Cybersecurity in Financial Services

Our economy is reliant on the financial sector.
Banks, credit unions, pension funds,
insurance companies, investment firms and other
financial services have access to our most sensitive data:
personally identifiable information (PII), account details,
transactional and business-related data.
Due to their simplicity and swiftness,
online financial transactions have become
the norm among consumers and services.
But among the advantages also arise drawbacks that need
to be addressed by the financial entities offering their services.

The 2024 Verizon Data Breach Investigation Report
shows that the financial sector recorded
3,348 incidents in 2023, with 1,115 confirmed breaches in the United States.
The greater percentage of the compromised data belonged
to the financial entity’s customers,
meaning they are the ones who face the most risks.
This report also exposed that the financial industry
was the second most attacked sector last year.
These statistics underscore the constant
risk financial service industries have to face every day.

Over the years,
banks have protected tangible cash and other physical assets
in their vaults with solid structures,
personnel restrictions and security guards.
They should do the same now with their digital assets.
In this day and age, where criminals are not only masked robbers
with guns but also online threat actors with nifty methods,
financial services still have the tough job of keeping them out.
That’s where cybersecurity can lend a helping hand.
There are measures that can be taken,
solutions that can be used,
and approaches that can be implemented.
All have the capacity to protect assets against
the constant barrage of cyberattacks faced by the financial sector.

What motivates financial services cyberattacks?

Financial services are a prime target for cybercriminals
due to several factors that make them especially attractive.
Gain — whether it be financial or informational —
is one of those factors.
Financial institutions hold a goldmine of valuable information
(account details, social security numbers, etc.).
If stolen, could be sold on the dark web for a high price
or used to commit further crimes.
Moreover, since these organizations mostly
rely on their digital infrastructure,
attackers can disrupt operations and demand large ransom payments,
which many organizations comply with
in order to return to normal activity.

Financial institutions have complex ecosystems,
with numerous interconnected players like customers,
vendors and third-party providers,
that have access to online platforms, mobile apps,
trading networks or global wire transfer systems.
The sheer complexity and interconnectivity
of financial infrastructures offer an ample attack surface
full of opportunities for cyber attacks
— something that motivates cybercriminals.

Another reason is impact.
A cyberattack can severely damage an organization’s reputation,
erode consumer confidence and even destabilize economies.
Systematic impact makes financial entities particularly appealing targets
for cybercriminals looking to cause widespread disruption and chaos.

All of these reasons give financial organizations
insight into why they are constantly targeted
and why they need a robust security posture.
Complying with established security standards
(which we’ll discuss further down)
is extremely important but not the only feature
that needs to be considered.
Let’s first examine the threats that financial entities endure.

Common cyber threats in the financial services sector

Financial institutions face a myriad
of cyber threats due to the reasons previously explained.
Each time an incident occurs,
the entity is at risk of suffering significant damages.
As earlier informed,
it is the end user that is most targeted by criminals.
However, the financial entity itself suffers business losses,
lawsuits and reputational damage as a result of cyberattacks.
It’s always better to know how cybercriminals work,
so here are some of the most common threats the financial sector is exposed to:

• Phishing attacks: These misleading emails or messages,
  which impersonate real entities or individuals,
  may contain malware that downloads to the receiver’s
  device with only a single click of a malicious link,
  or they may be sent with the intent to trick the recipient
  into disclosing sensitive information like login credentials.
  This tactic can be used on both company employees and customers.
  Examples include the OCBC phishing scam of 2021,
  which resulted in a $13.7 million loss
  and targeted this Singaporean bank’s customers,
  and the PerSwaysion spear-phishing campaign,
  which breached the email accounts of high-ranking financial executives.

• Social engineering: This tactic involves manipulating
  people into divulging sensitive information
  or taking actions that compromise security.
  Phishing attacks are a form
  of social engineering,
  but attackers can also use social media, phone calls,
  or even impersonate the company’s staff to trick employees.
  Examples include hackers tricking an employee
  of the Chilean interbank network Redbanc
  into downloading malware,
  giving them access to sensitive information,
  and the 2015 Dyre Wolf campaign
  that used advanced social engineering
  to steal around $1 million from companies.

