In recent years, there has been a significant uptick in the frequency and sophistication of attacks on the financial and banking industry. The following statistics illustrate the current breadth and depth of cyber attacks by various types of threat actors on financial entities:
Financial institutions were the second most impacted sector based on the number of reported data breaches last year. Institutions in the U.S., Argentina, Brazil, and China were most affected. As of December 2022, finance and insurance organizations globally experienced 566 breaches, leading to over 254 million leaked records.
Ransomware attacks on financial services have increased from 55% in 2022 to 64% in 2023, which is nearly double the 34% reported in 2021. Only 1 in 10 attacks were stopped before encryption took place, making a total of 81% of organizations a victim of data encryption.
Data breaches cost the finance sector the second highest costs amongst all others at $5.9 million.
This blog explores the rise in cyber attacks on the banking and financial industries, their far-reaching consequences, and what these high-target entities can do to protect against the evolving tactics of threat actors.
Understanding the Risks Faced by the Financial Sector
In their 2022 Cybersecurity and Financial System Resilience report, the Federal Reserve Board actively notes all potential risks and emerging threats that affect the state of the U.S. economy. At no surprise, cybersecurity concerns topped the list, calling out Ransomware-as-a-Service (RaaS) and sophisticated Distributed Denial of Service (DDoS) attacks as the biggest risks to financial institutions’ ability to operate and safeguard customer data.
RaaS – RaaS is characterized by heightened sophistication, rapid proliferation, and difficulty of attribution. RaaS empowers threat actors to establish templates that could be considered “franchised” threats. Accomplished threat actors license their software to other malicious parties, typically in exchange for a portion of the ransom proceeds. This threat model provides less advanced threat actors with many more ways of disrupting businesses. Victims that decline ransom payment often find themselves with the burden of reconstructing their infrastructure in order to reinstate normal business operations.
DDoS Attacks – In sophisticated DDoS attacks, the attacker aims to render a machine or network resource unavailable to legitimate users by overwhelming the target or its surrounding infrastructure with traffic. The United States’ financial services sector has long been a target of DDoS attacks, which has also affected associated external entities and other stakeholders.
An excerpt from the Federal Reserve Board’s report highlights this concern, amplified through the lens of current geopolitics:
Banks and financial institutions can face significant short and long-term financial damages when they experience a cyberattack. These damages can result from a variety of factors, including operational disruptions, reputational harm, legal and regulatory consequences, and increased cybersecurity investments.
Immediate & Ongoing Fees
A single, successful cyberattack can lead to immediate financial consequences that directly impact a company’s financial performance. Costs are associated with the severity of the attack and the extent of the data exposure, leading to both immediate and long-term repercussions.
Ransom Payments – In the scenario of a ransomware attack, the average payout cost has surged to $1.6 million on average compared to the previous year’s average of over $272,000. 43% of surveyed companies in the same report confirmed paying the ransom.
Forensic Analysis & Investigation Fees – Organizations often engage cybersecurity experts to identify the nature and scope of the breach, analyze the attack vectors, and trace the attacker’s activities.
PR & Crisis Management Fees – After a breach, organizations may engage public relations and communication experts to manage the institution’s public image and respond to media inquiries. This also involves notifying affected customers, partners, and stakeholders about the breach, potential data exposure, and recommended actions.
Legal Expenses – Small to medium-sized businesses with no in-house legal team may seek legal advice to navigate the legal implications of the breach, including potential liability, regulatory compliance, and contractual obligations.
Customer Compensations & Cost of Remediation – Depending on the information compromised during the attack, organizations may offer credit monitoring and identity protection services to affected customers to mitigate potential identity theft. This can include assisting customers in resolving fraudulent transactions or unauthorized account access for a period after the breach.
Increased Premiums – Post-attack, companies may be forced to pay higher premiums for their cyber insurance coverage.
Regulatory & Legal Consequences
Financial entities and banks are mandated to follow applicable compliance frameworks such as PCI-DSS. After a breach, they will be subject to paying fines imposed by regulatory authorities for non-compliance with data protection and cybersecurity regulations. Those that fall victim to a cyberattack face substantial regulatory and legal consequences. Regulatory bodies impose fines and penalties for failing to safeguard customer data, comply with industry-specific cybersecurity standards, and promptly report breaches. These financial repercussions can amount to millions of dollars, severely impacting an institution’s bottom line.
In terms of legal implications, affected parties including customers and partners may initiate lawsuits to claim damages resulting from data breaches. Legal defense costs, settlements, and potential reputational damage from such actions can lead to long-lasting financial strain.
