By Dimitri Nemirovsky, Co-founder & COO, Atakama
The cybersecurity postures of banks and financial services organizations are being picked for holes – and not just by the ‘bad guys’. Institutions must take increasingly proactive measures to avoid falling both under the control of hackers and under the regulatory axe.
While new regulations are welcome, each change adds to the burden on banks. Recently, the New York State Department of Financial Services (NYDFS) proposed significant amendments to the Part 500 Cybersecurity Regulation, in response to the increasingly volatile security climate facing financial institutions. The proposed changes, expected to go into effect in 2023, will see far greater expectations of cyber expertise in relation to compliance, management, boards of directors, and CISOs in particular, as well as timelier notification over cybersecurity events and ransom payment, and stricter auditing for large organizations.
As we have seen with the original 23 NYCRR 500, NYDFS does not shy away from ruthless enforcement, and multiple multi-million-dollar fines have already raised the compliance stakes. But what remains ambiguous is the guidance available for banks on how to achieve this compliance. All too often, banks and covered entities, including health insurers and credit unions, are left to rely on hindsight after enforcement actions have taken place, only reflecting on lessons learned and penalties paid after the fact. With pressure now rising on banks to reach new levels of regulatory compliance, security decision-makers urgently need to reset their approach to data protection.
Hunted from all sides
Banks and credit unions are prime targets for cyber-criminals because of the volume of information they store about millions of customers and their finances. This has long been the case – yet Sophos’ annual study of security within financial services reveals how threats have recently expanded in scale, sophistication, and ruthlessness. For example, ransomware grew by 62% in 2021, with more than half (52%) of targeted organizations ultimately paying a ransom, yet only 10% getting their data back. These worrying figures highlight the vulnerability of banks as cybercrime groups increasingly seek to ransom and exfiltrate their sensitive customer and transactional data. Risks also abound with the sharp rise in double-extortion ransomware tactics, where hackers initially exfiltrate large quantities of private information, then encrypt the target’s files. Following this encryption, criminals can threaten to publish the stolen data on the dark web.
Organizations are also at further risk of severe reputational and financial damage at the hands of eager regulators. In the space of just three months in 2021, the NYDFS racked up $6.3 million in fines for cybersecurity non-compliance from four different firms in the state. One of these organizations, Residential Mortgage Services, Inc. (RMS) paid $1.5 million for failing to report or investigate a 2019 data breach, despite having cybersecurity measures in place. Meanwhile, National Securities was fined $3 million for several security failings, including a lack of multi-factor authentication (MFA) or ‘equivalent’ cybersecurity controls. Alongside significant financial penalties, these companies suffered reputational embarrassment and forensic investigation and remediation costs.
No time for checkbox security
It can only be a good thing that firms across the financial services sector are being held more accountable. However, with ‘constructive ambiguity’ shaping the original NYDFS regulation when it comes to specific cybersecurity measures, banks are largely being left to their own devices to chart the course to effective and compliant cybersecurity. This means that many are still relying on shallow, checkbox approaches to rote controls like encryption.
Under mounting pressure from both regulators and determined criminal groups, organizations must now change course. Centralized approaches to data security are wholly inadequate and fail to protect today’s extended attack surfaces, especially as banks accelerate digital transformation and increasingly embrace the cloud. Therefore, any bank that fails to implement dedicated and effective encryption leaves itself vulnerable to even the most unsophisticated ransomware and data exfiltration attacks.
This is because centralized identity and downstream access controls inevitably roll out the welcome mat for criminals. Attackers – both external and internal – are gifted with full, uninterrupted access to all systems, databases, and files from the moment they get hold of valid credentials – whether through phishing, social engineering, or any other nefarious method in their arsenal. They can then exfiltrate files containing sensitive data, costing the organization millions of dollars.
From Equifax to Yahoo and the Office of Personnel Management, recent years have seen several industry giants falling victim to massive data breaches stemming from stolen credentials. In fact, the most recent IBM Ponemon Cost of a Data Breach Report reveals that the use of stolen or compromised credentials is once again the most common cause of a data breach, costing an average of $4.5 million per incident.
With checkbox identity and centralized controls, it makes no difference that data is encrypted. Conventional encryption uses centralized keys linked to the same user credentials the attacker has stolen or replicated, offering no defense against data exfiltration.
A more layered approach: multifactor encryption
As both the security and regulatory landscapes evolve, banks must move away from outdated perimeter defenses and change their thinking about mitigation. They need layered solutions that work when all else fails, protecting sensitive data even when malicious actors are inside the perimeter.
An advanced, decentralized data protection strategy is essential. The use of multifactor encryption and distributed key management (DKM) allows financial organizations to eliminate reliance on identity as the basis of all data security, ensuring that sensitive data is safeguarded in the face of an exfiltration event. Criminals quickly realise that all their efforts to exploit the data are useless, as there is no single point of weakness.
How does multifactor encryption work? Data at rest is encrypted using AES-256. A multifactor solution generates a unique key for each object and then automatically fragments and distributes the key shards across physical devices – laptops, mobile devices, tablets, or servers – to eliminate central points of attack, central points of failure, and risky reliance on identity and access management controls.
Even when hackers gain access to a system, they are unable to decrypt files due to the multifactor encryption and DKM in place. This also applies when banks are migrating data to the cloud, as unstructured data remains protected with multifactor encryption – it is inaccessible even to the cloud provider itself, with only a select few users having the necessary key shards on the authorized physical devices.
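The key-splitting step described above, as an added illustration rather than Atakama’s product code: a fresh 256-bit key is generated per object and split with Shamir secret sharing, so that any threshold number of shards rebuilds the key while fewer shards reveal nothing. The field prime, the 3-of-5 quorum and the one-shard-per-device mapping are assumptions of this example.

```python
import secrets

# Mersenne prime 2**521 - 1: a field comfortably larger than any 256-bit key (assumed choice).
PRIME = (1 << 521) - 1
KEY_BYTES = 32  # AES-256 key length


def split_key(key: bytes, shares: int, threshold: int) -> list:
    """Split one object key into `shares` points on a random polynomial of degree threshold-1."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    secret = int.from_bytes(key, "big")
    # Constant term is the key itself; the other coefficients are random field elements.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):  # one (x, y) shard per holding device
        y = 0
        for c in reversed(coeffs):  # Horner evaluation at x
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_key(shards: list) -> bytes:
    """Lagrange-interpolate at x=0. Correct only with >= threshold shards; fewer give garbage."""
    secret = 0
    for i, (xi, yi) in enumerate(shards):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shards):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    # A below-threshold result is a random field element, so it may exceed 32 bytes.
    return secret.to_bytes(max(KEY_BYTES, (secret.bit_length() + 7) // 8), "big")


def demo(shares: int = 5, threshold: int = 3) -> dict:
    """Split a fresh per-object key across `shares` devices and test recovery."""
    object_key = secrets.token_bytes(KEY_BYTES)  # unique key per encrypted object
    shards = split_key(object_key, shares, threshold)
    return {
        "quorum_ok": recover_key(shards[:threshold]) == object_key,
        "other_quorum_ok": recover_key(shards[-threshold:]) == object_key,
        "below_quorum_ok": recover_key(shards[:threshold - 1]) == object_key,
    }
```

Any threshold-sized subset of shards rebuilds the key; a shard set one short of the threshold yields a value unrelated to the key, which is the property that makes a single stolen device or credential insufficient.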
Multifactor encryption also enables the analysis of encryption status and usage of data for compliance and business reporting requirements. Through an indelible audit trail, banks can demonstrate their active compliance to regulators during audits and inspections, helping organizations to satisfy mounting requirements. Administrators can also create customized alerts and notifications with detailed logging of user activity, allowing data insights to be fed into existing security monitoring solutions.
Rising to the regulatory challenge
The National Clearing House Association (NACHA), the body that governs electronic payment systems between almost every bank and credit union account within the US, has put encryption forward as one security solution, requiring account numbers to be unreadable when stored electronically by large non-financial institution originators and third-party service providers and senders. This is an important shift away from reliance on outdated identity and access management security. Technology such as multifactor encryption is sure to play a key role in helping financial institutions remain compliant, removing the threat of file exfiltration whilst effectively balancing data security and user accessibility.
As both regulatory scrutiny and ransomware risks hit an all-time high, banks simply cannot afford to rely on checkbox solutions and conventional centralized encryption. But through distributed key management and multifactor encryption, organizations across the sector can secure themselves and demonstrate best-in-class regulatory compliance, avoiding costly fines and reputational embarrassment.
Global Banking & Finance Review