• Ransomware: This looming danger encrypts critical data
  and blocks operating systems until a ransom is paid,
  disrupting operations and causing losses.
  Ransomware can be delivered in different ways.
  Some examples include the 2021 ransomware attack that
  hit the U.S. insurance firm CNA Financial
  and disrupted the company’s employee and customer services
  and the ransomware attack faced by
  the Israeli insurance company Shirbit,
  whose refusal to pay the ransom resulted
  in four class-action lawsuits amounting to $360 million
  from customers affected by the data breach.

• Distributed Denial-of-Service (DDoS) attacks: DDoS attacks overwhelm
  a server with fake internet traffic,
  making it unavailable to legitimate users
  and disrupting the financial institution’s service.
  These popular attacks can compromise online banking,
  customer accounts, employee portals, etc.
  Examples include the
  2022 Moscow Stock Exchange and Sberbank
  DDoS attacks that took their websites offline
  and the DDoS attacks on Dutch financial entities of 2018
  that left their (ABN Amro, ING and Rabobank)
  online and mobile banking services down.

• Supply chain attacks: Cybercriminals ….
  An infamous example of this is
  the Lazarus group attacks in South Korea
  via a supply chain that
  involved software used by this country’s banks and government agencies.

• Insider threats: This form of risk can be for different reasons:
  Sometimes, disgruntled or greedy employees can misuse sensitive information;
  other times, data can be accidentally leaked by inattentive employees.
  Examples include the 2010 Bank of America ATM fraud incident,
  where an employee installed malware on 100 ATMs
  and stole thousands of dollars,
  and the Scotiabank employee
  who put at risk a number
  of customers’ accounts by accessing them without a valid reason.

It’s absolutely crucial to identify and understand
these and other tactics (like zero-day or API attacks)
in order to develop more effective
and comprehensive strategies against ever-evolving threats.

Cybersecurity measures for financial services

Financial services should implement a comprehensive range
of cybersecurity measures to protect
all their assets from lurking risks.
They need a multi-layered defense to effectively combat cyber attacks,
and it should address various aspects of cyber security,
like prevention, detection, reaction and recovery.
The following are some essential measures to consider:

Adhere to compliance standards

Strict regulations are imposed by government agencies,
and some are not just requirements but rather state or federal laws,
so their compliance is non-negotiable.
They work to ensure that financial institutions protect client data
and safeguard them against financial fraud,
generally seeking to keep the clients’ confidentiality safe
and maintain trust between entities and customers.

The first step is to identify the specific compliance standards
that apply to their institution.
Depending on factors such as locations, offered services,
and size of the institution, different standards will apply.
Those standards include:

• Sarbanes-Oxley Act (SOX): This act
  of 2002 is a federal law that imposes financial reporting
  and disclosure requirements on all publicly traded U.S.
  companies and aims to protect investors and prevent accounting fraud.

• Gramm-Leach-Bliley Act (GLBA): This act
  of 1999, also known as the Financial Modernization Act of 1999,
  is a federal law in the U.S. that mandates financial institutions
  to protect the customer’s financial information
  and implement a data security program.

• Payment Card Industry Data Security Standard (PCI DSS): This set
  of policies and procedures governs the security of the cardholders’ data,
  such as credit card numbers, expiration dates and security codes.
  PCI DSS security controls help companies minimize the risk of data breaches,
  fraud and identity theft.

• New York Department of Financial Services (NYDFS):
  These cybersecurity regulations aim to
  guarantee that financial institutions protect their client data
  and information systems from attacks.

• General Data Protection Regulation (GDPR):
  This European Union legislation requires
  the protection of personal data and mandates strict norms on data processing,
  storage and transfer for organizations
  that handle EU residents’ personal information.

