Banking and Insurance Cybersecurity in 2021: Threats and Considerations
The Main Facts and Figures of Cybersecurity for Banks and Insurance. Building a Cybersecurity Strategy for the Financial Sector.
In this guide, I will walk you through the main threats and cybercrime trends the financial sector needs to be aware of. With cybercrime rapidly evolving, so must the defense strategies set up by companies in any type of field, but especially by those in the financial sector. The banking and insurance cybersecurity approach needs to be extra vigilant since the stakes are much higher.
In many ways, the banking and insurance operators are perhaps the most exposed to cybercrime, compared to any other type of company. Not only do they operate with large amounts of money, which inevitably attracts cyber-criminals like bees to honey, but they are also responsible for their customers’ finances as well. This means that with the right approach, hackers can potentially defraud many more companies by breaching only one. If the initial access point into a chain of multiple attacks is a bank or an insurance company, they can proceed to tamper with valuable data from a myriad of potential other victims, too.
Banking and Insurance Cybersecurity Stats and Figures
Detected and undetected cybercrimes have risen in frequency and sophistication, becoming one of the main business risks companies worldwide face today. A company has a higher chance to suffer a devastating data breach or fraud than to encounter any other type of business hardship.
Here a few key stats and figures to help you get a better picture of the state of banking and insurance cybersecurity threats:
- Over 50% of businesses suffering from fraud recover less than 25% of the fraud losses (according to the Global Banking Fraud Survey 2019);
- According to the same study, more than 60% of banks are reporting an increase in fraud volumes and over 50% are experiencing an increase in fraud value;
- 77% of banks are planning to invest in AI & ML-powered cybersecurity (same study shows);
- Businesses worldwide have spent approximately $8.2 billion on anti-money laundering (AML) systems in 2018 alone (according to the World Economic Forum);
- Credential stuffing abuse is rampant: Out of 42 billion attacks, 16.55 billion targeted APIs (such as those used by the financial sector for integrations) and 463.3 million were specifically targeted against financial sector targets (according to an Akamai Study from 2020);
Banking and Insurance Cybersecurity Threats
These are the main threats that the banking and insurance sector is facing, from a cybersecurity standpoint.
#1. Open Banking and Third-Party Services
Open Banking is a new tech standard of allowing third parties to access the financial information of customers. It relies on the integration of multiple platforms through secure APIs designed to allow all parties sharing a customer to freely exchange relevant information. While this is theoretically secure (or at least as secure as online banking itself), in reality, integrations never run as smoothly as planned. Ask any programmer friend and they may have stories of countless headaches – figuratively and literally – caused by never-ending integration trouble.
The blank spaces between the various integrated platforms are today one of the main sources of cybersecurity risk and concern among fintech experts worldwide. If hackers can breach an API, they can then breach an entire host of other banking apps, like in a supply chain attack model.
Even if open banking is extra-secure, a problem for the financial sector may be that customers don’t perceive it to be. A recent Black Kite study has shown that over 49% percent of bank customers believe their data will be less safe due to open banking. Managing the customers’ perception of risk is at the forefront of priorities in banking and insurance cybersecurity management, right along with mitigating actual risk.
#2. Online Banking Made Easier for Customers
Any business feels the pressure to make its systems more user-friendly and improve its UX (User Experience). Banks are no different. If they want to encourage people to bring their business to them, navigating daily operations should be easy and straightforward.
Every extra security check is hindering that UX, so this may occasionally result in security being laxer. After all, who wants to go through multiple factor authentications? With simpler security, users are happy. And so are hackers.
#3. Business Email Compromise (BEC) Attacks or CEO Fraud
Business Email Compromise is a type of attack where the hacker relies on people’s innate inclination to elaborate, by taking over the account of someone they trust. BEC attacks imply that the hacker sends emails as someone already working for the bank, asking customers for credentials or asking a colleague to complete a fraudulent transfer.
Sometimes these requests are made to seem as if they are coming from a manager or higher hierarchy official, thus being nicknamed CEO fraud.
#4. Cybercrime as a Service (CaaS)
Cybercrime as a Service is an insidious trend that shows just how profitable and innovative malware technology is getting. Similar to legitimate endeavors, malware creation is becoming a haven of collaborative communities, often sheltered by the dark and deep webs. Once there, hackers can find software for sale aimed to help attackers increase the scale of their attacks, mounting hundreds of attacks per day without having to do the legwork from scratch.
Ransomware-as-a-service is a sub-type of CaaS which is also extremely dangerous to the banking and insurance cybersecurity efforts since it allows attackers to target multiple targets at once.
#5. Insider Threat
Even if internal employee fraud is not significantly rising in the past few years, this should not lull the industry into a false sense of safety regarding insider threat. A lot of external-generated frauds are starting with help from within the organization, as an initial entry point. While it’s true that many instances of insider threat are not intentional, the result is still the endangerment of the bank or insurance industry they work for.
#6. Composite Malware (Adaptative)
By using various types of malware, often forms not related to the fintech sector, hackers are able to get their hands of compromised credentials. Once they hack their way into a user account (or an API), the path is clear to hijack even more of the bank’s systems and accounts.
Some of the techniques the attackers could use include:
- Authorized Push Payments (Scams);
- Stolen credentials (impersonation fraud);
- Card not present fraud;
- Cyber-fraud through one-size-fits-all approaches or brute-force attacks;
- Cyber-fraud through well-tailored cybercrime-as-a-service (CaaS) code;
Pairing multiple techniques or types of attack together is not something new. Attackers do it all the time to help each other reach their targets and share the spoils since every type of malware is good at taking down a particular defense layer.
