Cybersecurity risks to financial institutions, such as banks and financial services, have grown in recent years despite the industry being heavily regulated to protect customers' data.
Flagstar Bank, which operates 150 branches and is one of the largest mortgage servicers in the U.S., acknowledged on June 17 that it suffered a data breach after hackers gained access to customers' personal information. The cyberattack on Flagstar Bank is not an isolated case, as financial institutions have become leading targets for cyber criminals. According to Check Point, there were 703 reported cyberattack attempts per week in 2021 within the industry, which was a 53% increase from 2020.
“Cyber incidents pose a threat to the stability of the global financial system,” the Financial Stability Board (FSB) warned in a report. “A major cyber incident, if not properly contained, could seriously disrupt financial systems, including critical financial infrastructure, leading to broader financial stability implications.”
Financial institutions face a challenging environment amid digital transformation
An accelerated digital transformation under the COVID-19 pandemic and increasing geopolitical tensions are the two ongoing trends that exacerbate the risk.
Since the COVID-19 pandemic, financial institutions have adopted new technologies to meet high demand for online financial services, which increases their attack surface.
Experts warned that banks’ automated solutions, such as machine learning models, pose more risk than the systems operators might have targeted in the past.
“When you introduce machine learning into any kind of software infrastructure, it opens up new attack surfaces, new modalities for a system’s behavior might be corrupted,” Abhishek Gupta, the founder and principal researcher at Montreal AI Ethics Institute, said in a recent interview with The Wall Street Journal. “There’s a sense of brittleness in that entire architecture, like a house of cards. You don’t know which of the cards that you pull out will lead to the whole thing collapsing entirely.”
Meanwhile, the emergence of hybrid work structures amplifies the complexity of IT systems. Companies rush into cloud applications but fail to plan for the risk. For instance, cloud sprawl may occur if companies fail to monitor the number and type of cloud services they use. And employees with little IT training may misuse cloud applications, reusing the same password for work and personal accounts.
While cyber criminals attack financial services for profit, state-backed hackers and patriotic hacktivists target the industry for political leverage, with global tensions rising over Ukraine.
“When you sort of marry what’s going on with Russia and Ukraine and China and other actors around the world geopolitically, you have to come back and think that one of their major weapons is cyber,” Goldman Sachs Group Inc. President John Waldron said at a January event.
Ransomware, phishing among key threats to financial institutions
Defenders should better understand attack vectors in recent cyber incidents so that they can preclude increasingly sophisticated attacks.
Ransomware remains the top cyber threat to financial institutions. The banking industry experienced a 1,318% increase in the number of ransomware attacks during the first half of 2021, compared with the same period a year ago, according to multinational cybersecurity company Trend Micro.
Ransomware is a type of malware attack that locks and encrypts companies' data and files, and demands a payment to unlock and decrypt the data. Although most financial institutions have upgraded their data backup systems to defend against attacks, ransomware has evolved in response — attackers have begun to exfiltrate sensitive files before encrypting them, and threaten to leak the data if victims do not pay.
As a result of sophisticated methods, attackers have successfully targeted large financial services, such as the insurance company CNA Financial Corp. CNA paid $40 million to regain control of its system after attackers deployed malware called Phoenix Locker, a variant of ransomware invented by a Russian cybercrime group, on the company's network in March 2021, according to Bloomberg.
Phishing attacks have also posed significant risks to the industry in recent years. The number of phishing attacks reached a record high in the first quarter of 2022, exceeding one million, and the financial sector accounted for the largest share, with 23.6% of all attacks, according to a recent report by the Anti-Phishing Working Group (APWG).
Phishing is a social engineering attack that steals users’ data by tricking them into clicking malicious links or visiting counterfeit websites.
Leading financial firms, such as Charles Schwab Corp., Chase Bank, and RBC Royal Bank, are popular brands being spoofed in phishing URLs, according to Magni Sigurðsson, Senior Manager of Detection Technologies.
While common phishing attacks require spoofed sign-in page development and hosting, the emergence of phishing-as-a-service (PhaaS) makes attacks easier, allowing attackers to have access to full-scale phishing campaigns without having to set up everything themselves.
Beyond evolving phishing kits, phishing continues to expand under digital transformation.
“We have seen an uptick in QR-based attacks as the relatively overlooked technology became more popular during the pandemic,” Sigurðsson wrote in a blog post. “These attacks are again effective at evading traditional email security tools, as the QR code itself is not a malicious asset and its link destination cannot be read by detection technologies optimized for text URLs and virus signatures.”
Small banks struggle to defend against cyberattacks
Cybersecurity experts urge collaborative cyber defense before the threat landscape worsens further.
"Unlike many sectors, most of the financial services community does not lack resources or the ability to implement technical solutions," cybersecurity experts Tim Maurer and Arthur Nelson wrote in a report published by the International Monetary Fund (IMF). "The main issue is a collective action problem: how best to organize the system's protection across governments, financial authorities, and industry and how to leverage these resources effectively and efficiently."
Some of the nation's largest banks, including JPMorgan Chase & Co., Bank of America Corp. and Morgan Stanley, are now working closely with the Treasury Department to practice how they would collaborate with each other to better defend against cyberattacks, according to Bloomberg.
While big players support each other to harden their defenses, small banks are struggling with the high cost of defending themselves against cyberattacks.
In 2021, Kaseya, a U.S. information technology firm that supports many small banks' financial services, found itself experiencing a ransomware attack. Although the system was fixed later without a ransom payment, cybersecurity experts and community bank leaders worried about future attacks.
Jeff Newgard, CEO of Bank of Idaho, a $700 million community bank, called on Congress to better support small banks in boosting cyber defense.
"We don't have information as it becomes available on the government side," Newgard said during an interview with MarketWatch. "We feel like we're about a half step behind."