
11 biggest financial sector cybersecurity threats – Source: www.csoonline.com

Banks, investment, and insurance firms can expect ransomware, DDoS, compliance, and AI to be their top risks.

The financial sector faces a wide array of serious security threats that will only increase as cybercriminals make greater use of AI.

Financial sector firms are uniquely exposed to cyber risk due to the large amounts of sensitive data and transactions they process. Common cyber risks across the sector include phishing, ransomware, data breaches, denial-of-service attacks, and advanced persistent threats.

The shift to hybrid work models, the increasing adoption of cloud computing, and the emergence of novel threats against legacy cryptography heap further pressure on hard-pressed financial sector CISOs — who already face the burden of achieving compliance with numerous laws, regulations, and standards governing the sector.

Following are the most significant cyber threats financial companies face today.

1. Ransomware

Two-thirds (65%) of financial institutions worldwide reported ransomware attacks in 2024, a sharp rise from 34% in 2021, according to Statista. The average ransom demand is US$4.2 million, according to recent research by cybersecurity reviews website Comparitech, which found the average ransom paid out was even higher, at US$7.4 million.

Comparitech identified a total of 395 individual ransomware attacks on financial organizations over recent years with peaks in 2023 (105) and 2021 (104).

“Organizations need to be mindful that paying a ransom might return access to systems but doesn’t remove attacker access or necessarily prevent them selling the data they’ve successfully targeted,” warns David Higgins, senior director of the field technology office at identity management vendor CyberArk.

More generally, malware attacks against finance sector firms doubled last year, according to network security vendor SonicWall.

2. Phishing and social engineering

The financial services industry is also a prime target for brand impersonation attacks due to its vast amounts of sensitive data, such as banking credentials and personally identifiable information (PII).

Two-thirds (68%) of identified phishing pages from August 2023 through July 2024 targeted financial institutions and their customers, according to a recent report by cybersecurity and content delivery vendor Akamai.

Information obtained via counterfeit banking sites allows cybercriminals to either loot online accounts or sell stolen banking credentials through underground marketplaces.

Credentials for e-wallets and cryptocurrency accounts can be sold on the dark web for anywhere from US$120 to US$400. The high payoff of such schemes makes financial services prime targets of both brand abuse and phishing attacks.

Introducing stronger identity verification and multifactor authentication (MFA) can reduce exposure to phishing attacks. Introducing technologies to guard against email fraud and spoofing is also beneficial.

“Organizations should deploy email authentication protocols such as Domain-based Message Authentication, Reporting & Conformance [DMARC] protection to prevent cybercriminals from spoofing their identity and reduce the risk of email fraud associated with their brand,” advises Matt Cooke, cybersecurity strategist at email security experts Proofpoint.

3. Distributed denial of service (DDoS)

Financial organizations rely on high availability, so DDoS attacks pose a severe threat.

The finance industry faces significant threats from hacktivist groups who target financial institutions — perceived as symbols of economic power — with DDoS attacks to advance political or social agendas, creating inconvenience and financial loss while drawing public attention to their causes.

DDoS attacks are often driven by geopolitical tensions, including the Israel-Hamas conflict and the war in Ukraine. For example, a recent politically motivated DDoS attack in July targeted a major financial services company in Israel, originating from a globally distributed botnet, and lasted nearly 24 hours, peaking at 798Gbps.

The global financial services industry was more frequently targeted by DDoS attacks than any other business sector in the first half of 2024, according to Akamai.

The issue is far from limited to conflict zones.

In the first half of 2024, insurance agencies and brokerages were among the top 10 most targeted sectors by cybercriminals in EMEA, according to network performance management vendor NetScout.

“Critical infrastructure sectors, particularly banking and financial services, have experienced a 55% increase in DDoS attack activity over the last four years,” Richard Hummel, threat intelligence lead for NetScout, tells CSO.

4. Advanced persistent threats (APTs)

Financial institutions are frequently targeted by state-sponsored attackers, mostly backed by North Korea or Iran, and by other APT attackers who seek to steal funds, manipulate the financial system, or gain intelligence.

“APT groups will continue to use sophisticated tactics, including living-off-the-land (LotL) techniques, to remain undetected,” threat intel firm ReliaQuest warns. “Securing sensitive digital assets and enhancing transaction security are critical for the sector.”

North Korean state-sponsored actors, such as Lazarus, are well known for monetizing cyberattacks, most notoriously through the February 2016 cyber heist targeting a Federal Reserve Bank of New York account belonging to Bangladesh Bank. More recently, North Korean cyberspies have targeted cryptocurrency exchanges and wallets to steal or launder cryptocurrency.

5. Insider threats

Insider threats, often exacerbated by overprivileged access and embedded secrets, are a prominent risk in financial organizations.

A disgruntled or mendacious employee with privileged access to systems and data can cause a great deal of harm. “In the finance industry, insider threats can lead to data breaches, fraud, or theft of sensitive financial information,” security vendor SentinelOne warns.

The risk can be mitigated in part by managing access controls and ensuring sensitive information is accessible only to authorized personnel.

6. Security debt

Flaws that remain unfixed for longer than a year exist in 76% of organizations in the financial services sector, with 50% of organizations carrying critical security debt, according to recent research by application risk management vendor Veracode.

Veracode researchers found 40% of all applications in the financial sector have security debt, marginally better than a cross-industry average of 42%. Only 5.5% of financial sector applications are flaw free.

The majority (84%) of all security debt affects first-party code, but the majority (78%) of critical security debt comes from third-party dependencies. Researchers found that financial organizations fix half of first-party flaws in the first nine months, compared to 13 months for third-party flaws.