In a notorious example, the Ryuk, Emotet, and Trickbot trifecta is known to have been extremely effective against the banking and insurance sector.
#7. Social Engineering
Social engineering is a category of scams and cyber-attacks that rely on the social nature of humans to achieve their goals. BEC, phishing, fake prize cards, fake charity scams, and more. All of these are forms of social engineering.
Since often the hackers’ first entry point into an organization is through its human factor, social engineering scams are very widely used. Even if there’s not much to be gained from fooling just one person inside the bank, once the entry point has been breached, more information will be gathered and used to help attackers reach their goal.
Banking and Insurance Cybersecurity Legal Guidelines
Unfortunately, because financial cybercrime is such a rising threat, most governments have issued regulations aimed to incentivize banks to treat the problem seriously, by placing the burden of responsibility on upper management. In some instances, when cybercrime occurs, this can lead to criminal charges against bank management personnel, even if they are not direct accomplices of the hackers.
A Deloitte study on Cybercrime and Regulation in Europe for Banks has pinpointed the main rules that financial and insurance sector companies have to follow. The study also highlights the main difficulties in abiding by the official regulations when the technology changes much faster than the laws do.
Banking and Insurance Cybersecurity Must-Haves
#1. Multi-Factor Authentication (MFA)
The three key identifiers that can be used for a strong MFA strategy are:
- Something the user knows (a secret password);
- Something the user has (a bank token which generates a code, their phone, etc.);
- Something the user is (a biometric factor – such as their fingerprint, retina scan, or voice).
Usually, experts feel confident relying on just two of these for a strong 2FA (two-factor authentication), but it’s even safer with all three. Note that none of these types of information are unbreachable – even biometrics can be faked by malicious parties, often with devastating consequences.
#2. Privileged Access Management
It’s essential to make sure hackers cannot exploit privileged accounts within your IT ecosystem, since that can expose your entire digital activity to them. To close critical vulnerabilities right away, remove admin rights from your entire organization and start using a reliable Privileged Access Management solution to secure your workforce.
Heimdal® Privileged Access Management
- Automate the elevation of admin rights on request;
- Approve or reject escalations with one click;
- Provide a full audit trail into user behavior;
- Automatically de-escalate on infection;
#3. A Business Email Compromise Shield
Business Email Compromise (BEC) is a growing threat to businesses in every type of sector, but especially when it comes to banking and insurance cybersecurity.
To get protection against this type of threat, we recommend Heimdal™ Email Security & Fraud Prevention, a solution imbued with AI training that recognizes and flags fraud attempts that would otherwise surpass common spam filters.
Heimdal® Email Security
- Completely secure your infrastructure against email-delivered threats;
- Deep content scanning for malicious attachments and links;
- Block Phishing and man-in-the-email attacks;
- Complete email-based reporting for compliance & auditing requirements;
#4. Network Defenses
Your endpoints are not the only ones in need of strong protection. Your perimeter network is also vulnerable to attacks from malicious insiders or anyone in the proximity of the office. To make sure you are not exposed, you need to review and secure the most common network vulnerabilities as soon as possible. Banking and insurance cybersecurity measures can’t ignore perimeter entry points, since so many people visit banks every day.
#5. Customer Cybersecurity Education
The bank or the insurance companies that follow all of the right guidelines but fails to educate their customers is doomed nonetheless. No matter how sophisticated your defenses are, many breaches start out from a poorly informed choice from the user’s end.
Lately, banks and institutions have started to educate their customers on how to spot phishing and so on, through the form of newsletters and other communications, but even more consistent effort is needed. The better-prepared customers are, the stronger the entire banking community is.
#6. A Multi-Layered Defense Strategy or EPDR
A strong defense comes in multiple layers, designed to address and remediate all possible entry points for attackers. EDR (Endpoint Detection and Response) has long been considered the gold standard in cybersecurity, but our own and improved version, Endpoint Prevention, Detection and Response truly provides everything you need to stay one step ahead of malicious attackers.
- Next-gen Antivirus & Firewall which stops known threats;
- DNS traffic filter which stops unknown threats;
- Automatic patches for your software and apps with no interruptions;
- Privileged Access Management and Application Control, all in one unified dashboard
#7. Extend Your Defenses to Customers as Part of Customer Care Packages or Insurance
Financial sector studies have proven a positive link between the more information customers have about defensive measures taken by the bank and a reduced reputational loss if malicious incidents do happen. Furthermore, customers are even happier with their choice of bank or insurance company if the same advanced protection is extended to them as well.
Our experience with securing the systems of Royal Bank of Scotland (RBS) business customers over the past few years has shown us what a tremendous positive change this makes.
Heimdal™ for Banks, Insurance, and Union Customers is a specially designed package designed to boost your ROI by securing both you and your customers against cybercrime (minimizing loss) and by greatly reducing your customer churn, as well. Our data shows how happy banking and insurance customers are and how much more likely are to stay at your side, year after year when stellar cybersecurity is offered as part of the package. Secure your business and your customers’ future in one move, with Heimdal™’s unique EPDR, wrapped in this package of unified solutions designed for flawless baning and insurance cybersecurity.
Re: “Every extra security check is hindering that UX, so this may occasionally result in security being laxer. After all, who wants to go through multiple factor authentications? With simpler security, users are happy. And so are hackers.”
I am using online banking however I also have one bank account without phone and online banking for security reasons. I opened this account after reading a lot about cyber-security. This is the easiest way to achieve security and I don’t mind visiting branch occasionally.