Cyber Security for Financial Services
Nearly every business needs to think about cybersecurity, but the finance sector has particular needs. This is partly because of the way it operates and partly because of the multiple incentives for attackers. Let’s break down what you need to know.
Why is the finance sector at particular risk over cybersecurity?
This may seem like a question with an incredibly obvious answer: the finance sector deals with money and criminals like stealing money. In reality, the problem is much bigger than a computerized version of an old-school bank heist. Thinking of it purely that way risks underestimating a host of specific risks that apply across the sector, including the following.
Increasing Risk Surface
Between store closures boosting online shopping and more use of contactless payments in person, the pandemic sped up a long-term trend away from cash. That greatly increases the proportion of transactions that involve digital activity, records and data transmission. In turn, that’s increasing the scope for digital security flaws and breaches.
We think of finance as money, but it’s just as much about personal data. By definition, any business that handles somebody’s finances needs to handle personal information, for example to verify their identity, tax status or legal standing. As well as card and account numbers, this can include addresses, dates of birth, social security numbers and other key personal data. The potential for identity fraud and overcoming security checks elsewhere means this data can be just as attractive to cybercriminals as bank balances.
Mention finance and security threats and most people think of stolen money or stolen data. However, unauthorized access is just one element of security. It also involves unauthorized alteration or deletion of data and disruption to systems, that is, integrity and availability alongside confidentiality. If people can’t trust that financial institutions hold accurate records of their money and assets, they will understandably be concerned or angry. That can damage the sector’s reputation and smooth operation almost as much as direct financial loss.
Finance is a key part of any society, both in its sheer size and the importance to day-to-day life. Disrupting any part of the financial sector, from national banks to tax advisors, can severely disrupt a society. It could harm trust, inconvenience people, limit trade and even sow political division.
That makes finance (along with healthcare) one of the key targets for politically motivated attacks. Hostile nation states have a strong incentive to fund and support cyberattacks on the finance sector in the hope of harming their adversaries, and state actors have the resources for advanced persistent threats: gaining access to a system with the intention of remaining undetected for as long as possible.
What are the main cybersecurity issues?
We’ve covered the incentives for cyber attackers to go after the finance sector, along with the range of harm they can do. Unfortunately we also have to consider the other side of the coin: the specific issues that can make cyber-attacks both more likely and more successful. These are some of the key issues at the moment, though, as we’ll address later on, new threats are always emerging.
The threat isn’t limited to direct attacks on financial institutions. Instead, attackers are increasingly going after the financial “supply chain”. For example, they may compromise a vendor or supplier’s systems and use that trusted connection as a route into a payment handler’s environment. It’s an approach that’s sometimes dubbed “island hopping”.
Mobile financial access makes life a lot easier for the general public and retailers alike, but it does bring its own risks. Public Wi-Fi and other untrusted networks strip away some of the protections that a home network or a wired connection might offer. No financial system should ever rely on the network for protection in the first place (every connection should be authenticated and encrypted end to end, for example with TLS), but an untrusted network still makes things that little bit riskier.
Convenience Vs Security
Digital finance is usually sold to the public as a way to make their life more convenient, with fewer physical limitations such as carrying cash or being in a specific physical location. However, finding the right balance of convenience and security can be particularly tricky in the financial world.
For example, online financial accounts (whether for information or transactions) need more rigorous security checks than most websites. However, making the requirements too complex or disruptive annoys customers. Similarly, some in the finance sector believe that businesses which should be using added layers of protection, such as two-factor authentication, avoid doing so because they assume customers would find it too inconvenient.
The extremely sensitive nature of financial data can feel (whether justifiably or not) like a constraint on some key security testing strategies. Businesses tend to feel safe with basic approaches such as vulnerability assessments: in effect, scanning systems against a checklist of known weaknesses and missing controls.
However, they may be more wary of approaches such as penetration testing, where an authorized security expert carries out a simulated “attack”. This often reveals which vulnerabilities, and in which combination, pose the most serious real-world threat. Businesses are understandably concerned about the access such testers, whether staff or external, have to real financial data as part of their work. In practice that concern is managed through scoping rather than by skipping the test: written rules of engagement, testing against masked or synthetic data in a staging environment where possible, and contractual confidentiality obligations.
On every level, finance sector cybersecurity is too often a field where cooperation is both necessary and lacking. Within businesses, a lack of a unified approach can mean organizational fragmentation and a “responsibility gap.”
Widening out, the interests of individual businesses and national security agencies don’t always neatly align. And on a global level, national cooperation may be lacking, handing a major advantage to cybercriminals who don’t respect geographic borders.
Keys to successful cybersecurity in finance
While specific technologies continue to evolve, some key concepts remain at the heart of any successful finance cybersecurity program.
The consequences of a successful attack can be so severe in finance that time is a luxury defenders rarely have. Many attacks, particularly those aiming to divert funds, destroy data or knock systems offline, are designed to complete in moments. Blocking such an attack in time is only possible with both real-time detection and a pre-designed response: the decision about what happens when a rule fires (hold the transaction, lock the account, isolate the host) has to be made before the alert, not after it.
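The following is an added example, not code from the original article or from any particular product: a streaming velocity check of the kind a real-time transaction monitor runs, paired with a response that is decided in advance. The account names, amounts, thresholds and the playbook are all constructed for illustration.

```python
"""Added example, not code from the original article: a streaming velocity check
of the kind a real-time transaction monitor runs, paired with a pre-decided
response. Account names, amounts, thresholds and the playbook are constructed."""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample feed, already in time order:
# (timestamp, account, direction, counterparty, amount)
SAMPLE_TX = [
    ("2024-03-01T09:00:00", "acct-1001", "out", "payee-A", 120.00),
    ("2024-03-01T09:00:05", "acct-1001", "out", "payee-B", 4900.00),
    ("2024-03-01T09:00:09", "acct-1001", "out", "payee-C", 4990.00),
    ("2024-03-01T09:00:14", "acct-1001", "out", "payee-D", 4990.00),
    ("2024-03-01T09:30:00", "acct-2002", "out", "payee-A", 250.00),
    ("2024-03-01T10:15:00", "acct-2002", "out", "payee-A", 300.00),
]

WINDOW = timedelta(seconds=60)
MAX_COUNT = 3          # more than this many outbound transfers per window, or
MAX_TOTAL = 10000.00   # more than this value per window, fires a rule

# The response is decided in advance so nobody has to improvise when it fires.
PLAYBOOK = {
    "burst":  "hold transfer, require step-up authentication",
    "volume": "hold transfer, page fraud on-call",
}


def detect_velocity(transactions, window=WINDOW, max_count=MAX_COUNT, max_total=MAX_TOTAL):
    """Replay transactions in order and return the alerts as they would fire.

    Per-account state is a deque of recent outbound transfers, trimmed to the
    window, so memory is bounded by the window rather than by the feed length.
    """
    recent = {}
    alerts = []
    for ts_str, account, direction, _payee, amount in transactions:
        if direction != "out":
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent.setdefault(account, deque())
        q.append((ts, amount))
        while q and ts - q[0][0] > window:     # evict anything outside the window
            q.popleft()
        count = len(q)
        total = sum(a for _, a in q)
        rule = None
        if count > max_count:
            rule, detail = "burst", f"{count} transfers in {window.seconds}s"
        elif total > max_total:
            rule, detail = "volume", f"{total:.2f} sent in {window.seconds}s"
        if rule:
            alerts.append({"ts": ts_str, "account": account, "rule": rule,
                           "detail": detail, "action": PLAYBOOK[rule]})
    return alerts


if __name__ == "__main__":
    for alert in detect_velocity(SAMPLE_TX):
        print(alert)
```

Run as written, the feed produces two alerts for acct-1001 (the third transfer pushes the one-minute total over the limit, the fourth trips the count) and none for acct-2002, whose two transfers are 45 minutes apart. The point of the playbook dictionary is the one made above: the action attached to each rule is chosen when the rule is written, so the system can act in the same moment it detects.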
Preventing attacks is important, but no financial company can rely on prevention as the only tool. The sheer scale of financial cyber threats makes a successful attack more of a “when” than an “if” and businesses need to be ready to deal with the fallout. This means having the technology to mitigate and correct the damage, disaster plans to recover quickly, and the communication skills to comply with disclosure requirements while maintaining consumer trust and confidence.
One of the biggest cybersecurity failings is to think of it as purely an IT problem. A successful cybersecurity strategy needs the entire business on-board, with a clear system of accountability and risk transparency. Staff at all levels must be educated in cyber awareness with a clear culture that mitigates risks such as phishing and social engineering. That’s particularly true in a world of increasing hybrid and remote working.
What are the regulatory issues with finance cybersecurity?
Tackling cybersecurity in the finance sector is not just a case of good business. In many cases it’s a legal issue.
While the US has historically had a more relaxed approach to personal data protection than many nations, finance is a different story:
The Gramm-Leach-Bliley Act of 1999 requires financial institutions to have “administrative, technical, and physical safeguards” to protect customer data. They must also explain their information-sharing policies to customers. The Federal Trade Commission updated its Safeguards Rule in 2021 to account for changing technologies. As well as technical and organizational requirements, the rules cover staff security training, noting that “A financial institution’s information security program is only as effective as its least vigilant staff member.”
The Sarbanes-Oxley Act of 2002 is primarily about preventing fraud and financial error in publicly traded companies. However, it does require cybersecurity programs that can stop deliberate or unintentional alteration or deletion of data.
The Securities and Exchange Commission has proposed rules to push public companies to put more institutional emphasis on cybersecurity. Under the proposal, public companies would have to disclose how their board considers cyber risks, who is responsible at the highest level for cybersecurity, and how the board is kept informed about it. Another change under discussion is for boards to state publicly whether any board members have cybersecurity knowledge or experience.
While the best-known data security rules in Europe stem from the General Data Protection Regulation (GDPR), the finance sector now has its own: the Digital Operational Resilience Act (DORA), which applies from 17 January 2025 and covers most financial entities regulated in the EU, along with many third-party ICT service providers.
The rules say organizations must follow a detailed list of requirements so they can “withstand, respond to and recover from” ICT-related incidents. The requirements include internal risk management, governance, resilience testing, third-party risk management, and incident reporting. The biggest change is a far shorter deadline for reporting major incidents than GDPR’s 72 hours: an initial notification within four hours of classifying an incident as major (and no later than 24 hours after becoming aware of it), followed by intermediate and final reports with more detail.
Although the United Kingdom is no longer covered by European Union rules, it is planning its own similar requirements on financial companies and service providers.
What does the future hold for cybersecurity in the finance sector?
As technology continues to evolve, new threats and challenges will influence finance cybersecurity. Some are inherently impossible to predict, while the existence of others is known but the effects unclear.
Cryptography is quite literally the key to securing financial information and transactions, but its long-term future is not entirely certain. The beauty of public-key cryptography is that it works smoothly for authorized users, while its security rests on mathematical problems, such as factoring large integers or computing discrete logarithms, that no classical computer can solve in any realistic time at the key sizes in use today.
That’s come into question with the growth of quantum computing. Qubits can exist in superpositions of 0 and 1, and algorithms that exploit this (Shor’s algorithm in particular) can solve exactly those factoring and discrete-logarithm problems efficiently on a sufficiently large, error-corrected quantum computer. The popular shorthand that a quantum computer “tries every answer at once” is misleading: the speed-up applies to specific problems, not to computation in general. Symmetric encryption such as AES is far less affected, since Grover’s algorithm only roughly halves the effective key length, which is why AES-256 is still considered safe against quantum attack.
The good news is that post-quantum cryptography already exists: NIST published its first post-quantum standards in 2024 (ML-KEM for key exchange, ML-DSA and SLH-DSA for digital signatures). The challenge now is deploying them before quantum computers become capable enough to break current public-key algorithms. For finance that matters today, not later, because an attacker can record encrypted traffic now and decrypt it once the hardware exists (“harvest now, decrypt later”), and financial records stay sensitive for years. There are also open questions about migration logistics: inventorying where cryptography is used, and updating protocols, hardware security modules and payment cards.
While much of the public focus on blockchain involves cryptocurrencies (particularly those treated as speculative investment assets), the underlying technology matters in its own right. The theory is that a blockchain’s records cannot be altered unless somebody controls the majority of its mining or validation capacity: each block commits to the hash of the one before it, so changing a historical record invalidates every later block, and an attacker would have to rebuild all of them faster than the honest network extends the chain. How feasible such attacks are in practice, and whether other flaws emerge, remains to be seen; so far most real-world losses have come from the software around the chain (wallets, exchanges, smart contracts) rather than from its consensus mechanism.
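The example below is added here to make that argument concrete; it is not code from the original article or from any real blockchain project. It builds a tiny proof-of-work hash chain over constructed ledger entries, shows that editing one historical record is detected, and then shows what a “majority” attacker actually has to do: re-mine every block from the edited one onward. The difficulty is deliberately small so it runs in well under a second; real networks use a difficulty that makes the same re-mining infeasible without majority hashing power (proof-of-stake chains replace hashing power with staked value, but the chaining argument is the same).

```python
"""Added example, not code from the original article or any real chain: a toy
proof-of-work hash chain showing tamper detection and the cost of a majority
rewrite. Ledger entries, difficulty and account names are constructed."""
import copy
import hashlib
import json

DIFFICULTY = 12  # leading zero bits required; tiny so the example runs fast
GENESIS_PREV = "0" * 64


def block_hash(block):
    """Hash the committed fields only; the stored 'hash' field is excluded."""
    payload = json.dumps({k: block[k] for k in ("index", "prev", "data", "nonce")},
                         sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def meets_target(h, difficulty=DIFFICULTY):
    return int(h, 16) >> (256 - difficulty) == 0


def mine(index, prev, data, difficulty=DIFFICULTY):
    """Brute-force a nonce until the block hash has `difficulty` leading zero bits."""
    block = {"index": index, "prev": prev, "data": data, "nonce": 0}
    while not meets_target(block_hash(block), difficulty):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block


def build_chain(records, difficulty=DIFFICULTY):
    chain, prev = [], GENESIS_PREV
    for i, rec in enumerate(records):
        blk = mine(i, prev, rec, difficulty)
        chain.append(blk)
        prev = blk["hash"]
    return chain


def verify_chain(chain, difficulty=DIFFICULTY):
    """Return the index of the first invalid block, or None if every link holds."""
    prev = GENESIS_PREV
    for i, blk in enumerate(chain):
        h = block_hash(blk)
        if (blk["index"] != i or blk["prev"] != prev
                or blk["hash"] != h or not meets_target(h, difficulty)):
            return i
        prev = h
    return None


def rewrite_from(chain, start, new_data, difficulty=DIFFICULTY):
    """Simulate a majority attacker: replace block `start` and re-mine every
    later block so the forged chain verifies. Returns (forged_chain, blocks_remined)."""
    forged = [dict(b) for b in chain[:start]]
    prev = forged[-1]["hash"] if forged else GENESIS_PREV
    remined = 0
    for i in range(start, len(chain)):
        data = new_data if i == start else chain[i]["data"]
        blk = mine(i, prev, data, difficulty)
        forged.append(blk)
        prev = blk["hash"]
        remined += 1
    return forged, remined


def demo():
    """Build a ledger, tamper with one entry, detect it, then price a rewrite."""
    records = [  # constructed ledger entries
        {"from": "acct-1001", "to": "acct-2002", "amount": 100},
        {"from": "acct-2002", "to": "acct-3003", "amount": 40},
        {"from": "acct-3003", "to": "acct-1001", "amount": 10},
        {"from": "acct-1001", "to": "acct-4004", "amount": 25},
    ]
    chain = build_chain(records)
    tampered = copy.deepcopy(chain)
    tampered[1]["data"]["amount"] = 4000      # quietly edit one historical record
    first_bad = verify_chain(tampered)        # block 1's stored hash no longer matches
    forged, remined = rewrite_from(chain, 1, {**records[1], "amount": 4000})
    return {"honest_ok": verify_chain(chain) is None,
            "first_bad": first_bad,
            "forged_ok": verify_chain(forged) is None,
            "remined": remined}


if __name__ == "__main__":
    print(demo())
```

The tampered copy fails at block 1 without any further work by the verifier. The forged chain does verify, but only after re-mining three blocks, and on a live network the honest chain keeps growing while that happens, which is where the majority-of-capacity requirement comes from. Note what the check does not cover: a record that was wrong when it was mined is preserved just as faithfully as a correct one, which is why the surrounding software matters as much as the chain.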
Few people in the cybersecurity world think AI will have no impact on the sector, but the net effect remains disputed. Pessimists point to tasks such as crafting attack code or generating mass-scale, targeted and topical phishing emails becoming far easier. Optimists note that AI could combine human-style reasoning with computer speed when checking code for potential security flaws.
What skills are important for finance cybersecurity?
While cybersecurity involves technical knowledge and experience, specific human skills also play a role, particularly with the finance sector. They include:
- A methodical and consistent approach.
- Communication skills, particularly explaining issues and solutions to non-technical staff.
- Confidentiality, particularly when handling sensitive data.
- Resource management, including prioritizing tasks.
- The ability and willingness to keep learning, for example about new threats or changing security regulations.
Cybersecurity staffing models
Finance sector businesses have three main ways to find and manage the staff to take care of cybersecurity, though many combine methods.
In-house employees offer stability and experience with the specific demands and concerns of both the individual business and the sector. The main downside is that rapid expansion (or contraction) of the workforce doesn’t always work efficiently or economically.
The staff augmentation model means hiring temporary workers for a specific project. They follow the direction of the business, though they will often bring their own insight and expertise.
Managed services means outsourcing specific areas of IT (such as cybersecurity) to a specialist organization. This organization then takes responsibility for that area, uses its own staff, and makes decisions about how to achieve the required goals.
Whether hiring permanent staff, temporary workers or consultants, recruitment can be a difficult task. Not only do businesses have to handle the hassle and logistics of finding staff, but it’s often a lengthy process to find candidates with the right mix of technical skills, experience and attributes. An organization such as Intercast, which specializes in cybersecurity recruitment, is a great way to overcome these challenges.
Let’s recap the key points about cybersecurity in the finance sector:
- Finance is at particular risk not just from people trying to steal money, but from those targeting personal data. Some attackers, particularly state-backed hackers, are simply trying to disrupt business or the wider economy.
- Key issues at the moment include third-party supply chain attacks, the balance between security and convenience, the limitations on testing on live and critical systems, and structural fragmentation in responsibility for security.
- Important concepts in finance cybersecurity include live detection, a business-wide approach, and preparation to deal with successful attacks rather than simply trying to prevent them.
- Both the US and Europe continue to strengthen security requirements in the finance sector.
- Quantum computing and encryption, blockchain and artificial intelligence could all become significant security issues in the coming years.
- Finance cybersecurity staff require a broad range of skills, including communication and confidentiality.
- Businesses have several options for cybersecurity staffing. Specialist agencies can help find the right candidates, tailored to the sector.