As seen in Crain's New York Business

The persistent rains of social engineering attacks are combining with the gale force winds of data breaches and the destructive and all-too-frequent lightning strikes of ransomware, creating a foreboding and perfect tempest of cybersecurity threats that are rapidly bearing down on the financial services sector.

With each passing day, cyberattacks are becoming more sophisticated and capable of circumnavigating security defenses with an ever-increasing level of efficacy. Gone are the attacks resulting in small, isolated money grabs and minor production outages. Instead, financial service organizations are seeing exponentially more devastating impacts, resulting in multimillion-dollar fines, irretrievable data, prolonged disruption of operations and perhaps most important, brand degradation in the eyes of their customers.

Some samples of the catastrophic impact of these attacks:

• Capital One had more than 100 million credit card applications compromised after cybercriminals took advantage of a firewall misconfiguration. The attack resulted in fines of $80 million and customer lawsuits of $190 million.
• Experian experienced a data breach that resulted in more than 24 million customer records and nearly 800,000 business records being compromised after an employee was socially engineered into providing access.
• Desjardins, Canada's largest credit union, was victimized by an insider who gained unauthorized access to millions of member records, causing estimated damages of more than $100 million.
• Flagstar Bank, one of the largest financial providers in the U.S., was the victim of a massive data breach this year. It was reported that Social Security numbers belonging to 1.5 million customers were compromised in the attack, triggering a series of costly class-action lawsuits.

Should members of the financial sector feel that they are not the most desired targets of cybercriminals, the consensus of researchers would indicate otherwise. According to IBM’s “Cost of a Data Breach Report 2022,” financial organizations experienced the highest percentage of attacks, compounded by having the second-highest average breach costs of almost $6 million. Verizon’s “Data Breach Investigations Report” says the financial sector experienced more data breaches than any other industry. VMware Carbon Black’s “Cyber Security in Financial Services” report provides another stark assessment of the financial services industry, saying that it is “subjected to the highest rates of attack of any vertical market, the source of one-third of all data breaches”.

Why are cybercriminals focusing their attacks on the financial services sector?

There are several key motivating factors. First, and perhaps foremost to criminals, is the tremendous amount of sensitive information that is stored and processed by businesses in the financial sector, often for extended periods to meet retention regulations. Second is the accessibility to the financial assets of customers, many of whom may be high-net-worth or even ultra-high-net-worth individuals. Factor in the industry’s reliance on an intricately connected system of devices, web and mobile fintech applications, and financial systems and supply chains, some of which adhere to a less-than-optimal level of security, and it is easy to imagine the multitude of ways that attackers can gain unauthorized access.

While there is no easy path to a secure destination that is invulnerable to cyberattacks, businesses can reduce their risk and increase their ability to avoid becoming the next data breach headline. While there are new and exciting technologies that are leveling the playing field in the battle against cybercriminals, including artificial intelligence, automation and robust security frameworks, there are essential building blocks that every financial services business should implement. They include:

• Assessments
  • Conducting cybersecurity risk assessments on a regular basis will allow businesses to identify where their risks lie so that they can direct remediation resources to where they are needed most. The scope of an assessment should include key third-party vendors, suppliers and other partners. Once an assessment is completed, it is critically important to repeat the process on a regular basis to reflect the constantly evolving threats and changes in technology.
• Awareness
  • Since the preponderance of attacks are geared toward socially engineering humans, it is critically important to educate all employees on the importance of defending their business against the nefarious schemes of criminals. While training is instrumental to every cybersecurity strategy, testing users with simulated social engineering attacks will arm employees with an instinctual ability to avoid cyberthreats. This approach will convert employees from what is typically the weakest link in the security chain to a virtual human firewall capable of drastically diminishing the chance of a successful cyberattack.
• Resilience
  • Taking the mindset that a breach is not “a matter of if” but “a matter of when” may seem like a defeatist attitude, but it is, in fact, a constructive one. By preparing for the day when the cybercriminals outmaneuver your defensive efforts, having a plan to respond and recover will slash downtime and the expenses related to returning to operational status. This preparation includes the secure creation of dependable backups, the development and regular testing of incident response and disaster recovery plans, and the acquisition of a cyber insurance policy.

The cybersecurity challenges facing the financial services industry are many, with businesses forced to defend themselves from an onslaught of criminals looking to enrich themselves with stolen information and ransom demands.

With a strategic approach that weaves cybersecurity into the fiber of every financial services business, however, the industry can weather the storm and reach for a brighter tomorrow.

For more information on securing your financial services business, contact Kevin Ricci at kricci@citrincooperman.com or Alexander Reyes at areyes@citrincooperman.com.