By Libero Marconi, Director with Alvarez & Marsal, and Vishal Pandey, Senior Director with Alvarez & Marsal’s
As the financial sector grows increasingly digitised, both cyber and data risks have developed in tandem, with the need to proactively combat such threats becoming paramount for financial institutions.
The adoption of cloud computing technology by financial institutions, alongside the outsourcing of key tasks supporting the digital banking service delivery to third party vendors, is allowing them to streamline operations and work seamlessly across borders. On the flip side, the migration opens up said firms to increased, and rapidly evolving, risk of cyberattacks and data breaches, as well as the reputational damage these bring about.
On top of this, the advent of digital banking has meant that customers themselves are increasingly at risk of being duped or defrauded, most commonly through phishing and malware. The latest data released by the Financial Crimes Enforcement Network, for example, shows that the number of ransomware-related transactions flagged by US banks increased by more than 100% from 2020 to 2021.
Regulators are fast attempting to address the trade-off between innovation and cybersecurity, issuing new rules and guidance to ensure firms are best prepared to fend off any unwelcome attacks.
But what are the risks exactly and how are they being addressed?
Third parties and the cloud
While mass migration to the cloud has been pronounced among financial services institutions in recent years, it has not always been seamless. Existing infrastructure and capabilities may limit a firm’s ability to detect and address new risks and vulnerabilities, yet firms commonly move applications and infrastructure to the cloud without adequate planning – especially as it relates to cybersecurity and data access controls.
One issue commonly seen is that legacy infrastructure with physical firewalls and existing network segmentation/design may not readily adapt to, or fit within, the targeted cloud architecture. Controls that do not translate to the new environment leave gaps and vulnerabilities in the firm’s cybersecurity posture.
Security controls are implemented differently in the cloud because of the tools that are native to each cloud provider’s environment and the fact that cloud providers typically take responsibility for the security of the lower-level infrastructure layers. The shared-security responsibility between cloud providers and the clients they host changes how organizations should anticipate and prepare for security risks.
Dependence on a single cloud vendor can also increase cyber risk significantly for financial institutions. New York’s Federal Reserve has previously warned about a “transmission of a shock throughout the network” in the event financial services are connected through a “shared vulnerability”. Meanwhile, the Bank for International Settlements said in July that the financial sector’s growing fondness for cloud computing was “forming single points of failure” and “creating new forms of concentration risk at the technology services level”.
If successful, an operation carried out by a cybercriminal on a commonly used vendor can go undetected, especially if the responsibility model between the cloud service provider and the organization is not clearly and comprehensively understood. To avoid this, institutions should ideally develop an IT security and risk program for their cloud usage that spans both people and processes.
Cybercriminals are now capitalizing on the increasingly interconnected financial system and turning to so-called “island hopping” attacks to reach their targets. Such attacks are hacking campaigns that target an organization’s more vulnerable third-party vendors to circumvent the target company’s defenses and gain access to their network…
This can be mitigated by institutions developing a comprehensive third-party vendor management program, and appointing key personnel with dedicated roles and responsibilities to manage vendors and associated cybersecurity risks.
Allocating clear reporting chains and accountability can also go a long way, as will ensuring that important areas are in place, such as classifying and optimizing vendor portfolios, formalizing plans before onboarding vendors, securely managing transitions to support changes, and effectively terminating relationships with vendors.
Ensuring that contracts, vendor performance, and vendor relationships are managed and closely monitored is also key for firms. They should aim to improve their third-party vendor management programs by conducting rolling reviews.
Regulators have chimed in on the issue as the risk has compounded in recent years. In recent months, the Bank of England conducted a survey of executives in the UK financial sector, finding that some 74% of respondents considered a cyberattack to be the highest risk to the financial sector in both the short and long term, with inflation or a geopolitical incident trailing behind.
The BoE’s Prudential Regulation Authority is also investigating concentration risk of cloud provision and whether this presents a systemic risk to the financial sector, which is likely to affect both providers and customers.
It said that while it recognizes the potential benefits of services provided by third parties, their failure, or severe disruption to their material services, could pose risks to individual firms, to financial market infrastructure firms and even to the UK’s wider financial stability. The regulator is also asking for input on the role of big tech in the financial sector.
Additionally, the advent of digital banking has meant that users are increasingly at risk of being duped, most commonly through phishing attacks. Hackers often contact bank customers posing as bank representatives with the underlying aim of stealing login credentials, credit card or financial information, and sensitive personally identifiable information, among other sensitive data.
This is made all the more difficult because steps that seem rational and routine to bank staff may not align with consumer behavior – victims often don’t see warnings, or they do but deem them irrelevant.
Such attacks have proven very successful, owing to the carefully crafted attack messages and the seemingly authentic appearance of these communications, which make them difficult to detect. New techniques have also emerged: “whaling” is a process whereby emails are sent targeting chief executives, while “spear-phishing” is another electronic communications attack vector targeted towards a specific individual, organization, or business.
Digital banking services providers can counter such attacks by employing data analytics and machine learning to detect fraud, and appropriately escalating and responding to such incidents in accordance with a documented response plan and playbook. Additionally, they can educate customers on good digital practices, use customer behavior profiles to pick up on unusual behavior, and implement multi-factor authentication.
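The customer behavior profiling and escalation described above, as an added illustration rather than code from the article or from Alvarez & Marsal: each customer’s past sessions are aggregated into a baseline (usual login hours, countries, device fingerprints, largest transfer), a new session is scored against that baseline, and the number of anomaly signals decides whether the session is allowed, challenged with step-up multi-factor authentication, or held for review under the documented playbook. The login history, the four signals, the thresholds (a two-hour window, a 3x amount factor) and the escalation policy are all assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    customer: str
    hour: int       # local hour of day, 0-23
    country: str    # country code resolved from the client IP
    device: str     # stable device fingerprint id
    amount: float   # largest transfer attempted in the session, 0.0 if none


# Constructed sample history (not real data): eight ordinary sessions for one customer.
HISTORY = [
    LoginEvent("alice", 9, "GB", "ios-a1", 50.0),
    LoginEvent("alice", 10, "GB", "ios-a1", 120.0),
    LoginEvent("alice", 9, "GB", "ios-a1", 80.0),
    LoginEvent("alice", 11, "GB", "ios-a1", 200.0),
    LoginEvent("alice", 10, "GB", "ios-a1", 40.0),
    LoginEvent("alice", 9, "GB", "ios-a1", 150.0),
    LoginEvent("alice", 12, "GB", "ios-a1", 60.0),
    LoginEvent("alice", 10, "GB", "ios-a1", 90.0),
]


def build_profiles(events):
    """Aggregate each customer's past sessions into a simple behaviour profile."""
    profiles = defaultdict(lambda: {"hours": Counter(), "countries": Counter(),
                                    "devices": Counter(), "max_amount": 0.0})
    for e in events:
        p = profiles[e.customer]
        p["hours"][e.hour] += 1
        p["countries"][e.country] += 1
        p["devices"][e.device] += 1
        p["max_amount"] = max(p["max_amount"], e.amount)
    return profiles


def anomaly_reasons(profile, event, hour_window=2, amount_factor=3.0):
    """Return the ways this session departs from the customer's profile (assumed signals)."""
    reasons = []
    # Logins within +/- hour_window hours of the event, wrapping around midnight.
    nearby = sum(profile["hours"][(event.hour + d) % 24]
                 for d in range(-hour_window, hour_window + 1))
    if nearby == 0:
        reasons.append("unusual_hour")
    if event.country not in profile["countries"]:
        reasons.append("new_country")
    if event.device not in profile["devices"]:
        reasons.append("new_device")
    if profile["max_amount"] > 0 and event.amount > amount_factor * profile["max_amount"]:
        reasons.append("amount_outlier")
    return reasons


def decide(reasons):
    """Assumed escalation policy: a clean session passes, one signal triggers step-up MFA,
    two or more hold the session and escalate it under the response playbook."""
    if not reasons:
        return "allow"
    if len(reasons) == 1:
        return "step_up_mfa"
    return "hold_and_escalate"


def evaluate(profiles, event):
    """Score one session against the stored profiles and return (decision, reasons)."""
    profile = profiles.get(event.customer)
    if profile is None:
        # No baseline yet for this customer: challenge rather than guess.
        return "step_up_mfa", ["no_profile"]
    reasons = anomaly_reasons(profile, event)
    return decide(reasons), reasons


PROFILES = build_profiles(HISTORY)

if __name__ == "__main__":
    for ev in (LoginEvent("alice", 10, "GB", "ios-a1", 100.0),
               LoginEvent("alice", 3, "RO", "win-z9", 2000.0),
               LoginEvent("alice", 10, "GB", "android-b2", 90.0)):
        print(ev, "->", evaluate(PROFILES, ev))
```

A single new device is a common, legitimate event (a phone upgrade), which is why the policy answers it with a challenge rather than a block; the combination of an unusual hour, a new country, a new device and an outsized transfer is what warrants holding the session and handing it to the fraud team.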
Malware-related attacks involve malicious software injected into endpoint or mobile devices, servers, or networks. Malware – for those not familiar with the term – can come in the form of worms, viruses, spyware, ransomware, etc. According to recent research, the number of known malware attacks crept up by 11% in the first half of 2022 to 2.8 billion, with the financial sector being actively targeted.
In the event an end user’s (e.g. a bank employee’s or trusted third party’s) device is compromised with malware, it could pose a threat to a bank’s digital network if that device then connects within the organization’s network. From a customer perspective, if a customer carries out an online transaction using an infected device or system, the malware may steal the user’s credentials and contribute to fraudulent activity.
Protecting digital banking systems and infrastructure from malware can begin with using runtime application self-protection solutions, strong antivirus and Endpoint Detection and Response (EDR) software, alongside multi-factor authentication and behavioral analysis to help protect the user even if a successful attack has exfiltrated sensitive credentials.
In one of the most significant regulatory moves this year, the European Union reached provisional agreement on the new Digital Operational Resilience Act (DORA) in May. This regulation is specifically tilted toward the banking and financial services industry, and aims to strengthen the security of institutions by imposing resilience requirements and regulating financial institutions’ contractual relationships with their suppliers.
However, the regulation extends far beyond the EU and its financial sector by virtue of its aims. DORA’s uniform requirements for the security of network and information systems also address critical third-party vendors providing information and communications technology related services to the financial sector, such as cloud platforms and data analytics.
More broadly, members of the European Parliament recently approved rules requiring EU member states to comply with tighter supervisory and enforcement measures and harmonize their sanctions. The legislation sets out tighter cybersecurity obligations for risk management, reporting obligations, and information sharing.
Operational resilience has also been a major focus in UK financial services for some time, and it is likely that the UK will legislate its own version of DORA in the next year.
In the United States, two significant regulations have come about in 2022 that look to address the issue. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law in March this year and calls on critical infrastructure companies – including financial services – to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).
The Securities and Exchange Commission (SEC) also proposed a rule that same month that would require publicly-listed companies to begin reporting their cybersecurity capabilities and their board’s cybersecurity expertise, as well as any cybersecurity breaches, to the SEC within stipulated timeframes.
It is clear that financial institutions face unprecedented challenges as their embrace of digital solutions continues to move at a fast pace – something that regulators have recognized and are addressing by establishing rules and guidance accordingly. However, in order to minimize risk and disruption, firms must implement well-defined and planned security controls when migrating to cloud solutions and infrastructure – and should vet the critical third-parties that they outsource sensitive functions to. Alerting and educating customers and employees as it relates to good digital banking practice and awareness is also a key tenet of the battle against cyber risk.
Cyber Risk and the US Financial System: A Pre-Mortem Analysis – Federal Reserve Bank of New York (newyorkfed.org)
Big tech interdependencies – a key policy blind spot (bis.org)
Systemic Risk Survey Results – 2022 H2 | Bank of England
DP3/22 – Operational resilience: Critical third parties to the UK financial sector | Bank of England
Mid-Year Update to the 2022 SonicWall Cyber Threat Report | Threat Intelligence