The financial services industry is especially vulnerable to cyber attacks. ATM card skimming, Trojan botnets targeting web application logins, denial of service attacks, and vendor management problems plague financial services organizations regardless of size. Because banks and nonbank financial institutions (NBFIs) are the foundation on which global economic systems sit, they are increasingly targeted by cyber attacks, any of which could trigger the next international financial crisis.
Today, financial institutions (FIs) encompass more than just “banks.” Commercial and investment banks may be the most obvious examples, but insurance companies, brokerages, and investment companies all fall under the definition. Moreover, nonbank financial institutions, regulated similarly to traditional banks, include savings and loans associations, credit unions, shadow banks, and fintech.
In many instances, FIs use shared platforms that enable communications, payments, and account reconciliations. These core platforms, as vendors, create security risks that can impact hundreds of FIs in a single attack. For example, a 2018 coding flaw in the Fiserv messaging platform enabled security researchers to change the code embedded in consumer alerts, giving them access to other customers' alerts. Malicious actors could easily use this kind of data leakage to obtain financial information. Moreover, an International Monetary Fund working paper detailed five international cyber attacks against the SWIFT network between October 2017 and January 2018. The SWIFT network enables banks to transfer funds to one another, making it a prime attack target.
These large core platforms represent only two of the issues facing FIs. Others include cybercriminals denying users access to their accounts through DDoS attacks, or inserting malware that captures users' login credentials when they sign in to their accounts.
It’s easy to start with the risks to the individual institution. Data breaches cause the same outcomes for financial institutions as for any other industry: breach costs lead to lawsuits, record recreation, and customer churn.
These alone would be enough to warrant stronger information security controls. However, in the famous words of late night infomercials, “but wait! That’s not all!”
Analysts continually point to the way in which a large-scale attack could undermine global economic security. A cyberattack against a single international platform such as SWIFT or Fiserv could lead to the next financial crisis. Crashing worldwide ATM and payment infrastructure would leave consumers unable to access cash or use debit and credit cards. Although the panic might subside rapidly, the security concerns and the loss of trust in FIs would linger.
These attacks don’t need to start with megabanks, either. Since FIs of all sizes connect to the same core platforms, a small community bank or credit union can be ground zero for an attack. Weak security at one member of the supply chain can threaten everyone connected to the system. These platforms carry all the security weaknesses inherent in any cloud service, so malware injected into a single web application can spread to any connected server, network, or application.
Even if an FI is located outside New York, the NY DFS Cybersecurity Rule can provide insight into the future of information security regulatory requirements. While many of its requirements mirror those already found in federal guidance such as the FFIEC or FDIC compliance manuals, the NY DFS rule focuses specifically on cybersecurity and data breach risks.
The regulation’s basic requirements include:
The regulation also incorporates several explanatory sections. Most relevant to small and mid-sized FIs are the following sections:
As with most organizations, a security-first approach ensures better data protection as well as stronger audit outcomes. Within the heavily regulated financial services industry, however, audits are less about maintaining customer confidence and more about being allowed to continue business operations.
Starting with the institution's business objectives, FIs need to create an enterprise risk management (ERM) program. However, even ERM may not cover all aspects of the business model. FIs should therefore look not only at enterprise risk but also at their Software-as-a-Service, Infrastructure-as-a-Service, and Platform-as-a-Service vendors. To mitigate the risks arising from new technologies, they should also incorporate integrated risk management focused directly on these implementations.
Most cybersecurity regulations start by requiring a risk analysis so that organizations can align controls to their own needs. Although FIs live in an audit-based world, the old methodology of working through a checklist does not apply to cybersecurity. With a security-first approach, FIs begin with controls and then review their control environment to fill any remaining compliance gaps. More often than not, this process streamlines risk mitigation, compliance, and audits alike.
While regulations and standards must go through a notice-and-comment period, cybercriminals update their methods continuously. To maintain data integrity, confidentiality, and availability, FIs therefore need to continuously monitor the effectiveness of their controls. This includes continuously monitoring third-party business partners to ensure they keep pace with the constantly changing cyber environment.
Although it sounds fatalistic, cybersecurity professionals increasingly believe that data breaches have moved from “if” to “when.” Given the vast amount of information FIs gather and their potential impact on global economies, cyber risk insurance is no longer a luxury. Protecting against the inevitable and transferring the financial risk may be the only way to ensure liquidity.
As an end-to-end cybersecurity solution, Zeguro starts by working with FIs to create a risk analysis, suggests mitigating controls, provides plain-language policy templates, enables monitoring, and directs customers toward a cyber insurance policy that meets their needs.
Start protecting your financial institution by contacting us for an insurance quote today.