Once the relevant standards are identified,
financial institutions should outline the specific steps needed
to achieve and maintain compliance with each standard.
After implementation,
they should conduct assessments and audits regularly
to ensure there are no gaps or deficiencies in the policies
and procedures established.
Training and employee awareness programs are necessary
to educate employees about compliance standards,
regulatory requirements and best practices for upholding compliance.
They could also adopt a proactive approach
to checking compliance with automated tools.
From our end, Fluid Attacks offers continuous scanning
that is based on industry standards.
Our SAST tool performs scans that report
several non-compliance in your software.
Adhering and complying with regulations is essential
to preserving the partners’ and customers’ confidence
in the organization as well as avoiding substantial penalties.

Use solutions that prioritize security

There are several solutions or steps that a financial institution
can take in order to keep their information secure:

• Multi-factor authentication (MFA): This type of authentication
  grants access to resources only after the user provides
  two or more verification factors.
  Implementing MFA enhances user authentication and prevents
  unauthorized access to sensitive data and systems.

• Data encryption: Sensitive data managed by financial institutions
  should always be encrypted at rest or in transit,
  ensuring that even if intercepted by threat actors,
  it will remain unreadable and unusable.

• Endpoint security: Endpoints such as desktops,
  laptops, smartphones and servers should be protected with antivirus
  or other software that monitors the devices for irregular activity,
  unauthorized access attempts, malware detection and other threats.

• Patch management: Financial institutions need
  to prioritize timely application of security patches
  that software vendors regularly release to fix vulnerabilities
  in their products.

Implement security methodologies and plans

Responding to a cyber attack while it’s underway
sometimes would be like attempting to bail out water
from a sinking ship with buckets.
We believe prevention and planning are better than panicking,
being locked out of systems, paying ransom, losing business, etc.
One way to take action before the fact is
to have a proactive general approach to manage security,
which is what the zero trust architecture does.
The zero trust security model
assumes that no user or device in the network is inherently trustworthy.
That means that every access request, regardless of origin,
is strictly verified before granting access
to sensitive information or systems.
This philosophy is brought to reality with ZTNA
(Zero Trust Network Access)
helping mitigate the risk of insider threats
and unauthorized access attempts.

Another way to stay ahead of cyberattacks
is to conduct security awareness training.
Employees are often the first line of defense against cyberattacks.
Regular security training programs can educate staff
on how to identify phishing scams
or other social engineering tactics
and how to employ best practices,
like using strong passwords, to maintain systems secure.
This empowers employees to make informed decisions
and avoid falling victim to malicious attacks.

As cyber security is never 100% bulletproof,
it’s always recommended to develop
and maintain a comprehensive incident response plan that
outlines procedures for the detection,
assessment, containment and mitigation of incidents.
It is urged that the plan establishes clear roles
and responsibilities for team members,
that simulations and updates are conducted regularly
and that it is kept offline.

How Fluid Attacks helps the financial sector

At Fluid Attacks, application security is our priority.
For the financial service sector,
we emerge as an all-in-one solution that contributes
to security through different strategies.

• Secure software development: We encourage our clients
  to follow the best secure coding practices,
  and we conduct thorough security testing
  throughout their software development lifecycle (SDLC)
  with our automated tools and certified hacking team
  to identify vulnerabilities in their applications and infrastructure.

• Vulnerability identification: Our solutions,
  like pentesting and
  ethical hacking,
  have the endeavor of finding vulnerabilities,
  which are the door cybercriminals need to penetrate your systems.
  Using top-level tools, methods and their valuable expertise,
  our hacking team attacks your system (with your permission)
  the same way a malicious actor would.
  With their findings,
  which you receive through our platform,
  you can make an informed decision on how to proceed.

All of the aforementioned is part of
our Continuous Hacking solution,
which helps our financial services clients,
in fact all of our clients,
improve their security posture so they can provide a better service.
One of our financial services clients,
Protección,
calls us “an important ally” in their constant quest
for a more secure service.
Read more about their success story
here.
Feel free to contact us to see
how we can help your organization.