Cybersecurity is already one of the top risks facing financial institutions, thanks to rapid developments in Information and Communications Technology (ICT) and the sector's exposure to cyberattacks. What is cybersecurity, and which regulatory frameworks exist for controlling cybersecurity risks?
Robert Tappan Morris is a name well known in computer history. His academic career includes a Ph.D. in Applied Sciences from Harvard University and an assistant professorship at MIT, where he was later awarded tenure, and he co-founded the start-ups Viaweb (later renamed Yahoo! Store) and Y Combinator. However, his infamy preceded any of these success stories: in 1988 he wrote and released the Morris worm, a self-replicating program that crippled an estimated 10% of the roughly 60,000 machines then connected to the Internet, including systems at NASA and at several universities, and brought him a conviction, three years of probation, 400 hours of community service, and a fine of $10,050.
Today, Robert T. Morris is often credited with having kick-started the cybersecurity industry, an industry valued at $176.5 billion in 2020 and forecast to be worth $403 billion by 2027. More than three decades after the Morris worm was released (from an MIT computer, by a Cornell graduate student), protective measures, both technological tools and regulatory frameworks, have advanced considerably, yet the tactics and skills of cybercriminals have grown equally sophisticated. IBM's 2020 Cost of a Data Breach analysis found that it takes organisations an average of 280 days to identify and contain a breach, at an average cost of $3.86 million.
Although no industry is safe from cyber adversaries, financial institutions are more exposed to such risks because of the nature of their activities. Put simply, banks, funds, and other financial entities are where the money is. Profit-driven cybercriminals attack these institutions to gain through theft, fraud, and other avenues, while nation-states and ideologically motivated hacktivists target them mainly for political leverage. Read on to find out about the major cyber threats facing financial institutions, as well as the existing legal instruments for managing these risks.
Six Common Cyber Threats
Hackers monetize their skills in increasingly elaborate ways, particularly by taking advantage of work-from-home arrangements, cloud services, and remote access. Major threats include:
- Malware – malicious software in its many forms, such as Trojans, viruses, and worms, typically delivered as attachments or downloads, that provides unauthorized access to a computer or interferes with its operation. With the rapid growth of fintech, mobile malware variants appear more frequently and increasingly run 'fileless', in memory, leaving little on disk for traditional antivirus to scan. Such attacks may target small banks as 'entry points' to larger financial institutions, exploiting the complex web of relationships in financial markets. Asia has the highest rates of online banking adoption and, not surprisingly, also the highest rates of cybercrime involving mobile banking Trojans.
- Ransomware – malware that encrypts data or locks systems and demands payment for restoring access; increasingly, attackers also exfiltrate sensitive data first and threaten to publish or destroy it unless the ransom is paid (so-called double extortion). The financial sector has been increasingly plagued by ransomware as cybercriminals have moved to target market-sensitive information such as long-term portfolio strategy and undisclosed merger or acquisition plans.
- Distributed denial-of-service (DDoS) – flooding a system with traffic or requests from many coordinated sources until it is overloaded and unavailable to legitimate users. The financial sector, especially the banking, insurance, and financial services subsectors, was the most targeted by DDoS attacks in 2021, attracting 25% of all attacks of this kind.
- Phishing – social engineering that tricks users into voluntarily handing over sensitive or confidential data (e.g. bank account details or login credentials) in response to messages that appear to come from legitimate sources. As with DDoS and other cybercrimes, the financial sector is the most heavily targeted by this type of attack, which accounts for 41% of all incidents.
- Insider attacks – probably the hardest type of cybercrime to detect, since it is carried out by a current or former employee, contractor, or partner who has, or had, legitimate access to the firm's systems. The average annual cost of insider threats was highest for the financial services sector, at $14.5 million in 2020.
- Advanced persistent threats (APTs) – intrusions in which an attacker remains undetected for a prolonged period while stealing confidential or sensitive data and avoiding triggering countermeasures. According to the European Union Agency for Cybersecurity (ENISA), APT groups were behind roughly half of the supply chain attacks it analysed in 2020.
Key Regulatory Frameworks
Returning to the case of the Morris worm, Robert T. Morris was the first person convicted under the Computer Fraud and Abuse Act of 1986. Today, technology is more advanced and financial markets are more interconnected than ever, and cyberattacks have evolved accordingly, not necessarily in number but in scale and complexity. Consequently, new laws and regulations have emerged that directly or indirectly govern how businesses manage cybersecurity.
Different countries have different laws, regulations, and standards related to cybersecurity. Two of the best-known standards in the field are the National Institute of Standards and Technology (NIST) Cybersecurity Framework and ISO/IEC 27001. The former was developed for organisations in the US (originally for critical infrastructure) but is used worldwide; the latter is an international standard specifying the requirements for an information security management system, against which an organisation can be certified. Both help organisations of any type identify and manage cybersecurity risks. Although adoption of these frameworks is voluntary, they help businesses protect assets such as financial information, employee or third-party details, and intellectual property.
Perhaps the best-known regulation bearing on cybersecurity is the General Data Protection Regulation (GDPR) of the European Union (EU). The GDPR applies to any organisation, inside or outside the EU, that processes the personal data of individuals in the Union, and its purpose is to protect that data. It requires controllers and processors to implement appropriate technical and organisational security measures and to notify the supervisory authority of personal data breaches within 72 hours, it encourages member states to establish data protection certification mechanisms, and it defines penalties for violations of up to €20 million or 4% of worldwide annual turnover, whichever is higher. Moreover, the definition of personal data under the regulation is wider than in several national frameworks: it covers location data, IP addresses, and cookie identifiers, as well as special categories such as biometric data, racial or ethnic origin, political opinions, and sexual orientation.
Cybersecurity is an ever-evolving field, and one of particular relevance for financial institutions. Although legislation has lagged behind technological developments, more legal and regulatory instruments are likely to emerge to help businesses manage cyber-risks. Meanwhile, banks and other financial institutions not only need to invest in compliance with this legislation but should also focus on the education and awareness of clients and employees in order to respond adequately to growing cybersecurity risks.