Banks have always been at the forefront of enterprise cybersecurity. Their enormous stores of cash and consumer data have made them a top target for hackers, and the threat of financial losses, regulatory consequences, and reputational damage has spurred them to innovate and accelerate the field of cybersecurity.
However, the intersection of cybersecurity and banking can feel like battling the Hydra. As soon as one vulnerability is addressed, another one is created. Combine this with the increasingly diverse ways consumers are interacting with their money, and you’ve got a recipe for something disastrous.
1. Mobile apps and web portals will create more security risks.
As consumers continue their long slow march away from cash, banks are becoming more heavily invested in mobile and web-based services that facilitate payment and transfers. However, these applications are creating new vulnerabilities that banks will have to address.
Want proof? Web applications were the #1 threat pattern in financial services data breaches in 2018, according to Verizon.
This supports other recent findings. A 2018 study from Accenture reported on the cybersecurity of 30 major banking applications. All 30 apps had at least one known security risk identified, and 25% of them included at least one “high-risk security flaw.” Their vulnerabilities included insecure data storage, insecure authentication, and code tampering.
And it’s not just mobile where banks are seeing problems with software. Their web-based banking applications have also been shown to lack security, with one report calling the financial sector the “most vulnerable to attack” of all the industries tested. According to these researchers, every financial site they tested contained at least one high-severity vulnerability.
It’s unclear whether this will pose a major problem for banks in the future, but one thing’s certain — people aren’t going to go back to cash transactions and weekly visits to their local branch. If banks want to keep up with consumer behavior while avoiding a major attack, they’ll need to update their web and mobile cybersecurity practices.
2. Third parties will continue to be a target.
In the last decade, banks have poured countless resources into protecting their own networks and systems from cyber attack. As a result, hackers have looked elsewhere for points of entry — and when they’ve found them, they’ve gleefully exploited them.
As we reported previously, major banking cyber attacks have been caused by vulnerabilities in shared banking systems and third-party networks. The 2017 Scottrade data breach, for example, was caused by a professional services vendor.
One of the most notable third-party breaches occurred in 2016, when hackers stole $81 million from Bangladesh Bank by exploiting a vulnerability in a shared banking system called SWIFT. Another attack occurred in 2019 in Australia, with hackers exploiting a vulnerability in the third-party PayID system to access the personal information of 98,000 Westpac bank customers.
Banks have not been impervious to the decentralization of IT that has affected most enterprise businesses. As organizations become increasingly reliant on third-party vendors for their day-to-day operations, these vendors must be continuously monitored for cybersecurity vulnerabilities. Lack of awareness of third-party security could cost banks millions in 2020 and beyond.
3. Cryptocurrency hacks will keep big banks on their toes.
The past few years have seen cryptocurrencies like bitcoin and ethereum transform from a fringe interest to a mainstream investment.
True believers in cryptocurrency think it should replace the global financial system, and they typically cite “security” as a reason why. Some analysts have even recommended that moving your money to a crypto wallet is a good strategy to avoid losing it in a bank hack.
However, those who have been paying attention know that cryptocurrency exchanges have had some major hacks of their own. The most famous was probably the 2014 hack of Mt. Gox, during which attackers stole 850,000 bitcoin (worth about $9 billion as of September 2019). However, the largest crypto hack in history actually occurred in 2019, when Japanese crypto exchange Coincheck got drained of NEM coins worth about $534 million. In the first half of 2019 alone, fraudsters and hackers stole approximately $4.26 billion worth of crypto.
Now, big banks are starting to dip their toes in the crypto waters, with one in five financial firms saying they might start trading cryptocurrencies. It’s possible that the involvement of major institutions will shore up the security of the crypto industry — but if the past is any indicator, extreme measures will have to be taken to ensure the security of these digital currencies.
Banks have a responsibility to keep their customers’ funds safe from cyber criminals, and that challenge is on track to become even more difficult in 2020. We’re not sure what stories we’ll see from the financial sector next year, but as the CISO of the Federal Reserve Bank of New York put it, “Something will happen, without question.”