Sixty-four percent of financial service firms were victims of at least one ransomware attack this year, according to the 2023 Sophos report-up from 55% in 2022 and almost double the 34% reported in the 2021 survey.
Already in the first half of 2023, the financial sector ranks seventh among the most targeted sectors, suffering more attacks in six months than all of 2022.
This has significant consequences for financial firms and the teams that manage the fallout from a breach. While cybersecurity risk is often managed by information security teams, other teams in risk, compliance, and even those concerned with brand reputation have a lot at stake if something goes wrong.
Case in point: Since 2018, ransomware attacks on the global finance sector have cost $32.3 billion in downtime alone, exposing at least 32.3 million individual records.
Ransomware attacks typically cost financial firms more than other industries-with organizations spending an average of $2.23 million to fully recover from an attack in 2023. And that isn’t even counting ransom payments, which 43% of organizations ended up paying.
In addition to the upfront costs of recovery and ransom payments, cyber attacks can cause operational downtime, lost revenue, and long-term reputational damage.
Below, we’ll walk through some of the unique challenges and vulnerabilities the financial industry faces today, and how security teams and other leaders can take steps to mitigate risk.
Cybersecurity Challenges Facing the Financial Industry
Increased Reliance on Digital Supply Chains
The pandemic sparked a massive digital transformation in the financial sector. However, this growing reliance on digital supply chains also introduced new cyber risks and vulnerabilities. Financial firms now work with hundreds or thousands of third-party vendors that may have some level of access to their infrastructure, including sensitive customer data.
With a broader digital footprint, financial companies have more potential entry points to defend against would-be hackers. In fact, an estimated 60% of all data breaches happen via third-party vendors.
Financial institutions are vulnerable to third-party cybersecurity threats directly and indirectly:
- Directly: Hackers target third-party vendors specifically to gain access to the financial institution. Vendors are often less secure entry points, making them easier targets for infiltrating the valuable assets of their financial clients.
- Indirectly: Hackers target third-party vendors, and the resulting disruption to the vendor’s business can impact the financial company’s operations.
As a result, it’s no longer enough to worry about protecting the organization’s cyber perimeter-firms must also mitigate cyber risks across their vendors, many of which may have fewer resources or investments in cybersecurity compared to financial behemoths.
Huge Stores of Sensitive Data
Banks and other financial institutions gather and store immense amounts of sensitive customer data, making them prime targets for hackers. When attackers successfully breach a financial company, the scale and value of the data at risk is usually enough leverage to command high ransoms. And even if the organization refuses to pay, financial customer data-including information like credit card info, account numbers, PINs, Social Security numbers, etc.-can fetch a high resale price on the black market.
Recent Guidance & Regulation Impacting Cybersecurity Risk Within Financial Institutions
On top of the unique vulnerabilities and heightened threats the financial sector faces, it is also one of the most scrutinized and regulated industries. In 2022, the U.S. Securities and Exchange Commission (SEC) fined more than a dozen banks nearly $2 billion for cybersecurity shortcomings. This impacts not only how firms approach risk but also underlines the significant consequences they will face for non-compliance when handling prevention and mitigation.
Below are some of the recent regulatory initiatives impacting financial institutions globally:
FDIC Guidance on Third-Party Risk Management (U.S.)
The U.S. Federal Reserve, FDIC, and OCC released final interagency guidance on third-party risk management for the banking industry in June 2023. The guidance provides principles-based recommendations for effective third-party risk management and oversight through the entire vendor lifecycle-from vendor selection and onboarding to contract termination. This includes recommendations for due diligence best practices, governance, and reporting.
The guidance applies to any business arrangement-with or without a contract-between a banking institution and a third-party entity. This includes outsourced services, independent consultants, and fintech services.
>>Read more: Understanding The New FDIC Guidance For Third-Party Risk Management
Digital Operational Resilience Act (E.U.)
The European Commission adopted the final draft of the Digital Operational Resilience Act (DORA) in December 2022.
DORA aims to improve the digital security of financial institutions, with a focus on ICT (information and communication technology) risk management, including for third parties.
DORA outlines requirements for financial institutions in the following areas:
- ICT risk management
- ICT-related incident reporting
- Digital operational resilience testing
- ICT third-party risk mitigation
- Intelligence sharing regarding cyber threats and vulnerabilities
This regulatory framework requires all firms to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. The regulation will go into effect in January 2025 and will be binding and applicable to all E.U. member states.
Cyber Incident Reporting Act (U.S.)
The Cyber Incident Reporting for Critical Infrastructure Act went into effect in March 2022. It requires organizations in critical infrastructure sectors, including financial, to report cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and 24 hours, respectively.
This legislation comes amidst a flurry of regulatory actions promoting prompt reporting. For instance, the SEC proposed a rule in 2022 requiring financial institutions to report incidents within 48 hours. Financial institutions must comply with these new regulatory requirements and ensure that their vendors do, too.
How to Protect Yourself From Cyber Risks
As cyber threats continue to increase for both financial institutions and their vendors, security, compliance, and risk management leaders need to find more robust ways to protect their assets. In addition to following best-practice cybersecurity measures, such as employee training, data backup systems, Zero-Trust Access, etc., organizations should invest in third-party cybersecurity efforts and risk management.
Help Third-party Vendors Shore Up Their Cybersecurity
Many smaller vendors or those in less-regulated industries may not have the resources or knowledge to invest in robust cybersecurity practices. These represent some of the financial sector’s weakest links in terms of cyber risk. So it’s important for financial institutions to assess their vendors’ cybersecurity postures and help them identify areas for improvement and clear next steps.
This can and should include mitigative steps like:
- Strong passwords and access policies
- Regular required security updates
- Robust data encryption
- Clear incident response plans
This is important for both existing and new and prospective vendors. In fact, when considering new partnerships, organizations should keep cybersecurity in mind as a critical factor before moving forward with any third-party relationship.
>>Read more: How To Help Your SMB Suppliers Strengthen Their Cybersecurity Health
Use a Comprehensive Risk Management Platform
With hundreds to thousands of vendors in some financial networks, it’s more important than ever to have intelligent solutions to monitor and manage risk throughout the supply chain. Because so much is at stake-and the financial sector ecosystem can be so complex-you want to find a risk management platform that has comprehensive monitoring, alerts, and integration that can track vendors at multiple tiers.
Use a supplier risk management platform with:
- Insights that show easy-to-digest security scores across a wide range of categories, including technical and non-technical risk categories, including network and endpoint security, people, and processes.
- 24/7 monitoring with immediate alerts when there is a reported breach or drop in a vendor’s cybersecurity score, and/or positive or negative press updates.
- A cross-functional collaboration workspace. Procurement, compliance, and information security teams (and other applicable teams) need to seamlessly collaborate when an issue arises, and outline and assign a plan of action.
- A holistic range of risk domain tracking, including financial risk and regulatory risk (i.e., ESG compliance, etc.). This is important because risks are often interrelated. For instance, a third-party vendor’s cybersecurity risk is also a financial risk, and vice versa. So, understanding the financial health of your vendor can indicate how much they can invest in shoring up their cybersecurity.
Level up your cybersecurity posture with Craft. Craft’s comprehensive and intelligent supplier risk management platform lets you track all your suppliers in one place, making it easy to monitor and assess risk and break down siloes between teams for collaborative, end-to-end risk management.