In today’s society, there are new cybersecurity threats to the financial sector every day. Find out the most common risks for financial institutions here.
Cybersecurity threats pose a substantial risk to just about every company and individual all over the world. That may sound like hyperbole but according to USA Today, billions of people have been affected by cybersecurity attacks. Financial institutions are particularly at risk due to the massive amount of capital they oversee. Understanding the risks and how to protect yourself are vital in succeeding in the financial world.
What are the chances?
In 2017 also saw an uptick in the frequency of attacks, increasing between 32 percent and 47 percent depending on the month. As we mentioned, everyone should be concerned about their own cybersecurity. However, who should worry the most? Those who have the most to lose. Cybersecurity threats to the financial sector are more real than ever. All financial institutions must assess their cyber risk.
Damage on multiple fronts
Failure to properly address inherent security risks can lead to damage on many levels. According to the International Monetary Fund, if a financial company suffers a cybersecurity attack, they could lose between 10%-30% of net profits for that year. But, that’s not all. Since the financial industry is so interconnected third parties attached to the financial institution typically also take a hit; it’s cybersecurity collateral damage. Creating financial stress for your partners is never good business and could lead to further strife down the road.
Then you also have to consider the damage to public perception. According to OnePoll, “86.55 percent of respondents stated that they were “not at all likely” or “not very likely” to do business with an organization that had suffered a data breach involving credit or debit card details.” Both Target and eBay saw substantial, $520 million in Target’s case, drop-offs in revenue in the year they endured cyber attacks.
Some companies may shrug off reputational damage, assuming people’s short attention spans will leave any lingering resentment in the past. According to a Ponemon institute’s consumer survey, “Data breaches were up there with poor customer service and environmental disasters for impacting brand reputation.”
Essentially, cybersecurity breaches ruin reputations. A security breach is on par with cable company customer service and oil spills with the damage can have on a company.
Financial institutions need to be extra careful as their security reputation is paramount in comparison with a department store like Target. People expect financial institutions to utilize the highest grade security possible and information breaches erode that trust over time.
Types of cybersecurity attacks
The impact cybersecurity attacks have on a company can be sorted into three different facets: integrity, confidentiality, and availability. Integrity relates to misuse of the system. Confidentiality covers information breaches. Availability deals with disruptions to services. There is bleed over within these categories.
For instance, a security breach caused by a former or disgruntled employee is both a confidentiality and integrity issue. There are also events that aren’t nefarious or from entities that could potentially affect your availability, like a natural disaster. Regardless, insulated and vigilant cybersecurity is designed to protect you from all of these intrusions upon your business.
Follow the money
Some people may assume that because the United States is so technologically advanced, cyber-attacks are rebuffed the vast majority of the time. Unfortunately, that isn’t the case. In fact, it’s the inverse. While in many cases, the United States does boast top of the line security, it also possesses much of the world’s money. Such reserves of wealth also translate into opportunities for hackers. The following graph by the Center for Strategic International Studies provides a visual of where cyber attacks occur and who propagated them since 2006.
It should be mentioned that cyber breaches are notoriously hard to calculate accurately. That’s because many companies don’t report cyber breaches in fear of negative publicity. However, based on the reported attacks, the United States is one of the hardest-hit countries in the world.
Size Doesn’t Matter
Some smaller financial institutions may think that they are insulated, due to safeguarding fewer assets than larger institutions. According to the data, that is just not the case. In fact, smaller institutions are more likely to suffer a cybersecurity attack than larger ones.
That’s likely due to less sophisticated security and not investing in cybersecurity due to budget limitations. Hackers are like predators in the wild – if they can find an easy meal without having to do any work, perfect. For hackers, finding a bank, an insurance company, or a credit card service business that’s operating without date patches is a great mark. Ideally, they want to make as much money as possible with as little work as possible. In this way, they aren’t that different than the average person.
That’s why regardless of size, financial institutions must take the proper steps to secure their assets from falling into the wrong hands.
Why are financial institutions at risk of cybersecurity threats?
The International Organization for Standardization created an equation to demonstrate the risk that high profile companies face. Essentially, “Risk is defined as a combination of consequences and likelihood.” The equation goes like this: Risk = F (Threat, Vulnerability, Consequences).
Obviously, threat levels for financial institutions are extremely high. Legions of hackers are out there. Some for their own gain and others at the behest of governments and even private institutions. There has been much written about the increased use of hacking as a show of military might. Just recently, Iran and the United States deployed cyberattacks upon each other. The Washington Post wrote on June 24th,
“Clearly, the threat level for everyone, not just financial institutions, is very high. Then there’s the vulnerability element. Part of the thrill of working in the financial sector is the rapid speed of transactions. Enormous sums of money are sent around the world at lightning speed. Such velocity is vital for businesses to stay successful. However, that hyper-interconnectivity comes with pros and cons.”
Since everything is connected, that can leave cracks for hackers to slip through. According to Sam Friedman,
“Many institutions have legacy systems that might not be resilient to cyber-attacks.” Hackers have also become far more sophisticated than ever before.
