Financial institutions are a prime target for cyberattacks due not only to the money they have but also the data their systems house. Money and data equal a goldmine for bad actors. In many cases, the data—an institution’s crown jewels that can include PII, payment card data, credentials and other sensitive information—may be more valuable than the currency itself. So it should come as no surprise that financial services is one of the most breached verticals.
To their credit, banks, insurance companies and other financial institutions have often been ahead of the curve with regard to their regulatory commitment to cybersecurity best practices. However, many of the breaches associated with this industry occur via third-party vendors or business associates.
Consider the incident at U.S. Bank last year. The bank disclosed that an estimated 11,000 customers were impacted by a breach of one of its third parties. According to NBC News, the breach resulted in hackers accessing “names, Social Security numbers, closed account numbers and outstanding balances.”
Attacks on financial institutions’ vendors have also been on the rise globally. In October, an S&P Global Ratings report found that Australia’s four largest banks (totaling 76% of its banking industry) were at risk due to their third parties.
Obviously, the magnitude of any financial institution’s data is substantial, especially when you consider that if it were to be breached, a cybercriminal would have keys to the kingdom—someone else’s financial records. This data can be used to develop financial fraud-based attacks, perform identity theft, inform spear-phishing campaigns and more.
Threat actors will often seek out the path of least resistance when looking for security gaps and ways to penetrate larger organizations. Third parties with weaker controls can prove to be very attractive targets. In fact, a Forrester study (commissioned by my company) found that 67% of breaches are through third parties. Yet, third-party cyber risk management strategies are not as robust as they should be, often taking a backseat to compliance and regulatory requirements.
Without a doubt, banking and financial institutions are heavily regulated and have more compliance requirements than those in most other industries. Many of these regulations go to great lengths to protect data privacy and consumer preferences. But compliance doesn’t equate to security. Checking the box on compliance may not address major gaps and can still leave your organization vulnerable.
Prioritizing Security And Compliance
Given the increased usage of third parties to enable business operations and efficiency, the financial services industry must focus on prioritizing risk management and mitigation. Prioritizing the identification, measurement and subsequent actions to reduce risk will not only help with ensuring compliance but also empower institutions to proactively address cybersecurity gaps before they become a crisis.
Many of the security requirements in compliance frameworks do not actually help an organization gain a full understanding of their attack surface, the most likely threats they will face, the techniques those threats are likely to use and their own internal security gaps. Satisfying a compliance requirement seldom provides a material understanding of potential issues with third parties and any other associated vulnerabilities, but a robust risk management program does.
To illustrate this point: Equifax held compliance-focused certifications, including ISO certifications. Yet, in 2017, criminals were still able to access Equifax’s networks and steal customer data, including Social Security numbers, addresses and birthdates. Why was Equifax breached? A vulnerability was discovered in the Apache Struts open-source software that it relied on but didn’t patch. While the company may have been compliant, its customers’ data wasn’t entirely secure.
Prioritizing risk is important to help organizations navigate the challenges of cybersecurity, especially when it comes to handling issues with third parties. For banks and financial institutions, the first need is to make sure they understand the breadth of their attack surface or security boundary, including their third parties.
Organizations need to ask the question, “Who am I even exposed to?” This can range from the bank’s digital payments partner, payroll system, or, as we’ve seen, even their HVAC provider. The last thing you want is to be notified by a third party—one you didn’t even know you were using—that they had a breach. The goal here is to be proactive and informed.
What Improved Risk Management Looks Like For Financial Services
Proactively managing third-party risk means you don’t need to feel as if you are waiting around and holding your breath in fear that one of your vendors will be breached. Take stock of where your crown jewels are processed, transmitted and stored. Consider the threat actors with the motivation and capability to compromise your data and its location. Use threat research tools like MITRE ATT&CK to learn about the techniques those threat actors are most likely to use. Then evaluate your environment to determine where you have gaps or weaknesses that are likely to make those techniques successful.
After collecting this data, attempt to apply an objective evaluation of the probability that these threats will materialize and the expected impact if they do. This approach will produce a prioritized and highly defensible roadmap for addressing risks in an effective and efficient manner, both within your own environment as well as your third-party ecosystem. As an added benefit, you will have satisfied many of your compliance requirements as well, without the need to follow a static checklist.