries and a global shift toward immediate payment schemes, which offer instant payments in real-time.
The advances in internet banking, mobile apps, and instant payments all require new technology. Heightened technology use invariably enlarges the industry’s attack surface and introduces new vulnerabilities.
The growing number of cyberattacks against financial services companies is a reflection of how this sector has turned to technology to solve many of the problems it faces. To increase market share, many financial institutions rely on big data. Tapping into social media, consumer databases, and news feeds can help financial firms better understand their customers and attract new ones.
The inherent risks associated with technology put pressure on academia to produce new and growing cohorts of highly skilled security professionals. In the race to stay one step ahead of cyber bad actors, the financial industry may have stumbled at the starting blocks. A University of San Diego blog post says, “While financial institutions know security is an issue, many of them aren’t prepared and don’t know how to combat the increasingly sophisticated tactics of cybercriminals. As RSA explained, ‘Recent surveys paint a picture of an industry that sees the writing on the wall but often finds itself working with the technological equivalent of whiteout.’”
Cybersecurity within the financial services industry
To be sure, the financial services industry needs more qualified cybersecurity professionals. All business sectors struggle with the current cybersecurity skills shortage, but financial services companies are often high profile targets and must be particularly vigilant when it comes to cybersecurity. As the gatekeepers of valuable customer PII, financial institutions are subject to an ever-increasing number of cybersecurity rules and regulations. With pressure from regulatory agencies and the need to protect brand reputation, financial firms are motivated to provide significant investment and collaboration to improve cybersecurity preparedness, response, and resiliency across the sector.
There are two types of financial services companies: those that have experienced a cyberattack and those that will in the future. Protecting customer data is so challenging for financial companies that many have experienced multiple breaches.
In the years 2009 through 2019, some of the most recognizable names in this sector were breached on more than one occasion. American Express and SunTrust Bank were breached five times, and Capital One and Discover were breached four times each during this period.
According to the IBM Security Cost of a Data Breach Report, in 2019, the average cost per breach within financial services was $5.86 million. This cost per breach is second only to the healthcare industry and is nearly one and a half times that of the public sector.
Hacking and malware are the leading causes of data breaches in financial services. However, insider threats and accidental disclosures are both growing. Rising cloud adoption is expected to increase these threats over the next several years.
Commonly accepted statistics for this sector indicate that 75 percent of breaches involve hacking and malware, 18 percent accidental disclosure, 6 percent insider threats, and 2 percent physical breaches.
Consumers have little direct risk from cyberattacks on financial institutions. As long as they use reasonable safeguards to protect their information, consumers are protected by US federal law that requires banks to refund customers if they notify the bank within 60 days of an errant transaction appearing on their statement.
Banks themselves, however, have fewer assurances from the federal government. The US Department of the Treasury’s Financial Stability Oversight Council is charged with monitoring the stability of our nation’s financial system. Critics claim that this council is not doing enough to plan for cyberattacks that may threaten the solvency of major banks.
Case study: Cybersecurity and financial services
The increasing use of rented cloud data servers has a corresponding impact on data security. A case that illustrates the security complexities added by incorporating third-party servers in an organization’s computing infrastructure is that of the massive data breach suffered by Capital One in 2019.
In July of 2019, Fox News reported, “Authorities claim a Seattle software engineer was responsible for the hacking of Capital One and obtained the personal data of over 100 million people in what appears to be one of the biggest breaches of a big bank in history.”
The suspect, Paige Thompson, 33, was apprehended in Seattle after carelessly leaving clues about the breach on the internet and social media sites. According to the U.S. Attorney’s Office on July 29, “Thompson posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data. The intrusion occurred through a misconfigured web application firewall that enabled access to the data. On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft. After determining on July 19, 2019, that there had been an intrusion into its data, Capital One contacted the FBI.”
The Fox News report said, “A Capital One source told Fox News that the 100 million people affected by the hack include every existing customer, every previous customer and anyone who’s ever applied for a Capital One card.”
Brian Krebs, a leading cybersecurity researcher, said on his site, KrebsonSecurity.com, “data included approximately 140,000 Social Security numbers and approximately 80,000 bank account numbers on US consumers, and roughly 1 million Social Insurance Numbers (SINs) for Canadian credit card customers.”
Krebs quotes Ray Watson, a cybersecurity researcher at cloud security firm Masergy, “The attacker was a former employee of the web hosting company involved, which is what is often referred to as insider threats,” Watson said. “She allegedly used web application firewall credentials to obtain privilege escalation. Also, the use of Tor and an offshore VPN for obfuscation are commonly seen in similar data breaches.”
At the time of the breach, Thompson was employed as a software engineer at Amazon. Capital One’s data was hosted on a server rented from Amazon.
Malicious behavior by insiders, as was the case here, is more difficult to control when data is hosted on a third-party server. Financial services companies, like many other firms, find it economically beneficial to outsource computing infrastructure. This additional complexity increases pressure on security teams to find solutions that mitigate insider threats and cover their rented cloud infrastructure as well as their own.
What makes cybersecurity challenging within the financial services field?
Cybersecurity is of particular concern for the financial services industry because, well, as the adage goes, “that’s where the money is.” Today’s world is rife with complicated and sophisticated schemes to relieve other people of their money. Still, nothing is quite as appealing to the criminal mind as electronically diverting funds from someone else’s account into one they control.
As attacks increase, regulators take notice and take measures to increase the pressure on the industry to find solutions. Regulatory and compliance requirements are, at once, a significant challenge for the financial sector and the single most important reason that consumers trust the industry with their money.
In an informative blog post on the KirkpatrickPrice website, author Ashlyn Burgett points out that in just the last two years, and in addition to existing cybersecurity laws, the financial industry has been saddled with the following regulatory oversight:
- New York State Department of Financial Services Cybersecurity Requirements Regulation for Financial Services Companies Part 500 (NY CRR 500) of Title 23.
- US Securities and Exchange Commission (SEC) issued interpretive cybersecurity guidance.
- National Cybersecurity Center of Excellence (NCCoE) released the NIST Cybersecurity Practice Guides SP 1800-5, SP 1800-9, and SP 1800-18.
- 24 US states passed bills or resolutions related to cybersecurity.
Third-party vendors are a big part of the financial sector generally. The industry is an amalgamation of multiple business partners working together to present a cohesive set of services. Managing vendor risk is therefore a critical challenge for financial services. Behind the scenes at every large, well-known financial service provider are many smaller companies providing a myriad of business services. Vetting, auditing, and managing each of these companies adds further cyber risk to the equation.
More and more consumers demand cashless and frictionless financial services. They want apps that are easy to access, yet secure. They want to send and receive funds electronically with just the click of a button but need those transactions protected against attacks. It can be a challenge for financial services companies to keep abreast of the latest in computer and application security technology—this all fuels the industry’s need for highly skilled security professionals.
Cybersecurity solutions for the financial services industry
The financial industry struggles to keep pace with technological innovation. Legacy systems that would be costly to replace, while only an inconvenience to customers, may pose a significant threat to financial institutions. On the other hand, hackers often benefit from new technologies that make it easier to attack legacy systems.
As an example, many financial institutions have not yet instituted two-factor authentication (2FA). For banks, 2FA is most commonly accomplished when a bank sends a temporary code to the customer’s cell phone, which is needed to log into their account. In this scenario, the hacker would need to have access to both the computer or account credentials and the cell phone. Several banks don’t use 2FA for account login. The reason most often cited is that their customers find 2FA inconvenient.
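The temporary-code flow described above has a server side that the paragraph does not show: the bank has to store the issued code safely, accept it only once, expire it, and cap guessing attempts so a six-digit code cannot simply be brute-forced. The following is an added example of that server-side logic (not code from the article or from any bank); the code length, five-minute lifetime and five-attempt limit are assumed parameters, and delivery to the phone is left out.

```python
import hashlib
import hmac
import secrets
import time

# Assumed parameters (hypothetical, not from the article): a 6-digit code,
# valid for 5 minutes, with at most 5 verification attempts per code.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


def _digest(salt: bytes, code: str) -> bytes:
    """Salted hash of a code; only this is stored, never the code itself."""
    return hashlib.sha256(salt + code.encode()).digest()


class OtpStore:
    """In-memory store of pending one-time codes, keyed by user id.

    Storing a salted hash means a leaked copy of the store cannot be
    replayed against the login endpoint. The clock is injectable so the
    expiry behaviour can be tested deterministically.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        # user_id -> [salt, digest, expires_at, attempts_so_far]
        self._pending = {}

    def issue(self, user_id: str) -> str:
        """Generate a fresh code for user_id and return it for delivery
        (for example by SMS). Any earlier pending code is replaced."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[user_id] = [salt, _digest(salt, code),
                                  self._clock() + CODE_TTL_SECONDS, 0]
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        """Return True exactly once for the correct, unexpired code.

        Expired or exhausted codes are discarded, and comparison is done in
        constant time so timing does not leak how many digits matched.
        """
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        salt, digest, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            self._pending.pop(user_id, None)
            return False
        entry[3] = attempts + 1
        ok = hmac.compare_digest(digest, _digest(salt, submitted))
        if ok:
            self._pending.pop(user_id, None)  # single use: drop on success
        return ok


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("alice")
    print("issued", code, "first check", store.verify("alice", code),
          "replay", store.verify("alice", code))
```

The code is only a second factor, so the login handler should call `verify` only after the password check has already passed, and it should issue a new code rather than re-sending the old one when the user asks again.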
To make possible the convenience customers demand, firms must employ the latest in computer science technology. App and software developers are under pressure to improve the customer experience, and security sometimes lags in the development process. Security professionals with the latest programming and security skills are needed to effectively sustain a DevSecOps environment where the responsibility for security is shared across all aspects of development and operations.
Building on the premise that there is an infinite number of illegitimate or malicious behaviors a bad actor can use to attack a target but only a finite number of legitimate activities that should be allowed on financial systems, companies such as Nyotron have developed methodologies that protect against even zero-day exploits. These OS-centric technologies act like a whitelist of acceptable behavior and block any system behavior that does not follow a prescribed set of functions in a reasonable sequence. By preventing behavioral anomalies, this method stops many cybersecurity attacks.
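The idea of a whitelist of behavior in a prescribed sequence can be made concrete as a transition table: for each operation a process may perform, the set of operations allowed to follow it. The example below is added here to illustrate that model; it is not Nyotron’s product or code from the article, and the operation names, the hypothetical “ledger-service” process and the sample traces are all constructed for the illustration.

```python
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed allow-list for a hypothetical "ledger-service" process.
# Each operation maps to the set of operations that may legitimately
# follow it. START and EXIT are synthetic markers so that the very first
# operation and an unexpected end of trace are checked too.
ALLOWED_NEXT: Dict[str, FrozenSet[str]] = {
    "START":         frozenset({"read_config"}),
    "read_config":   frozenset({"connect_db"}),
    "connect_db":    frozenset({"read_ledger"}),
    "read_ledger":   frozenset({"read_ledger", "write_ledger", "disconnect_db"}),
    "write_ledger":  frozenset({"read_ledger", "write_ledger", "disconnect_db"}),
    "disconnect_db": frozenset({"EXIT"}),
}

Violation = Tuple[int, str, str]  # (position in trace, previous op, offending op)


def check_trace(trace: List[str]) -> Optional[Violation]:
    """Return None if every transition in the trace is on the allow-list,
    otherwise the first violation. Anything not explicitly listed is
    anomalous: an unknown operation, a known one out of order, or a trace
    that ends before the process has cleanly finished."""
    prev = "START"
    for i, op in enumerate(trace + ["EXIT"]):
        if op not in ALLOWED_NEXT.get(prev, frozenset()):
            return (i, prev, op)
        prev = op
    return None


def scan(traces: Dict[str, List[str]]) -> Dict[str, Violation]:
    """Check several named traces and return only the ones that violate."""
    alerts = {}
    for name, trace in traces.items():
        result = check_trace(trace)
        if result is not None:
            alerts[name] = result
    return alerts


# Constructed sample traces, as a monitoring agent might record them.
SAMPLE_TRACES: Dict[str, List[str]] = {
    "normal_run": ["read_config", "connect_db", "read_ledger",
                   "write_ledger", "disconnect_db"],
    "unknown_op": ["read_config", "connect_db", "read_ledger",
                   "open_outbound_socket", "disconnect_db"],
    "skipped_step": ["read_config", "read_ledger", "disconnect_db"],
    "cut_short": ["read_config", "connect_db", "read_ledger"],
}

if __name__ == "__main__":
    for name, violation in scan(SAMPLE_TRACES).items():
        pos, prev, op = violation
        print(f"{name}: position {pos}, '{op}' may not follow '{prev}'")
```

Because the table lists only what is permitted, a behavior never seen before is blocked by default rather than having to be recognized as bad first, which is what lets this style of control apply to a zero-day. The cost is that the allow-list must be complete: a legitimate but unlisted path (a maintenance task, a new feature) will be flagged until the table is updated.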
Financial services leaders must recognize that hackers will find ways to exploit vulnerabilities. These vulnerabilities may be in computer systems and networks, or they may be in processes and procedures. Constructing a tech firewall is just the first line of defense.
Study after study shows that the weakest link in cybersecurity is human behavior. Social engineering is a favorite tool for cybercriminals. Phishing emails have, for decades now, opened the opportunity to download malware. Social media platforms are being used with increased frequency as the tools of choice for cybercriminals attempting to find information that can be used to groom or leverage employees of financial institutions. After building a relationship with or exploiting an employee at the targeted organization, scammers begin to exert pressure to gather credentials or other sensitive information to allow the installation of malicious software.
Many financial institutions find value in building internal penetration testing teams or hiring external ones. Red team/blue team exercises can expose vulnerabilities while providing invaluable training for the internal cyber defenders.
Second only to healthcare in the number of cybersecurity attacks it suffers, the financial industry is harried on all sides by cybercriminals. The fuel this industry runs on is sensitive data, including valuable PII. Regulators keep a watchful eye on cyber events in this sector and stand ready to apply ever more onerous rules and regulations. Customers expect a seamless, frictionless, cashless experience using the internet and mobile apps. And, like all industries, financial services suffers from the global cybersecurity skills shortage.
These facts culminate in what could be termed the perfect storm of conditions for cyber threats. Under the prevailing conditions, this sector should be applauded for providing a level of protection that most customers find acceptable. But at what cost? Many fear that the underlying costs of compliance and resilience may, in the end, be too much for some financial service providers. If this happens, only the largest may survive, decreasing competition in the sector. This does not bode well for consumers in the long run.
This market is ripe for innovation that transcends the current conditions and provides a more secure way to carry out financial transactions.
Hands-On Cybersecurity for Finance: Identify vulnerabilities and secure your financial services from security breaches. By Dr. Erdal Ozkaya and Milad Aslaner. A comprehensive guide that will give you hands-on experience to study and overcome financial cyber-threats.
Elementary Information Security. By Richard E. Smith. Elementary Information Security provides a comprehensive yet easy-to-understand introduction to the complex world of cybersecurity and technology.
Third-Party Cyber Risk for Financial Services: Blind Spots, Emerging Issues & Best Practices. Report by BitSight and CeFPRO.