Cybersecurity in financial services

Cyber Security

February 13, 2019

Karen Walsh

The financial services industry is especially vulnerable to cyber attacks. ATM card skimming, banking Trojans and botnets that harvest web application logins, denial-of-service attacks, and vendor management failures plague financial services organizations regardless of size. Because banks and nonbank financial institutions (NBFIs) form the foundation on which global economic systems sit, attackers increasingly target them, and a successful large-scale attack could trigger the next international financial crisis.

What are financial institutions?

Today, financial institutions (FIs) encompass more than just “banks.” Commercial and investment banks may be the most obvious examples, but insurance companies, brokerages, and investment companies all fall under the definition. Nonbank financial institutions, many of which face oversight comparable to that of traditional banks, include savings and loan associations, credit unions, shadow banks, and fintech firms.

What is the state of cybersecurity for financial institutions?

Many FIs rely on shared core platforms for communications, payments, and account reconciliation. Because these platforms are vendors to hundreds of FIs at once, a single weakness in one of them can affect all of its customers in one attack. For example, a 2018 coding flaw in a Fiserv alerting platform let a security researcher change the numeric identifier embedded in his own consumer alerts and thereby view other customers' alerts. That kind of data leakage is exactly what a malicious actor seeking financial information would exploit. Similarly, an International Monetary Fund working paper detailed five international cyber attacks against the SWIFT network between October 2017 and January 2018. Because SWIFT carries fund transfers between banks, it is a prime target.
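The Fiserv flaw above is an instance of a broader class: a server selects a record by a client-supplied identifier without checking that the requester owns it. The Python below is an added, constructed illustration of that class and its fix; it is not Fiserv's code, and the alert store, customer IDs, and handler names are invented for the example. The vulnerable and hardened handlers sit side by side, and a small enumeration routine replays the researcher's test against each.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Alert:
    event_id: int
    customer_id: str
    message: str  # in a real system: e-mail, phone, partial account number


# Constructed sample data (not real customer records). Event IDs are sequential,
# as they often are in notification systems, so a neighbour is trivial to guess.
ALERTS = {
    1001: Alert(1001, "cust-A", "Balance alert for ...4417 sent to a@example.com"),
    1002: Alert(1002, "cust-B", "Low balance on ...9920, SMS to +1-555-0100"),
    1003: Alert(1003, "cust-A", "Large withdrawal on ...4417"),
}


class Forbidden(Exception):
    """Raised by the fixed handler for IDs the caller may not see."""


def get_alert_vulnerable(session_customer: str, event_id: int) -> Optional[Alert]:
    # Hypothetical handler: trusts the identifier from the request and never
    # consults the session, so any authenticated customer can read any other
    # customer's alert by changing the number (an insecure direct object reference).
    return ALERTS.get(event_id)


def get_alert_fixed(session_customer: str, event_id: int) -> Alert:
    # Hypothetical hardened handler: the identifier is still client-supplied, but
    # ownership is re-derived from the authenticated session rather than trusted.
    # Unknown and foreign IDs get the same response, so the endpoint also cannot
    # be used to enumerate which IDs exist.
    alert = ALERTS.get(event_id)
    if alert is None or alert.customer_id != session_customer:
        raise Forbidden("no such alert")
    return alert


def fixed_allows(session_customer: str, event_id: int) -> bool:
    """True if the hardened handler returns the alert to this session."""
    try:
        get_alert_fixed(session_customer, event_id)
        return True
    except Forbidden:
        return False


def enumerate_leaked(session_customer: str,
                     handler: Callable[[str, int], Optional[Alert]],
                     start: int, count: int) -> List[int]:
    """Replays the researcher's test against a handler: walk neighbouring IDs
    from the caller's own session and collect the IDs of alerts that belong to
    someone else."""
    leaked = []
    for eid in range(start, start + count):
        try:
            alert = handler(session_customer, eid)
        except Forbidden:
            continue
        if alert is not None and alert.customer_id != session_customer:
            leaked.append(eid)
    return leaked


if __name__ == "__main__":
    # cust-A walks IDs 1000..1004 using only its own session.
    print("vulnerable handler leaks:", enumerate_leaked("cust-A", get_alert_vulnerable, 1000, 5))
    print("fixed handler leaks:", enumerate_leaked("cust-A", get_alert_fixed, 1000, 5))
```

The fix is not to hide or randomize the identifier (that only slows enumeration) but to make the server decide ownership from the session on every lookup. Returning the same error for missing and foreign records is deliberate: a distinguishable "forbidden" response would still confirm which IDs exist.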

These large core platforms represent only two of the issues facing FIs. Others include cybercriminals denying customers access to their accounts through DDoS attacks, or planting malware that captures users' login credentials when they sign in.

What damage could a cyber attack do?

It’s easy to start with the risks to the individual institution. A data breach has the same consequences for a financial institution as for any other organization: breach costs, lawsuits, record reconstruction, and customer churn.

These alone would be enough to warrant stronger information security controls. However, in the famous words of late-night infomercials, “but wait! That’s not all!”

Analysts continually point to the way a large-scale attack could undermine global economic security. A cyberattack against a single international platform such as SWIFT or Fiserv could lead to the next financial crisis. Crashing worldwide ATM and payment infrastructure would leave consumers unable to access cash or use debit and credit cards. Even if the panic subsided quickly, the security concerns and loss of trust in FIs would linger.

These attacks don’t need to start with megabanks, either. Since FIs of all sizes connect to the same core platforms, a small community bank or credit union can be ground zero for an attack. Weak security at one member of the supply chain threatens everyone connected to the system. These platforms carry the weaknesses inherent in any shared cloud service: a single web application compromised with malware can become a path to any server, network, or application connected to the platform.

What to learn from the New York Department of Financial Services Cybersecurity Rule

Even if an FI is located outside New York, the NY DFS Cybersecurity Rule (23 NYCRR Part 500) offers insight into where information security regulatory requirements are heading. Many of its requirements mirror those in federal examination guidance such as the FFIEC and FDIC manuals, but the NY DFS rule addresses cybersecurity and data breach risk specifically.

The regulation’s basic requirements include:

  • Establishing a cybersecurity program
  • Adopting a cybersecurity policy
  • Assigning a chief information security officer
  • Creating a vendor management program

The regulation also includes several more specific sections. Most relevant to small and mid-sized FIs are the following:

  • 500.05: conduct penetration testing and vulnerability assessments (or effective continuous monitoring in their place)
  • 500.06: maintain an audit trail
  • 500.07: limit access privileges to what each role requires
  • 500.08: review application security practices
  • 500.10 and 500.14: keep the workforce updated and trained in cybersecurity
  • 500.12: use multi-factor authentication
  • 500.15: encrypt nonpublic information at rest and in transit
  • 500.16: establish an incident response plan and process

What are the best practices for data security in financial services?

As with most organizations, a security-first approach yields better data protection as well as stronger audit outcomes. Within the heavily regulated financial services industry, however, audits are less about maintaining customer confidence and more about being permitted to continue business operations.

Establish a Risk Management Program

Starting from the institution’s business objectives, FIs need to create an enterprise risk management (ERM) program. ERM alone, however, may not cover every aspect of the business model. FIs should therefore look beyond enterprise-level risk to the full range of Software-as-a-Service, Infrastructure-as-a-Service, and Platform-as-a-Service vendors they depend on, and incorporate integrated risk management focused directly on those implementations to mitigate the risks that new technologies introduce.

Create Risk-Mitigating Security Controls

Most cybersecurity regulations start by requiring a risk analysis so that organizations can choose the controls that best fit their needs. Although FIs live in an audit-based world, the old methodology of working down a checklist does not apply to cybersecurity. With a security-first approach, FIs begin with controls and then review their control environment to fill any remaining compliance gaps. More often than not, this process streamlines risk mitigation, compliance, and audits alike.

Monitor Continuously

While regulations and standards must go through a notice-and-comment period, cybercriminals update their methods continuously. To maintain data confidentiality, integrity, and availability, FIs therefore need to monitor their control effectiveness continuously. That includes monitoring third-party business partners to ensure they keep pace with the constantly changing threat environment.

Insure Against Potential Losses

Although it sounds fatalistic, cybersecurity professionals increasingly treat data breaches as a matter of “when,” not “if.” Given the vast amount of information FIs gather and their potential impact on global economies, cyber risk insurance is no longer a luxury. Protecting against the inevitable by transferring the financial risk may be the only way to ensure liquidity after an incident.

How Zeguro Enables Financial Institutions

As an end-to-end cybersecurity solution, Zeguro starts by working with FIs to create a risk analysis, suggests mitigating controls, provides plain-language policy templates, enables monitoring, and directs customers toward a cyber insurance policy that meets their needs.

Start protecting your financial institution by contacting us for an insurance quote today.