Cyberattackers raising stakes in financial sector, security experts tell House subcommittee

Cyberattacks on the U.S. financial sector amid COVID-19 rose 238 percent over the first five months of 2020, VMware/Carbon Black told Congress during a House Subcommittee on National Security, International Development and Monetary Policy virtual hearing Tuesday.

Four NGOs brought to lawmakers' attention how attackers are raising the stakes with fraudulent schemes, and the need for public and private sector vigilance, during testimony for the nearly two-hour session entitled “Cybercriminals and Fraudsters: How Bad Actors Are Exploiting the Financial System During the COVID-19 Pandemic.”

In his opening statement, subcommittee Chairman Emanuel Cleaver, D-Mo., cited a 148 percent spike in cyberattacks in March compared to February, and said the financial sector saw a 38 percent increase in ransomware attacks in that period. Cleaver said cybersecurity complaints to the FBI’s Internet Crime Complaint Center quadrupled in the past four months, from 1,000 daily before the pandemic to as many as 4,000 incidents in a day.

Ninety percent of the financial sector’s employees are working from home, making exploitation even more probable due to vulnerabilities without the perimeter defenses found in a corporate environment, noted Tom Kellermann, VMware head of cybersecurity strategy.

“CISOs of financial institutions are being marginalized, and their strategies need to be enacted fully,” he testified.

Financial institutions’ third-party partners and vendors are being increasingly targeted. According to the May 2020 VMware Carbon Black report, “33 percent of surveyed financial institutions said they’ve encountered island hopping, an attack where supply chains and partners are commandeered to target the primary financial institution.”

The globe’s elite hackers, composed of organized crime syndicates and motivated nation-states, are well familiar with the potential attack landscape, Kellermann noted.

The North American Securities Administrators Association (NASAA) formed a COVID-19 task force to identify website and social media posts that are offering or promoting investment fraud or unregistered regulated activity, testified Amanda Senn, chair of NASAA’s cybersecurity committee, who also is chief deputy director of the Alabama Securities Commission.

“While the schemes observed by the Task Force are manifold, many involve a cryptocurrency or promote investments that are outside the stock market – perhaps due to recent market volatility,” Senn testified.

She noted that senior citizens are particularly vulnerable to such fraudulent ploys, and she pointed out that the Senior Investor Protection Grant Program was originally established and authorized by Section 989(A) of the Dodd-Frank Act, but never put into effect. Senn advocated that seniors now be protected in pandemic-specific legislation for victims of securities abuse.

“Bad actors are committing malicious acts before COVID-19 and they will certainly do so after this crisis subsides,” said National Cyber Security Alliance Executive Director Kelvin Coleman. He said Congress “should consider making game-changing investments in cybersecurity awareness and education.”

Also testifying was Jamil Jaffer, founder and executive director of the National Security Institute, who urged Congress to provide additional resources to the U.S. Secret Service to investigate and directly address the very real cyber threats to financial institutions.

House full committee Chairwoman Maxine Waters, D-Calif., making a late appearance, asked the witness panel whether minority communities with limited English proficiency might be particularly vulnerable to cybercrime exploitation.

Coleman said his organization relies on spreading such educational information through existing and trusted groups within those communities.