Disruption to Business Operations & Reputational Damages
Cyber attacks disrupt services, delay transactions, and lock up day-to-day operations. The more critical the attack is on the systems, the greater the cost to operations. In the immediate aftermath of an attack, resources may need to be redirected towards remediation, taking away from core business activities. Other than direct financial losses, indirect costs while rebuilding systems and restoring data, some additional cybersecurity measures require significant investments, which can put a strain on budgets.
The value of customer trust can’t be measured and a tarnished reputation is one of the most costly consequences of a data breach. The ongoing cost of a data breach is largely reflected in the competitive landscape as the victim organizations see a decrease in their brand value and market share. For publicly traded firms, this cost is mirrored in stock price fluctuations.
As news of a data breach is reported, damage to the victim organization starts to go beyond dollars and cents. The perception of poor security measures can lead clients to doubt the organization’s ability to safeguard their sensitive information, potentially causing customer churn. From a stakeholder’s perspective, negative media coverage amplifies the impact, eroding the organization’s credibility. Extending beyond the immediate aftermath, breaches can massively influence customer decisions, partnership opportunities, and market sentiment.
Building Cyber Resilience In Big Banks & Financial Giants
To better defend the nation’s critical infrastructure from ongoing attacks, the U.S. government has implemented programs such CISA’s Shields Up!, the Office of the National Cyber Director (ONCD), and the Cyber Safety Review Board (CSRB), and most recently, the new U.S. Cyber Trust Mark.
At the enterprise-level, security leaders can use the following checklist to assess their organization’s cybersecurity posture as it stands and improve any identified gaps.
1. Response & Recovery | How fast can we regroup post-cyber attack?
Financial institutions can be susceptible to cyberattacks even with preventative controls in place. To build long-lasting resilience, security leaders are encouraged to design, maintain, and consistently review plans to ensure business continuity in the event that a threat actor succeeds. This includes:
Well documented incident response plans (IRP), communication matrices, and post-attack workflows. Focus on system and operations recovery and a chain of command that includes all necessary leads needed to facilitate the response plan.
Good relationships with federal and local law enforcement entities and any cybersecurity resources available for the specific industry.
Contacts for cyber forensics and any post-incident recovery experts that can be engaged as needed.
Implementing a regular schedule to conduct cyber recovery exercises, audits, and red team and penetration testing.
Consider cyber insurance as a risk management strategy to identify, measure, and monitor ongoing cyber risk exposure.
2. Network & System Security | How protected are we from cyber intruders?
Many organizations adopt an “assume breach” mentality where defenders operate under the assumption that their systems have already been compromised. This is a proactive approach which acknowledges the ever-present risk of cyberattacks and focuses on detecting and mitigating intruders as quickly as possible. By assuming a breach has occurred, defenders strategically deploy continuous monitoring, anomaly detection, and threat hunting techniques to identify malicious activities early on. In essence, “assume breach” empowers defenders to stay one step ahead of adversaries in the dynamic landscape of cybersecurity. Building up the necessary network configurations and system hardening includes the following key aspects:
Securing all network components to ensure that only approved ports, protocols, and services are allowed.
Reviewing, adjusting, and disabling (if necessary) any default user accounts and settings before system use.
Performing vulnerability scans to cover all network and hardware components, firmware, and operating systems.
Adhering to a strict patch management schedule.
Adding threat detection and prevention capabilities to email systems to combat common email attack vectors such as phishing, whaling, spoofing, etc.
Segmenting critical network components and services, particularly any business-critical and/or highly sensitive elements of the environment.
3. Identity & Access Management | How do we secure against illegitimate users?
The increase in phishing attacks and the effectiveness of threat actors in infiltrating login credentials mean that financial institutions must implement the right controls for identity and access management. This includes authentication controls for customers, employees, and any third-party access to sensitive systems. To build up a strong set of identity and access management controls:
Implement multi-factor authentication (MFA) policies, network segmentation, and role-based access control (RBAC). This significantly enhances security by adding an additional layer of authentication beyond just passwords and minimizes the risk of unauthorized access to critical systems and data.
Use the Principle of Least Privilege (PoLP), where users should be only granted the minimum level of access required to perform their responsibilities. This principle reduces the rolling impact should an account become compromised.
Set up means for continuous monitoring, regular account audits, and encryption protocols. Real-time monitoring of user activities and access patterns allow security teams to quickly detect and respond to potential signs of breach. Using strong encryption protocols for authentication ensures that sensitive information like passwords is transmitted securely.
As geopolitical and socio-economic sands continue to shift, the targeting of financial institutions and the banking sector by sophisticated and well-funded threat actors continues to be a top concern.
Threat actors continue to refine their techniques and our defense against these attacks needs to evolve in parallel. Enhancing cybersecurity measures, information sharing, and early threat detection are now pivotal to both safeguarding financial systems and mitigating geopolitical tensions.