No longer are businesses facing a college drop-out in their mother’s basement. Instead, the threat comes from an army of extremely smart and talented individuals, who are utilizing cutting edge technology to make a living. The advancement in technology allows these individuals to launch more attacks than ever before, with zero concern over the cost of generating such attacks. Now hackers are able to send, literally, millions of attacks at a single time with the proper delivery system.
Single point of failure
Financial institutions depend on rapid transaction speed and global interconnectivity. Unfortunately, all of those critical financial market infrastructures like trading platforms, central security depositories, payment and settlement systems and central counterparties each serve as a Single Point of Failure. Therefore, a security breach at any one of those infrastructures could have far-reaching consequences, like any other institution. Financial institutions just have more to lose.
Distributed denial of service attacks
Regrettably, hackers have invented means of damaging the financial sector without actually hacking the financial institutions themselves. Instead, hackers target the mechanisms that enable the financial markets to do business, like power grids and cloud service providers. According to a 2018 report by the Lloyd’s of London, “A disruption of the top cloud provider in the U.S. for 3 to 6 days could lead to losses of around USD 24 billion with most losses occurring in the manufacturing and trade sectors, while losses for the financial sector would be limited to USD 450 million.”
In 2012, Bank of America, U.S Bancorp, Wells Fargo, PNC, Capital One, HSBC, Region Financial, SunTrust and JPMorgan all saw their services disrupted. The following year three of the largest banks in the Czech Republic and the stock exchange were hit with DDoS attacks. In 2014 seven of Norway’s largest financial institutions sustained DDoS attacks. The same year three banks in Finland lost all online services and were unable to allow customers to withdraw or make bank payments.
It is difficult to ascertain the total financial losses sustained in these types of attacks, as financial institutions often underreport or fail to report the financial details of attacks. You also must consider the financial hit to public perception. Hackers can be vindictive criminals.
In Bulgaria, in 2014, hackers sent large scale phishing emails reporting a particular bank was experiencing liquidity issues. Deposits outflows stacked up to 10% of all the banks’ deposits. The bank was forced to utilize a liquidity assistance scheme provided by the government. It’s hard to compute how hackers made money on the scheme. It appears their only goal was to damage the bank they attacked. Threats to security are especially scary when authorities cannot ascertain the motives.
Another cybersecurity threat that financial institutions must address comes from using the SWIFT system. The SWIFT messaging system is a system designed specifically for fast and secure transactions between financial institutions. However, in the past three years, there have been at least ten security breaches by hackers subverting the SWIFT system. Hackers were able to access SWIFT credentials and send fraudulent payments from the bank itself. Initial losses equaled $336 million. However, some of the banks were able to freeze transactions and recoup a portion of their losses.
Emerging Security Technologies
It sounds counter-intuitive but new technologies, at the outset, can be more exposed to security threats due to reliance on their advanced technology. Examples of such potentially vulnerable innovations include Fintech firms.
According to the Banking Journal, Fintech companies boast, “Flat, agile and open organizations that move at a fast pace, often making decisions in 24 hours, versus 24 months it often takes banks.” The Banking Journal goes on to say that:
Fintech organizations have made impressive technological advancements that cannot be ignored. The technology has created new business models, applications and processes, including peer-to-peer payments, online lending, proactive and real-time updates and alerts, and personalized communications and experiences. Fintechs are doing what banks have always done – and what consumers demand – only faster, cheaper and with better technology.
However, faster and newer innovations also come with the potential for unexpected security risks. Designing new and improved infrastructure are often accompanied by unforeseen speed bumps. Unfortunately, when it comes to the financial sector, unexpected issues can cause millions and millions of dollars in losses. Hackers love new technologies as it gives them the opportunity to find the inefficiencies and backdoors in the systems before the developers do.
Fintech firms lack controls, risk management, and vertically integrated intermediaries. The lack of these systems could lead to increased holes and cracks in security. Those are the openings that hackers are so adept at utilizing. Below is a graph outlining the known Fintech cybersecurity attacks since 2013.
Cybersecurity threats are everywhere and pose risks to everyone. Financial institutions are especially sought after targets for hackers due to the enormous amount of capital they oversee. They should take all precautions against the growing technological threats they face. Whether it is losses due to hackers or damage to public perception, financial institutions have the most to lose.
New technologies offer both solutions and potential risks. Understanding the threats you face, the plan to mitigate them and how to handle inevitable breaches must be laid out in stark terms. When a security breach occurs, there is no time for emergency meetings to work out a response. From top to bottom financial institutions whether they are central banks or fintech firms must be overly prepared for the litany of cybersecurity threats they face.
A quantitative tractable framework offers financial institutions the best chance to minimize potential threats. The more proprietary data you can supplement to the framework, the more effective the security framework will be. In the future, the design and appraisal of policy changes must be explored. In the cybersecurity world, there is no such thing as sitting back and enjoying the fruits of your labor. Check out RSI Security for more information on how you can maintain the cybersecurity of your institution.