Cyberattacks on the financial sector have been steadily increasing. According to VMware, financial institutions experienced a 238% increase in cyberattacks within the first six months of 2020 alone. In 2021, the trend continued, with financial institutions and fintechs being hit by ransomware, phishing, SQL injection, social engineering, and denial-of-service attacks, among others.
Government agencies have sought to stem the trend with regulations, resources, and regular warnings. But has this been enough, and can financial institutions and fintech companies do more to protect the sensitive data of their customers and their own proprietary information? The answer is yes, and it involves executives gaining a better understanding of the progression of cyberattacks on the financial sector and the responses to them, along with implementing cybersecurity best practices that address current threat vectors.
On September 14, 2007, the online brokerage TD Ameritrade reported that it had experienced a data breach that resulted in the theft of 6.3 million customer account records. It was one of the first major wake-up calls for the financial sector and sadly would be followed by many others. A report by the Boston Consulting Group stated that financial services firms are 300 times more likely to experience a cyberattack than businesses in other industries. Their costs from a cyberattack are higher too. Accenture reported that the average cost of cybercrime per financial services company in 2018 was $18.5 million, compared with $13 million for companies in other sectors. It is likely that amount has increased. The good news is that there is greater awareness, and measures are in place to help combat cybercrime. This heightened awareness, coupled with best practices, can be extremely effective.
Serious cybercrime incidents in 2021
Since tracking and reporting of cyberattacks began, there has been a long pipeline of cyberattacks on banks, credit unions, credit card companies, mortgage lenders, investment firms, cryptocurrency platforms, etc. worldwide. Cybercriminals have included Russian hacking groups like TA505, ransomware groups like DarkSide and Ragnar Locker, international crime rings, and botnet campaigns such as SharkBot and UBEL. Some of the cyberattacks on financial sector firms that made headlines in 2021 include:
- A stolen SSH key that caused the crypto trading platform Bitmart to experience a major security breach, which enabled hackers to withdraw almost $200 million in assets.
- The hacking of Robinhood, an American stock trading platform, that gave the cyber thief access to approximately seven million customers’ personal information.
- A breach at the insurance tech start-up BackNine that exposed 711,000 files containing customers’ sensitive personal information, including medical histories.
- A denial-of-service attack on a German IT firm that operates technology for Germany’s cooperative banks, which disrupted the operations of 800 financial institutions in the country.
- A 300% increase in phishing attacks against Chase from May to August 2021, as reported by Cyren research.
- The ransomware attack on CNA Financial, which disrupted its employee and customer services for three days.
Measures to mitigate cybercrime
These are just some examples of the hundreds of cyberattacks that befell financial sector businesses in 2021. These incidents gave rise to increasing warnings from government agencies. In the United States, cyber threat warnings are regularly issued by the Federal Bureau of Investigation (FBI), the Department of Financial Services (DFS), and the Federal Trade Commission (FTC). The U.S. has also developed various laws and standards to improve cybersecurity within the financial sector. For example, cybersecurity components have been added to the Sarbanes-Oxley (SOX) Act of 2002, the Bank Secrecy Act, the Gramm-Leach-Bliley Act, and the Payment Card Industry (PCI) Data Security Standards. More recently, U.S. President Biden’s Administration instituted new cybersecurity rules for the financial sector.
The FTC made amendments to the Gramm-Leach-Bliley Act requiring FTC-regulated financial institutions to develop and implement cybersecurity requirements as a component of their information security programs. Additionally, the U.S. Securities and Exchange Commission (SEC) announced new enforcement actions against financial sector firms for deficient disclosure controls over their cybersecurity risks. It is also expected that other agencies, such as the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation, and the Federal Reserve System, will follow suit and issue new cybersecurity regulations.
Within the European Union, there is the European General Data Protection Regulation (EU-GDPR), and since Brexit, the United Kingdom has created its own version of GDPR (UK-GDPR).
In 2015, the “Financial Services Sector-Specific Plan” was issued jointly by the U.S. Department of the Treasury and the U.S. Department of Homeland Security. It outlines a comprehensive cybersecurity plan for financial sector firms that covers a strategic framework, goals, information sharing policies, best practices, incident response, recovery, and benchmarking. It is a good basic guide, but not enough. Financial sector businesses must also deploy industry-driven best practices.
