In this post, we explain key cybersecurity risks in financial services. We also cover the main regulatory requirements and standards applied in different parts of the world.
Financial Services Risks and Cybersecurity Concerns
Although cybersecurity threats are countless and growing every day, IT specialists group most of them into a few defined categories. Here are the most dangerous threat sources and attack vectors.
Phishing attacks
Phishing is one of the oldest cyberattack techniques, but it is still relevant, effective, and widely used. Phishing involves composing a fraudulent email that looks legitimate, for example one that appears to come from a representative of a bank’s support team. The bad actor registers a plausible sender address and copies the official style and layout of the real bank’s emails. The attacker adds a malicious link or attachment that the tricked recipient is expected to open or download. The user’s inattention opens a backdoor that the attacker can use to bypass the organization’s perimeter defenses and continue the attack inside the IT infrastructure.
Bots
A bot is a piece of malicious software that an attacker directs to, for instance, infiltrate the account of a financial organization’s staff member or client. Bad actors can activate botnets (networks of previously compromised machines) to strike well-protected organizations and to hide the source of the attack. Typical bot-initiated activities:
- Spam
- Credential stuffing
- DoS or DDoS attacks
- Vulnerability scanning
- Click fraud
- Traffic monitoring
Ransomware
In 2022, ransomware is among the best-known and most dangerous threats. Any organization or individual connected to the web can become the target of a ransomware attack. However, financial organizations experience ransomware attack attempts more frequently than most other industries. Ransomware creators regularly develop and improve their malware strains to stay ahead of known cybersecurity solutions. Given the frequency of attacks, a successful ransomware infiltration of a particular organization’s systems is only a matter of time. To protect sensitive data from modification or deletion, consider using NAKIVO protection against ransomware attacks.
Insider threats
When picturing a typical bad actor in an organization’s IT environment, both security specialists and ordinary employees think of a person from the outside. However, a tired or disgruntled employee can cause even more damage. A careless person clicking a suspicious web link, or an IT admin who is about to be fired, is unpredictable and therefore a more dangerous cybersecurity threat.
Supply chain vulnerabilities
Another name for this category of cybersecurity risk in financial services is “third-party weaknesses”. These vulnerabilities originate in the variety of partner software integrated into an organization’s environment. Along with new functions, improvements and possibilities for employees and clients, every integrated solution brings additional security issues that bad actors can use to conduct an attack.
Cyber Security Regulations for Banks and Financial Institutions
The development of online solutions and the growing threat of cyberattacks have made it necessary to establish regulatory requirements for cybersecurity in financial services. Most of the main regulations are mandatory. Here is a list of important financial regulations and standards for data protection and cybersecurity worldwide.
GDPR
Mandatory: Yes
Countries impacted: Global (any organization that processes personal data of citizens of the European Union and the United Kingdom)
The General Data Protection Regulation (GDPR) is one of the cybersecurity regulations for financial services applied to protect the citizens of the EU and the UK from compromises of their personal data. The framework sets specific guidelines for organizations that control and process the personal data of clients, so that the data remains protected throughout its entire lifecycle. After leaving the European Union, the UK government adjusted the framework to align it with the United Kingdom’s domestic law. The GDPR requirements are obligatory for any organization collecting or processing personal data of EU and UK citizens.
ISO/IEC 27001
Mandatory: No
Countries impacted: International standard
ISO/IEC 27001, the internationally accepted standard for risk reduction and the protection of IT systems, brings together specific security policies and workflows. This standard can guide organizations in strengthening their data protection. Although compliance with ISO/IEC 27001 is not mandatory, financial organizations that want to increase and demonstrate the resilience of their IT infrastructure to cyberattacks should obtain the certification.
NIST
Mandatory: Yes, for US federal entities and their contractors
Countries impacted: International standard
The National Institute of Standards and Technology (NIST) is the US equivalent of the ISO (International Organization for Standardization). NIST defines security standards and cybersecurity compliance requirements in NIST Special Publication 800-53. The original NIST 800-53 revision applied only to federal and government entities. However, revision 5 of the publication also addresses non-governmental entities and contractors. The latest revision focuses on data protection more than previous ones. Additionally, revision 5 contains a unified set of controls intended to reconcile multiple regulatory requirements with each other.
SOX
Mandatory: Yes, for all public companies
Countries impacted: United States
The Sarbanes-Oxley (SOX) Act was passed in the US in 2002. The main focus of this regulatory framework is to protect investors from financial fraud and scam schemes. SOX describes best practices and a system of internal checks for preventing and detecting fraudulent transactions. The framework has evolved along with the financial sector. Recently, cybersecurity recommendations were added to SOX. It now helps ensure that organizations can counter cyber threats that could disrupt financial activities. Moreover, SOX now supports the implementation of security controls in IT environments that store sensitive financial data.
PCI DSS
Mandatory: Yes
Countries impacted: International standard
The Payment Card Industry Data Security Standard (PCI DSS) includes guidelines to protect the personal data of cardholders and to reduce fraud resulting from credit card compromise. Its controls protect cardholder data at three stages: processing, storage, and transmission.
PSD 2
Mandatory: Yes
Countries impacted: European Union members
Part of PCI DSS, the Payment Services Directive 2 (PSD2) was designed to support competition between banks in the EU. The directive includes requirements for securing online transactions, adding extra layers of personal data protection, and enforcing multi-factor authentication.
BSA
Mandatory: Yes
Countries impacted: United States
The Bank Secrecy Act (also known as the Currency and Foreign Transactions Reporting Act) is designed to prevent money laundering. The set of regulations addresses both willful and coerced illegal activity. Simply put, organizations complying with the BSA join the federal government in the fight against financial crime. Specifically, national banks under the BSA help control financial flows, reducing money laundering and the financing of terrorism by notifying law enforcement agencies about suspicious financial activities.
GLBA
Mandatory: Yes
Countries impacted: United States
The Gramm-Leach-Bliley Act (GLBA) sets requirements for the protection of client data in financial organizations. In addition, organizations must inform clients about all practices involving the collection or sharing of their personal data. This US law obliges organizations to protect customer data from cyber threats such as unauthorized access or manipulation.
FINRA
Mandatory: Yes
Countries impacted: United States
The Financial Industry Regulatory Authority (FINRA) has introduced rules to prevent the compromise of customer data. Additionally, FINRA establishes controls that enable the detection of cyber threats and help mitigate the consequences of successful attacks.
Conclusion
Cyber threats are evolving and posing new challenges for cybersecurity in financial services every day. The main sources of danger for banks and other organizations in the industry are:
- Phishing attacks
- Bots
- Ransomware
- Insider threats
- Supply chain vulnerabilities
In response to the growing threat of personal data manipulation, corruption or theft, government bodies worldwide introduce and improve data security standards and regulations. The most important mandatory documents are:
- GDPR (global)
- NIST (US federal entities and contractors)
- SOX (USA)
- PCI DSS (international)
- PSD 2 (EU)
- BSA (USA)
- GLBA (USA)
- FINRA (USA)
ISO/IEC 27001 is a non-mandatory but still important and widely accepted standard. Likewise, NIST requirements are voluntary for non-federal organizations in the United States. Complying with regulatory requirements does more than protect organizations from legal penalties and fines. Following these regulatory frameworks increases the resilience of IT infrastructures and helps financial institutions protect important data, such as financial reports or the personally identifiable information of their clients.