
Digitalisation and cyber risk: Do banks have their heads in the cloud?

By Libero Marconi, Director with Alvarez & Marsal and Vishal Pandey, Senior Director with Alvarez & Marsal’s Disputes and Investigations Global Cyber Risk Services practice.

As the financial sector grows increasingly digitised, both cyber and data risks have developed in tandem, with the need to proactively combat such threats becoming paramount for financial institutions.

The adoption of cloud computing technology by financial institutions, alongside the outsourcing of key tasks supporting the digital banking service delivery to third party vendors, is allowing them to streamline operations and work seamlessly across borders. On the flip side, the migration opens up said firms to increased, and rapidly evolving, risk of cyberattacks and data breaches, as well as the reputational damage these bring about.

On top of this, the advent of digital banking has meant that customers themselves are increasingly at risk of being duped or defrauded, most commonly through phishing and malware. The latest data released by the Financial Crimes Enforcement Network, for example, shows that the number of ransomware-related transactions flagged by US banks increased by more than 100% from 2020 to 2021[1].

Regulators are fast attempting to address the trade-off between innovation and cybersecurity, issuing new rules and guidance to ensure firms are best prepared to fend off any unwelcome attacks.

But what are the risks exactly and how are they being addressed?

Third parties and the cloud

While mass migration to the cloud has been pronounced among financial services institutions in recent years, it has not always been seamless. Even though existing infrastructure and capabilities may limit a firm's ability to detect and address new risks and vulnerabilities, firms commonly move applications and infrastructure to the cloud without adequate planning – especially where cybersecurity and data access controls are concerned.

One issue commonly seen is that legacy infrastructure with physical firewalls and existing network segmentation/design may not readily adapt to, or fit within, the targeted cloud architecture. Controls that do not translate to the new environment leave gaps and vulnerabilities in the firm's cybersecurity posture.

Security controls are implemented differently in the cloud because of the tools that are native to each cloud provider’s environment and the fact that cloud providers typically take responsibility for the security of the lower-level infrastructure layers. The shared-security responsibility between cloud providers and the clients they host changes how organisations should anticipate and prepare for security risks.

Dependence on a single cloud vendor can also increase cyber risk significantly for financial institutions. The Federal Reserve Bank of New York has previously warned about a “transmission of a shock throughout the network” in the event financial services are connected through a “shared vulnerability”[2]. Meanwhile, the Bank for International Settlements said in July that the financial sector’s growing fondness for cloud computing was “forming single points of failure” and “creating new forms of concentration risk at the technology services level”[3].

If successful, an operation carried out by a cybercriminal on a commonly used vendor can go undetected, especially if the responsibility model between the cloud service provider and the organisation is not clearly and comprehensively understood. To avoid this, institutions should ideally develop an IT security and risk programme for their cloud usage that spans both people and processes.

Cybercriminals are now capitalising on the increasingly interconnected financial system and turning to so-called “island hopping” attacks to reach their targets. Such attacks are hacking campaigns that target an organisation’s more vulnerable third-party vendors to circumvent the target company’s defences and gain access to their network…

This can be mitigated by institutions developing a comprehensive third-party vendor management program, and appointing key personnel with dedicated roles and responsibilities to manage vendors and associated cybersecurity risks.

Allocating clear reporting chains and accountability also goes a long way, as does ensuring that key processes are in place: classifying and optimising the vendor portfolio, formalising plans before onboarding vendors, securely managing transitions when arrangements change, and effectively terminating vendor relationships.

Ensuring that contracts, vendor performance, and vendor relationships are managed and closely monitored is also key for firms. They should aim to improve their third-party vendor management programmes by conducting rolling reviews.

Regulators have chimed in on the issue as the risk has compounded in recent years. In recent months, the Bank of England conducted a survey of executives in the UK financial sector, finding that some 74% of respondents considered a cyberattack to be the highest risk to the financial sector in both the short and long term, with inflation or a geopolitical incident trailing behind[4].

The BoE’s Prudential Regulation Authority is also investigating concentration risk of cloud provision and whether this presents a systemic risk to the financial sector, which is likely to affect both providers and customers[5].

It said that while it recognises the potential benefits of services provided by third parties, their failure, or severe disruption to their material services, could pose risks to individual firms, to financial market infrastructure firms and even to the UK’s wider financial stability. The regulator is also asking for input on the role of big tech in the financial sector.

Gone phishing

Additionally, the advent of digital banking has meant that users are increasingly at risk of being duped, most commonly through phishing attacks. Hackers often contact bank customers posing as bank representatives with the underlying aim of stealing login credentials, credit card or financial information, and sensitive personally identifiable information, among other sensitive data.

Defending against this is made harder because steps that seem rational and routine to bank staff may not align with consumer behaviour – victims often do not see warnings, or see them but deem them irrelevant.

Such attacks have proven very successful, owing to the carefully crafted attack messages and the seemingly authentic appearance of these communications, which make them difficult to detect. Newer techniques have also emerged: “whaling” is a process whereby emails are sent targeting chief executives, while “spear-phishing” is another electronic communications attack vector targeted at a specific individual, organisation, or business.

Digital banking services providers can counter such attacks by employing data analytics and machine learning to detect fraud, and appropriately escalating and responding to such incidents in accordance with a documented response plan and playbook. Additionally, they can educate customers on good digital practices, utilise customer behaviour profiles to pick up on unusual behaviour, and implement multi-factor authentication.
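The paragraph above mentions customer behaviour profiles, unusual-behaviour detection and multi-factor authentication without showing how they fit together. The following is an added illustration, not code from the article or from Alvarez & Marsal: it builds a per-customer baseline (countries, devices, login hours, transaction amounts) from a constructed event history, scores a new event against that baseline, and maps the score to an allow / step-up MFA / escalate decision. The feature weights, thresholds and sample data are assumptions chosen for the example.

```python
"""Behavioural-profile scoring for digital-banking events (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    customer: str
    hour: int       # local hour of day, 0-23
    country: str    # country code from IP geolocation
    device: str     # device fingerprint identifier
    amount: float   # transaction amount


# Constructed history describing "normal" activity for two hypothetical customers.
HISTORY = [
    Event("c1", 9, "GB", "dev-a", 40.0),
    Event("c1", 12, "GB", "dev-a", 55.0),
    Event("c1", 18, "GB", "dev-a", 35.0),
    Event("c1", 10, "GB", "dev-b", 60.0),
    Event("c1", 20, "GB", "dev-a", 45.0),
    Event("c2", 8, "DE", "dev-c", 500.0),
    Event("c2", 9, "DE", "dev-c", 480.0),
    Event("c2", 7, "DE", "dev-c", 520.0),
    Event("c2", 8, "DE", "dev-d", 510.0),
]


def circ_dist(a, b):
    """Distance between two hours on a 24-hour clock (e.g. 23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def build_profiles(events):
    """Aggregate each customer's history into a baseline profile."""
    per_customer = defaultdict(list)
    for e in events:
        per_customer[e.customer].append(e)
    profiles = {}
    for cust, evs in per_customer.items():
        amounts = [e.amount for e in evs]
        profiles[cust] = {
            "countries": {e.country for e in evs},
            "devices": {e.device for e in evs},
            "hours": {e.hour for e in evs},
            "amount_mean": mean(amounts),
            "amount_std": pstdev(amounts),
        }
    return profiles


def score_event(event, profile):
    """Return (risk_score, reasons) for an event measured against a profile.
    Weights are assumptions for this example, not a published scoring model."""
    score, reasons = 0, []
    if event.country not in profile["countries"]:
        score += 3
        reasons.append("new country")
    if event.device not in profile["devices"]:
        score += 2
        reasons.append("unknown device")
    if min(circ_dist(event.hour, h) for h in profile["hours"]) > 3:
        score += 1
        reasons.append("unusual hour")
    std = profile["amount_std"] or 1.0   # guard against a zero-variance history
    z = (event.amount - profile["amount_mean"]) / std
    if z > 3:
        score += 2
        reasons.append(f"amount z-score {z:.1f}")
    return score, reasons


def assess(event, profiles):
    """Map an event to a decision. Customers with no baseline get step-up MFA
    rather than a silent allow, because nothing can vouch for them yet."""
    profile = profiles.get(event.customer)
    if profile is None:
        return "step_up_mfa", ["no baseline for customer"]
    score, reasons = score_event(event, profile)
    if score >= 5:
        return "block_and_escalate", reasons
    if score >= 2:
        return "step_up_mfa", reasons
    return "allow", reasons


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for ev in (Event("c1", 11, "GB", "dev-a", 50.0),
               Event("c1", 13, "GB", "dev-z", 50.0),
               Event("c1", 3, "NG", "dev-z", 2500.0)):
        print(ev, "->", assess(ev, profiles))
```

The decision tiers are the point: a single weak signal (an unrecognised device) triggers step-up authentication rather than a block, so the legitimate customer is inconvenienced only briefly, while several signals at once (new country, new device, out-of-pattern hour and amount) route the event to the response playbook the article refers to.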

Malware-related attacks involve malicious software injected into endpoint or mobile devices, servers, or networks. Malware – for those not familiar with the term – can come in the form of worms, viruses, spyware, ransomware, etc. According to recent research, the number of known malware attacks crept up by 11% in the first half of 2022 to 2.8 billion, with the financial sector being actively targeted[6].

In the event an end-user’s device (e.g. a bank employee’s or a trusted third party’s) is compromised with malware, it could pose a threat to a bank’s digital network if that device then connects to the organisation’s network. From a customer perspective, if a customer carries out an online transaction using an infected device or system, the malware may steal the user’s credentials and contribute to fraudulent activity.

Protecting digital banking systems and infrastructure from malware can begin with runtime application self-protection solutions, strong antivirus and Endpoint Detection and Response (EDR) software, alongside multi-factor authentication and behavioural analysis to help protect the user even if a successful attack has exfiltrated sensitive credentials.

Regulatory horizon

In one of the most significant regulatory moves this year, the European Union reached provisional agreement on the new Digital Operational Resilience Act (DORA) in May. This regulation is specifically tilted toward the banking and financial services industry, and aims to strengthen the security of institutions by imposing resilience requirements and regulating financial institutions’ contractual relationships with their suppliers.

However, the regulation extends far beyond the EU and its financial sector by virtue of its aims. DORA’s uniform requirements for the security of network and information systems also address critical third-party vendors providing information and communications technology related services to the financial sector, such as cloud platforms and data analytics.

More broadly, members of the European Parliament recently approved rules requiring EU member states to comply with tighter supervisory and enforcement measures and harmonise their sanctions. The legislation sets out tighter cybersecurity obligations for risk management, reporting obligations, and information sharing.

Operational resilience has also been a major focus in UK financial services for some time, and it is likely that the UK will legislate its own version of DORA in the next year.

In the United States, two significant regulations have come about in 2022 that look to address the issue. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law in March this year and calls on critical infrastructure companies – including financial services – to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).

The Securities and Exchange Commission (SEC) also proposed a rule that same month that would require publicly-listed companies to begin reporting their cybersecurity capabilities and their board’s cybersecurity expertise, as well as any cybersecurity breaches, to the SEC within stipulated timeframes.

Conclusion

It is clear that financial institutions face unprecedented challenges as their embrace of digital solutions continues to move at a fast pace – something that regulators have recognised and are addressing by establishing rules and guidance accordingly. However, in order to minimise risk and disruption, firms must implement well-defined and planned security controls when migrating to cloud solutions and infrastructure – and should vet the critical third parties to which they outsource sensitive functions. Alerting and educating customers and employees on good digital banking practice and awareness is also a key tenet of the battle against cyber risk.

[1] https://www.fincen.gov/sites/default/files/2022-11/Financial%20Trend%20Analysis_Ransomware%20FTA%202_508%20FINAL.pdf

[2] Cyber Risk and the U.S. Financial System: A Pre-Mortem Analysis – FEDERAL RESERVE BANK of NEW YORK (newyorkfed.org)

[3] Big tech interdependencies – a key policy blind spot (bis.org)

[4] Systemic Risk Survey Results – 2022 H2 | Bank of England

[5] DP3/22 – Operational resilience: Critical third parties to the UK financial sector | Bank of England

[6] Mid-Year Update to the 2022 SonicWall Cyber Threat Report | Threat Intelligence