By Alexander Jones, International Banker
The global banking industry continues to be the target of the lion’s share of cyber-attacks, meaning that the stability of banks and the financial system as a whole remains under grave threat for the foreseeable future. The outbreak of the COVID-19 pandemic has only escalated this threat as the world has increasingly shifted towards the digital realm for its financial needs, while the move towards remote living and working has made the need to remain vigilant against attacks from malicious actors more pressing, especially given the expanded security perimeters and greater number of access points that are now vulnerable to attack.
Globally, “finance and insurance” was the most-attacked industry during the 2015-2020 period, according to IBM’s “X-Force Threat Intelligence Index Report” for 2022. Of those attacks, 70 percent were on banks, 16 percent on insurance organizations and 14 percent on other financial organizations. However, the report also noted that 2021 marked the first time during the five years of producing the report that “finance and insurance” was not the most attacked industry, having been marginally overtaken by manufacturing. “The financial industry’s drop from the first place suggests that the high security standards in place at most financial organizations are yielding concrete results and that the financial services industry is doing security right,” the report noted. “In addition, hybrid cloud environments are dominant at financial services organizations, allowing for better visibility into and management of sensitive data.”
Nonetheless, cyber-risk remains as palpable a threat to banking stability as ever. “Today, the assessment that a major cyberattack poses a threat to financial stability is axiomatic—not a question of if, but when,” the International Monetary Fund (IMF) acknowledged in March 2021. “Yet the world’s governments and companies continue to struggle to contain the threat because it remains unclear who is responsible for protecting the system. Increasingly concerned, key voices are sounding the alarm.”
Ransomware is arguably the most significant—and most frequent—form of cyber-attack, with banks frequently targeted by an expanding array of ransomware attacks. A February study by the cloud-computing firm VMware focusing on the evolving cybersecurity threats facing financial institutions surveyed 130 chief information security officers and security leaders. It found that a massive 74 percent of respondents had experienced one or more ransomware attacks, while 63 percent of those victims ultimately had to pay the ransom. VMware also found that the Conti ransomware group was the most prevalent in these attack campaigns.
US insurance company CNA Financial Corporation was subject to such an attack when its employees initiated a fraudulent browser update, resulting in CNA having to pay a hefty $40 million in ransom. “Much of the general public understands the basic profile of a ransomware attack, following attacks such as the one on Colonial Pipeline that caused a shortage of gas on the US East Coast in May 2021,” the report explained. “Attackers can choose among a well-funded ecosystem of readymade and available ransomware kits, use the kit to compromise a network, encrypt sensitive files within the network, and present a ransom note to the victim that asks for cryptocurrency in exchange for a decryption key that will unlock access to the files.”
And according to a November 2021 private industry notification from the US Federal Bureau of Investigation (FBI), ransomware actors “are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections.” The FBI also noted that before an attack, the malicious actor would have researched publicly available information regarding its chosen target, such as stock valuation, as well as material non-public information. “If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash,” the FBI added.
Phishing scams also remain a deeply concerning threat as an attack vector for compromising financial institutions, with the “X-Force Threat Intelligence Index Report” for 2022 observing that the practice—which typically involves tricking targets into revealing sensitive information such as passwords—was the most common infection vector for financial services, leading to 46 percent of attacks against the sector in 2021. And according to PwC’s (PricewaterhouseCooper’s) “Cyber Threat Report” for 2021, the North Korea-based threat clusters Black Alicanto (also known as Dangerous Password, Leery Turtle, CryptoMimic, CryptoCore, Operation SnatchCrypto) and Black Dev 2 (Operation Gold Hunting) have been among the most frequent sources of phishing attacks against financial-services entities. These clusters are cited for “often sending spear-phishing emails to targets as well as using lure documents related to cryptocurrency, or pretending to be legitimate joint venture pitches”.