Best Practices for cybersecurity in fintech
Many financial institutions and fintechs have extensive Information Technology (IT) departments. They are well staffed by computer engineers, technicians, network administrators, etc., with oversight by an experienced Chief Information Officer (CIO). These organizations also rely on Managed Service Providers (MSPs) to perform various functions such as preventive system maintenance and software updates. In many organizations, both internal IT staff and MSP staff assume a role in cybersecurity. This is not the ideal situation, and without question these individuals should not be performing certain critical tasks such as vulnerability assessments, penetration testing, and benchmarking.
These tasks should be outsourced to a third-party cybersecurity firm. These firms have experienced cybersecurity professionals on staff who hold important credentials such as Computer Hacking Forensics Investigator, Certified Information Systems Auditor, Certified Ethical Hacker, Certified Information Systems Security Professional, and Certified Information Systems Manager. Beyond their cybersecurity specializations, they provide an objective evaluation of a financial firm’s or fintech’s systems, one that is not compromised by a primary operational role, as is the case with internal or MSP staff.
Measures to build a sound cybersecurity initiative
Detection – An organization’s cybersecurity should be driven by strong detection measures. That starts with having a third-party cybersecurity firm conduct a vulnerability assessment on all of the organization’s IT systems to determine weaknesses and risk levels. In addition, penetration testing (i.e., ethical hacking) should be performed to assess the ease with which a cybercriminal could enter and attack the organization’s network, ports, databases, email, etc.
Mitigation – Once the vulnerability assessment and penetration testing have been completed, it is important to consider the remediation measures recommended by the cybersecurity firm. To mitigate threats and heighten system security, the firm may recommend new firewalls, anti-keylogging encryption software, endpoint protection, multi-factor authentication, password and SSH key management, and other measures to secure system access.
Cybersecurity Framework and Policies – A formal document should be developed to break out all cybersecurity-related policies, procedures, and best practices. These will include data back-ups and back-up data recovery, implementing software updates, regular vulnerability assessments and penetration testing that address the latest threat vectors, limiting access to sensitive data to select authorized staff, a password management directive, and eliminating any unnecessary technology. This document should be shared with staff and vendors whose roles involve access to the organization’s technology. The document should also include a section identifying the organization’s cybersecurity insurer and coverage, which should be reviewed on an annual basis, or more frequently if the organization has experienced an increase in cyberattacks.
Incident Response and Recovery Plan – A plan that includes all measures to be implemented in the event of a cyberattack. Much like a disaster recovery plan, it should include key staff and their responsibilities, a communications policy (i.e., which individuals and entities should be notified and in what order), a documentation procedure, and any crisis management and damage control measures to be taken.
Cybersecurity Staff Training – It is also critical that the awareness of all staff regarding the threat of cyberattacks be raised through training and education. Many cyberattacks start with an unsuspecting staff member who opens an email attachment or link that they should not have and in doing so exposes the organization to a major breach. It is important that staff be familiar with common cyberattacks. These include:
- Phishing attacks, in which cybercriminals send emails that appear to be issued by a credible organization (often one with which there is an existing relationship) and request proprietary data (e.g., financial account information, passwords, etc.).
- Ransomware attacks, wherein hackers place malicious software that encrypts an organization’s data and then demand a ransom in order for the organization to regain access to its data.
- Malware, malicious software that is placed on computers or a network and enables the cybercriminal to take control of the computer, monitor the user’s keystrokes and actions, and access confidential data. The malware gets onto a computer when the user clicks on a link or opens an attachment.
- Denial-of-Service attacks, which temporarily shut down a machine or network, rendering it inaccessible to its intended users.
- SQL (structured query language) Injection attacks, which target servers that store proprietary or critical data and use SQL to manage their databases. A SQL Injection attack sends malicious input that the server executes as SQL, causing it to convey privileged information.
Securing the financial sector
The American Institute of Certified Public Accountants (AICPA) reported that eight in ten US adult citizens are concerned that businesses are unable to secure their personal financial information. The high incidence of financial sector breaches has done nothing to quell those concerns. Nor does the statistic from Positive Technologies that 92% of ATMs are vulnerable to hacks instill customer confidence. Financial sector firms should adopt the mantra that it is not a matter of if, but when, their organization will experience a cyberattack. By implementing effective precautions and best practices, financial institutions and fintechs can know they are being proactive in the fight against cyberattacks.
About the author: Joseph Saracino is the President and CEO of Cino Security Solutions. Formerly a Naval Intelligence Officer with the US Navy, Saracino leads a team that provides innovative products and solutions relevant to today’s global business environment.