Financial Services is among the industries most frequently targeted by cybercriminals, both because of the valuable financial data and critical assets it gives them access to and because digitization in the sector has opened up new attack opportunities. Organizations in the sector control large volumes of valuable data, which can be easily monetized if leaked or stolen. Financial institutions are also part of a growing interconnected network of third parties, partners, and applications meant to make customers’ digital experiences smoother, which expands their attack surface and makes these institutions even more vulnerable to both direct and third-party attacks.
Why are Financial Services organizations targeted frequently?
- Large volumes of valuable, easily monetizable data – Finance sector organizations store, transmit and use vast volumes of critical data, meaning that cybercriminals have a lot to gain if they can successfully exfiltrate this data. Carefully executed phishing campaigns can yield high returns even if only a small percentage of victims take the bait and respond to fraudulent credit transfer requests. In ransomware attacks, not only can the perpetrators hold stolen data to ransom, they can also easily sell it on the dark web if the ransom is not paid. Bank account information, credit card numbers and other financial datasets are among the most highly priced records on the dark web.
- Growing network of third parties and connected apps – In order to provide smooth and fast digital transactions, payments, and banking experiences to customers, financial services companies depend on a slew of connected third-party apps, services and vendors. This means that even organizations with very strong internal defenses can be victims of attacks that use weaker vendors in the supply chain as entry points into bigger organizations’ networks.
- Sharp increase in online banking following the pandemic – Most banks have seen a sharp increase in the number of customers using digital solutions because of the speed and convenience of online banking and financial services, which gained further momentum after the COVID-19 pandemic hit in 2020. It is estimated that by 2025, there will be more than 215 million consumers of digital banking in the US (report by Kenneth Research, a New York-based market research agency). While convenient, internet banking exposes both account holders and banks to greater cyber risk as it opens up new opportunities for intrusion.
Data breaches in the Finance sector
From January 2018 to June 2022, a total of 153.3 million records were compromised in data breaches targeting finance companies in the US, with insurance companies, banks and investment companies accounting for the highest numbers of attacks (Comparitech study, July 2022). Among the 50 US states, California, New York and Texas were the worst hit. The most damaging breaches in recent years were the Capital One breach in 2019 that affected 100 million records; the Cash App Investing breach in 2021 that affected 8.2 million records; and the Dave, Inc. breach in 2020 that affected 7.5 million records.
Worldwide, there were 2,527 cyber incidents in the Finance and Insurance sector in 2021, with 690 resulting in confirmed data disclosure, according to Verizon’s 2022 Data Breach Investigations Report. The average cost of a data breach in the sector was USD 5.97 million in 2022 (2022 Cost of a Data Breach report, IBM), which is significantly higher than the cross-industry average of USD 4.35 million.
79 percent of the data breaches in the sector resulted from Basic Web Application Attacks, System Intrusion and Miscellaneous Error. A large number of attacks (especially web application attacks) involved the use of stolen credentials. Additionally, misdelivery, or the accidental delivery of sensitive data to the wrong recipient, was three times higher in the Financial sector than in other industries.
Recent incidents that targeted Finance organizations
ION Cleared Derivatives: On January 31, 2023, ION Cleared Derivatives, a division of the UK-based ION Markets, was hit by a ransomware attack that impacted several banks and brokers in the US and Europe. They had to switch to manual processing of trades while the service was disrupted, which caused significant delays. The ION Group is a trading solutions company for equities, fixed income, forex trading and secured funding, and the subsidiary that was targeted provides software to automate the trading cycle and the derivatives clearing process.
PayPal: California-based electronic payments company PayPal suffered a credential stuffing attack in early December 2022, in which unauthorized third parties were able to access almost 35,000 customer accounts that contained account holders’ full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers. The company started notifying customers of the breach around mid-January.
Binance cross-chain bridge attack: In October 2022, cybercriminals stole $570 million from crypto exchange Binance in a cross-chain bridge hack. After discovering the exploit, Binance Smart Chain temporarily suspended fund transfers. The attack also affected the value of Binance Coin, which fell by 3.4 percent. The Binance hack was just one of several cross-chain bridge attacks in 2022, with Chainalysis (a New York-based blockchain analysis firm) estimating that almost $2 billion in cryptocurrency funds were stolen in 13 separate cross-chain hacks.
Ransomware and Cyber Insurance in the Finance Sector
Sophos’ 2022 State of Ransomware study found that 55 percent of Finance sector organizations were hit by ransomware in 2021, and data was encrypted in 54 percent of the attacks. As many as 91 percent of the organizations surveyed said that ransomware attacks affected their ability to operate, while 85 percent said that attacks resulted in business/revenue loss.
Cyber insurance: While 83 percent of financial services organizations report having cyber insurance coverage to soften the blow from cyber attacks, insurance payout rates in the sector are only 32 percent – much lower than the cross-sector average of 40 percent. Cyber insurance policies are driving finance organizations to handle cybersecurity differently. With insurance companies tightening their policies and making coverage prerequisites stricter, organizations are making greater efforts to harden their security posture to improve their chances of securing coverage.
What organizations can do for stronger cyber defense
To keep operations running smoothly, protect their own and their customers’ data, and meet regulatory compliance and insurance requirements, organizations need to implement strong data protection and security controls, and make informed security investments.
Financial Services organizations, in particular, can benefit from a data-centric approach to cybersecurity where they have greater visibility into and greater control over their data, in addition to effective vulnerability management, secure configuration, and clear risk assessment reporting.
While focusing on data protection across the data lifecycle, IT and security teams must build multiple layers of security controls across the network and endpoints to prevent attacks, and limit damage from intrusions that do happen.
Some basic steps that organizations can take to stay protected are:
- Protect their data, starting with discovering sensitive data in their environments and classifying it based on criticality, followed by steps to secure it (encrypt, create backups, delete, move to a secure location, and so on)
- Implement strict access controls based on the principle of least privilege, and turn on multi-factor authentication across services and systems
- Implement strong preventive controls including internal and external vulnerability management, secure configuration of operating systems and apps, web app security and more
- Segment networks to protect against lateral movement of threats inside the network
- Use effective detection and response technologies to quickly tackle sophisticated threats that bypass perimeter controls
- Create and test detailed incident response plans and playbooks to handle potential incidents
- Get visibility into brand mentions, stolen/leaked internal data, and discussions about the organization on the dark web
- Generate clear, easy-to-understand cyber risk assessment reports that simplify communication with the board and senior leadership
- Quantify and monetize cyber risk and use this data to create better security programs, prioritize risk areas, allocate resources, and make technology investment decisions
Third-party evaluation: In addition to instituting and carefully implementing security measures to protect their own systems, data and infrastructure, organizations must also create a strong evaluation process for vendors and third parties that need access to any part of their environment/data. IT and security leaders must have a clear understanding of what services their vendors provide, and what degree of access they need. They must also evaluate vendors’ security controls and make sure that these are aligned with their own security policies and compliance requirements.
How CYRISMA helps
CYRISMA enables businesses to implement strong preventive security controls and reduce risk with its multi-feature cyber risk management platform. By combining essential risk discovery, assessment and mitigation tools in a single platform, CYRISMA allows IT and security teams to streamline cybersecurity operations, reduce complexity, and manage risk more efficiently. In addition to identifying and fixing vulnerabilities, strengthening system configuration and discovering and securing sensitive data, organizations can also use CYRISMA to quantify risk in financial terms, allowing them to make better security investments that have real impact.