Phishing-as-a-service (PhaaS) represents a particularly popular—and relatively new—method of attack on the financial-services industry, whereby operators employ the popular software-as-a-service (SaaS) model to provide an attacker with access to the resources required to execute a successful phishing attack. According to San Francisco-based cybersecurity firm Picus Security, common phishing attacks include spoofed sign-in-page development, website hosting, phishing mail-template creation, distribution of phishing emails, credential parsing and overall orchestration. “PhaaS is a game-changer in cybercrime because it eliminates several aforementioned operations, like spoofed sign-in page development and hosting. Attackers are no longer required to hack websites to host their malicious landing pages,” Picus explained in an article published on its website in March. “As a result, cybercrime becomes more accessible when a ready-made Phishing-as-a-Service solution or phishing kits are used. Now, even the most novice cybercriminal may run their own phishing campaign. For example, researchers detected a 300 percent rise in phishing attacks targeting Chase Bank between May and August 2021.”
Picus also cited web-application attacks as significant sources of cyber-attacks on financial institutions, highlighting Akamai’s “State of the Internet/Security” report for 2021, which counted a staggering 6.3 billion web attacks in 2020, of which 12 percent targeted the financial-services industry. The most common form of web attacks targeting financial services, moreover, were Local File Inclusion (LFI) (52 percent), whereby attackers nefariously induce a web application to expose sensitive files on a web server; SQL Injection (33 percent), in which attackers intercept queries that an application makes to its database; and Cross-Site Scripting (XSS) (9 percent), wherein attackers inject malicious scripts into trusted websites.
And an August 2021 study by cybersecurity firm Imperva Research Labs found that web-application attacks on the financial-services sector increased 38 percent between January and May of that year.
So, how can financial institutions reverse these worrying trends? “Ensure you can see the data first, then you can protect it, and all paths to it. This means protecting the organization’s websites, mobile applications, and APIs from automated attacks without affecting the flow of business-critical traffic,” Imperva advised. “It also means providing your business applications with full-function defence-in-depth with web application firewalls (WAFs), bot management, and runtime and API protection. Most importantly, it means having the capacity to discover and tag sensitive personal data as well as enrich and correlate the data to provide accurate behavioural analysis for threat prevention and mitigation.”
For banks, it is also worth consulting the recent work done by global regulators to combat cybercrime. In April 2020, for example, the Swiss-based Financial Stability Board (FSB), which globally coordinates the work of national financial authorities and international standard-setting bodies to develop effective regulatory, supervisory and other financial-sector policies, warned that “a major cyber incident, if not properly contained, could seriously disrupt financial systems, including critical financial infrastructure, leading to broader financial stability implications”.
As such, promoting resilience to cyber-threats has been one of the FSB’s highest priorities in fostering financial stability in recent years. In its October 2020 report, “Effective Practices for Cyber Incident Response and Recovery,” the FSB outlined its development in 2018 of a Cyber Lexicon to support the work of the FSB, standard-setting bodies (SSBs), authorities and private-sector participants to address financial-sector cyber-resilience, as well as a toolkit to provide financial institutions with a set of effective practices to respond to and recover from cyber-incidents to limit any related financial-stability risks.
“The toolkit, structured across seven components, comprises 49 effective practices that organisations have adopted while taking into account jurisdictions’ legislative, judicial and regulatory frameworks, the size of the organisation, the organisation’s role in the financial ecosystem and the extent to which stakeholders are affected by a cyber incident,” the report explained. “The toolkit is composed as a resource and reference guide for effective practices using common cybertaxonomies in a manner aligned to industry standards accessible to senior management, board of directors or other governance or compliance, risk, and legal professionals that interface with cybersecurity technical experts within the organisation, the SSBs or authorities.”
Greater coordination amongst global regulators will also help strengthen the industry’s resilience against large systemic cyber-attacks, with Fitch Ratings noting that such actions represent a “credit positive”. “The focus on systemic risk is to build better industry preparedness and cyber resiliency, to mitigate single points of failure and to ultimately lessen any negative effects of cyber-attacks. Growing geopolitical tensions are an added motivating factor for regulators, as a global cyber-attack on the financial system could have cascading effects,” Fitch recently observed. “Moreover, banking systems have become increasingly interconnected, and cyber risk is evolving into broader aggregations and concentrations within the financial supply chain. An incident at a single critical third or fourth-party vendor could lead to significant financial losses across the financial system.”