Delays in fixing, or at least remediating, insecure code threaten financial sector security, according to Veracode, which warns that security debt in the financial sector is escalating rather than improving.

7. Software supply chain risks

The latest edition of Verizon’s Data Breach Investigations Report warned of a 68% surge in breaches resulting from supply chain attacks over the past year, particularly targeting critical vendors in software, data processing, and IT infrastructure.

“Supply chain cyber threats also pose a significant risk to the FSI [financial services and insurance] sector, especially with the increase in reliance on third-party IT services,” Lewis Duke, SecOps and threat intelligence lead at Trend Micro, tells CSO.

Last December a ransomware attack on a service provider left 60 US credit unions facing outages. An earlier 2020 supply chain attack on SolarWinds’s Orion network monitoring software, widely used in government and industry, served as a wakeup call about the class of threat.

“To mitigate this risk, FSI organisations must implement rigorous vendor risk management programs, and conduct thorough security assessments and audits of third-party providers,” Trend Micro’s Duke advised.

Vulnerabilities in open-source components and third-party libraries are increasingly exploited in sophisticated supply chain attacks, experts warn.

“SBOM [software bills of materials] automation tools scan dependencies to identify and mitigate vulnerabilities early in the development lifecycle, reducing exposure to these threats,” says Philip Pearson, field CISO at cloud-native application security vendor Aqua Security.

8. Cryptojacking

Cryptojacking occurs when malware infiltrates an organization’s network and steals resources to mine cryptocurrency. Threat actors spread this malware through malicious websites, browser extensions, phishing emails, unsecured cloud instances, and by exploiting vulnerabilities.

The scam is on the rise with security researchers reporting a 659% year-on-year rise in global cryptojacking by the end of 2023, according to SonicWall.

ReliaQuest warns both financially motivated cybercriminals and nation-state-backed APT groups pose cryptojacking threats to the finance industry, which they covet for its huge computational resources.

9. Emerging quantum threats to encryption

Quantum computers are advancing toward solving complex mathematical problems that underlie today’s public-key cryptography. Once operational, they could render current encryption obsolete, exposing sensitive financial data to breaches.

“Quantum computers present a threat to RSA or elliptic curve-based public key encryption systems that financial sector organizations rely on to protect sensitive data,” says Dr. Marc Manzano, general manager for cybersecurity at AI and quantum technologies specialist SandboxAQ. “To mitigate this risk, financial institutions need to establish comprehensive programs to modernize cryptography management.”

Fortunately, the threat has been long-anticipated and development of cryptographic algorithms secure against cryptanalytic attacks by a quantum computer has been in the works for years.

The US National Institute of Standards and Technology (NIST) released its first set of quantum-resistant algorithms in August 2024. Early adoption of these technologies aligns institutions with global best practices and regulatory expectations.

The G7 Cyber Expert Group (CEG) — chaired by the US Department of the Treasury and the Bank of England — is advising financial authorities and institutions to take proactive measures against quantum risks.

Organizations should plan for a phased migration of their IT infrastructure to quantum-resistant encryption, ensuring continued data security in a post-quantum era.

10. Emerging AI-assisted attacks

AI speeds up credential stuffing and brute-force attacks, allowing cybercriminals to test passwords at a rate no human could match. Gen AI tools can also be abused to create much more convincing phishing scams.

“The misuse of AI has stepped up phishing efforts,” according to Megha Kumar, chief product officer at global cyber consultancy CyXcel. “Forget those obvious, typo-filled scam emails. Now, cybercriminals can send highly tailored, professional-looking messages that are much more likely to trick people.”

“While commercial generative AI tools, such as ChatGPT, have attempted to build guardrails to prevent bad actors from using the technology for malicious purposes, adversarial tools such as WormGPT have emerged to fill the gap for attackers,” adds Keiron Holyome, VP of UKI and emerging markets at BlackBerry Cyber.

Research has shown gen AI can be abused to create fraudulent voice imprints capable of circumventing biometric identification tools used by banks.

That’s just the start of it.

Criminals might use AI to comb through huge data sets quickly, identifying valuable targets for data theft, among other malicious applications.

“Malware empowered by AI can learn typical user or network behaviors, enabling attacks or data exfiltration that evades detection by better mimicking normal activity,” Holyome says. “AI-powered reconnaissance tools may facilitate autonomous scanning of networks for vulnerabilities, choosing the most effective exploit automatically.”

11. Tougher regulatory regimes

Not a cyber threat per se, but banks, insurance, and investment firms in particular are subject to an increasingly wide range of regulations and compliance requirements, with new cybersecurity strictures upcoming.

“Failing to implement appropriate cybersecurity measures may expose [finance sector organizations] to reputational as well as enforcement risks, including severe fines under the GDPR,” warns Sarah Pearce, partner at law firm Hunton Andrews Kurth. “We are seeing an increased focus on operational resilience with upcoming legal frameworks on cybersecurity evolving and becoming more prescriptive.”

DORA (Digital Operational Resilience Act) regulations are set to take effect across the EU in January 2025, bringing with them a requirement for banks to establish comprehensive risk management frameworks.

“Within the next year, banks will, for example, be required to comply with considerable cybersecurity obligations under DORA,” according to Pearce. “Obligations will vary depending on the specific type of products and services they offer.”

Original Post url: https://www.csoonline.com/article/3609168/11-biggest-financial-sector-cybersecurity-threats.html

Category & Tags: Compliance, Financial Services Industry, Phishing, Ransomware, Regulation, Risk Management, Threat and Vulnerability Management, Vulnerabilities
