Cybercrime is as old as the Internet, but the threats grow each year in both number and sophistication. Because of the highly regulated nature of the financial services industry, banks are typically ahead of the curve in cyber defense. Even so, they remain prime targets and are hit particularly hard for several reasons: high-value assets, deeply distributed infrastructures, exploitable Internet of Things (IoT) devices, and the human factor.
The topic of how financial institutions (FIs) can safeguard their systems and data was discussed at last year’s Summit by Leonard Burger, SBS (ex-Sopra Banking Software)’s Product Marketing Specialist, Erwan Brouder, Deputy Head of Sopra Steria’s Cybersecurity Business Unit, and Jean-Marc Velasque, Head of Business Consulting, MEA at SBS (ex-Sopra Banking Software). We explore their insights below.
Prevalence and cost of cyberattacks
Cyberattacks on financial services players have risen over the last decade, driven largely by digital transformation and accelerated by the global pandemic. As the number of entry points into IT systems grows and data volumes increase, opportunities open up for cybercriminals, state-sponsored groups, hacktivists, and insider threats. According to Statista, there were 1,829 reported cyber incidents in the financial industry in 2022 (477 of them involving data breaches).
Meanwhile, IBM’s Cost of a Data Breach Report 2023 says finance firms lose around $5.9 million per breach – almost 33% more than the global average figure. Across industries, finance reported the second highest costs, behind only healthcare. The true cost goes beyond money, with successful attackers often accessing innumerable transactions and sensitive client records. At the same time, the bank’s reputation is dented, revenue is lost, and insurability may become an issue.
Major cybersecurity threats
Cloud computing company Akamai uses a single word to capture the landscape in 2023: pivot. “Attackers shifted their tactics to circumvent security measures, looking for novel attack surfaces and untapped targets to wreak havoc.” Top concerns for banks include:
- Malware (particularly ransomware) attacks
- Malware-as-a-Service
- Endpoint security
- Cloud-based cyberattacks
- Phishing and social engineering attacks
- Supply chain attacks
- Attacks on third-party providers
- Human/user error
For Jean-Marc Velasque, “Banks have to consider the unexpected as the new normal.”
Looking to the future
Artificial intelligence (AI), especially machine learning, also plays a part in fuelling attacks. “AI looks like it’s at the start of a similar evolutionary curve to ransomware,” says Matt Lane, Director and Co-Founder of XCyber. The threat stems from its “ability to automate tasks at a scale previously not possible”.
Meanwhile, as additional emerging technologies like quantum computing, blockchain, and 5G develop, the threat landscape broadens in complexity and scope. For example, according to a security expert at Thales: “A single powerful quantum computer may be able to break the current public key encryption algorithms (cryptography) used by virtually every FI, threatening to compromise everything from client data and the secure websites and software they use to interact with customers, to the hardware that authenticates, encrypts and decrypts payments.”
A recent outlook report by Moody’s backs that up, identifying quantum computing and AI as innovations that may “strain cyber resources in 2024”.
Central Bank Digital Currencies (CBDCs) present further cybersecurity challenges, with a UK House of Lords report highlighting two major risks: the potential for individual accounts to be compromised via cybersecurity weaknesses, and a centralized CBDC being targeted by “hostile state and non-state actors”.
How can banks become more cyber resilient?
On the flip side, technology can also help banks. With that in mind, they are future-proofing by recalibrating their defenses and adopting new methods to mitigate cyberattacks and better protect themselves.
According to IBM, investment in AI and automation “reduces costs and minimizes time dealing with breaches”. Organizations using those capabilities extensively spent 108 days less on average identifying and containing a breach and reported $1.76 million lower associated costs on average, compared to businesses not using them.
Artificial intelligence-powered tools are also being leveraged to fight payment scams. For example, in July 2023, nine UK banks partnered with Mastercard, using its Consumer Fraud Risk solution to gather real-time intelligence and stop phony payments before funds were lost.
Additional considerations for banks include adaptable cybersecurity solutions, real-time monitoring, regular risk assessments, strong encryption standards, and a zero-trust approach. On top of that, collaboration with industry bodies and other banks is vital, helping to anticipate and identify new threats.
While prioritizing cybersecurity is key, so are innovation and remaining competitive, which makes for a delicate balancing act for banks.
Role of regulations and standards
Regulatory frameworks and initiatives are also important, helping banks better protect themselves, counter cyberattacks effectively, and build and maintain trust with customers. The following play a major role:
- Digital Operational Resilience Act (DORA): FIs and third parties must follow rules for “the protection, detection, containment, recovery, and repair capabilities against information and communication technologies-related incidents”.
- Network and Information Security Directive (NIS2): Legislation outlining measures for a “high common level of cybersecurity” across the European Union (EU).
- Cyber Resilience Act (CRA): Aims to ensure safer hardware and software, safeguarding businesses and consumers.
- G7 Cyber Expert Group: Discusses finance sector-related cybersecurity issues such as ransomware resilience and third-party cyber risk management and produces “Fundamental Elements” publications on those topics.
- Guidelines for Secure AI System Development: In place to raise AI cybersecurity levels, helping ensure systems are designed, developed, and deployed securely.
- ISO/IEC 27000: Family of information security management systems (ISMS) standards spanning cybersecurity, IT security, and privacy protection.
Working with a trusted partner
With open banking and finance, platformification, and a collaborative approach on the rise, many players are involved in a bank’s ecosystem. As such, it’s imperative they choose the right partners.
SBS (ex-Sopra Banking Software)’s component-based cloud banking platform is secure by design. It offers a range of tools, including a zero-trust architecture and protection layers such as anomaly detection, a bug bounty program, AI, penetration testing, and simulated phishing campaigns.
Furthermore, our strategic partnership with Axway is important, facilitating API-first solutions that are open, compliant, and connected. We’re also part of Sopra Steria – we can call on the cybersecurity expertise of the wider group in terms of prevention, protection, and detection.
Combined, those factors help ensure our clients have the optimal level of protection when they use our products and services.
Navigating the cybersecurity landscape
It can take years to build a reputation and a few minutes for a cyber-incident to ruin it. To safeguard their future, banks need to stay one step ahead, and cybersecurity must remain a top priority. As part of that, leveraging the cybersecurity community, sharing information, ensuring their entire ecosystem has mature cybersecurity levels, and investing in new technologies are crucial.
Watch the “Cybersecurity in banking: Safeguarding the future” session here.