4 big risks cyber attacks pose for financial institutions

Strong cyber security has never been more vital, especially for financial institutions.

While the majority of cyber criminals are financially motivated, the data financial institutions store makes them very appealing targets. Attackers are interested in information they can sell or use to extort payment from victims.

Cyber attacks on the financial sector—including banks, accounting firms, and insurance providers—all spiked in 2020, in part because of the rapid shift to remote work due to COVID-19 concerns.

This shift expanded threat surfaces everywhere, giving hackers a greater opportunity to stage an attack and increasing the cyber risks facing the financial sector.

As financial services firms further digitalize their operations, the threats they face continue to grow. A single attack can have devasting consequences—and monetary loss is just the tip of the iceberg.

Damages extend far beyond the cost of paying a ransom or stolen funds. Like an iceberg, the real dangers lurk below the surface.

Let’s dive in to the four biggest risks cyber attacks pose for financial institutions and why strengthening your cyber security should be a top priority this year.

1. Lasting financial damage

A single successful cyber attack carries immediate financial consequences that directly impact your firm’s bottom line.

In the event of a ransomware attack—where a hacker deploys a type of malware that locks up IT systems, offering to restore access if the victim pays a ransom—the average cost of a payout rose to $150,000, though some reports found some victims made payments over $1.2 million.

Other attack types come with similar immediate price tags. Business email compromise (BEC), where criminals impersonate a firm’s employees via email to redirect funds to an account they control, can cost anywhere from $250 to $985,000. A data breach, meanwhile, will run an organization $148 on the low end of the scale and as much as $1.6 million on the high end.

That doesn’t even touch on what it means for share price. Following an attack in 2019, Capital One Financial saw shares drop by 5.9%, a serious concern for stakeholders and investors.

By no means small change, these figures pale in comparison to the average total cost of a cyber attack at $4.24 million. This includes a wide range of far-reaching expenses that linger well after the incident has been resolved.

That total covers a wide range of expenses and fees, including:

• Ransom payments
• Fees for forensic and investigative activities
• Expenses for customer/client outreach and notification
• Legal expenses and regulatory fines
• Communications and crisis management spending
• Damages to affected clients and customers
• Lost revenue from operational downtime
• Additional IT investment to replace and/or augment systems

Ensuring your business can get up and running as quickly as possible after the incident can help minimize these financial losses.

The Cyber Security Handbook for Financial Services Firms

Learn what our experts say about cyber security in the finance industry, including top tips to protect your practice.

Download the eBook

2. Business disruption and lost productivity

A cyber attack can interrupt operations in any business, but this can have long-lasting and far-reaching consequences for financial institutions. Once criminals have found a way into an IT environment, they can restrict access to business-critical infrastructure. This could include:

• Access to important databases and files
• Technology that increases customer contact, such as card readers and ATMs
• Network routers within an institution

• Secure financial transfer software, such as SWIFT networks
• The software staff rely on for business-as-usual operations

In fact, the Nasdaq Stock Exchange’s 2020 annual report warned of the risk and impact a potential attack could have on normal operations. Earlier that year, a distributed denial of service (DDoS) attack brought the New Zealand Stock Exchange to a standstill for three days, halting all trading for the duration.

More recently, German authorities stopped an in-progress cyber attack on over 800 co-operative banks. Nation-state hackers staged a DDoS attack on a third-party IT services provider used by these banks. The attack shut down various bank website operations or slowed them dramatically. Attacks on third-party software providers like these may lead to significant damage to an entire financial system, which is why firms must take the time to assess cyber risks throughout their IT supply chain.

The disruptions caused by a cyber attack don’t just impact your business, after all. Your customers rely on you for a variety of financial needs, and interruptions to the services they use could affect future business opportunities and success.

3. Regulatory enforcement and legal consequences

Cyber security regulations are maturing around the globe, and the financial sector is no exception.

These regulations outline various requirements that firms must adhere to. By and large, each one is focused on ensuring that organizations that interact with confidential data or personally identifiable information (PII)—such as banking credentials—take steps to keep it secure.

Some of these regulations include:

• The Sarbanes-Oxley (SOX) Act in the United States, which introduced controls designed to protect investors from fraudulent financial reporting and accounting. The SOX Act has implications for cyber security programs and information security at financial institutions.
• The Payment Card Industry Data Security Standards (PCI DSS), a widely used and accepted set of standards that govern how companies handle credit card information.
• The Gramm-Leach-Biley (GLB) Act, which outlines steps financial institutions must take to protect customer information and develop and maintain an information security plan. As these institutions accelerate their digital transformation, the GLB Act also discusses cyber defences.
• The Personal Information Protection and Electronic Documents Act (PIPEDA) establishes requirements for how companies in Canada collect, use, manage, or disclose personal information. Under PIPEDA, organizations must obtain consent to collect and use this data, and provide clear communication about what that data is and how it is being used.
• The General Data Protection Regulation (GDPR), a European Union regulation that establishes rules and protections for how personal data is collected, stored, and used by organizations operating within the EU. It also includes specific breach notification requirements that these organizations must follow if any of this data is compromised.
• The California Consumer Privacy Act (CCPA), a State of California law with similarities to both the GDPR and PIPEDA. The CCPA allows California residents to request additional information about what personal data is being collected from them, its use, access to said data, and the right to deny the sale of this personal data.

Non-compliant organizations may find themselves facing regulatory activity, including fines, lawsuits, and even loss of market access.

4. Reputation damage

The common thread uniting each of these risks is what they all mean for your business’ reputation.

Business disruptions, financial loss (particularly if it impacts your clients), regulatory enforcement, and lawsuits can all tarnish an otherwise stellar reputation. Reputation damage makes it harder to attract new business and retain your existing clients. You may also have difficulty finding other organizations to work with./p>

In fact, in a recent survey, 87% of respondents said they would take their business elsewhere if they felt a business wasn’t taking adequate steps to protect their data.

But it’s not just customers and potential partners assessing your dedication to security. Credit rating agencies are looking at cyber incident impacts and responses in the financial sector and assessing them as part of an overall risk management and governance framework. How a bank responds to a breach or attack, for example, could severely impact its rating and affect its ability to earn new opportunities.

Cyber security tips for the finance industry

The good news is that improving the security at your firm doesn’t have to be all that challenging. By following a few easy-to-implement best practices and taking a more proactive approach to cyber security, you can establish resilient cyber defences and eliminate risks before they can damage your business.

Download The Cyber Security Handbook for Financial Services Firms to learn what our experts say about cyber security in the finance industry, including:

• Who’s targeting you, how they’ll attack, and what they want
• Four big consequences of experiencing a security incident
• Best practices proven to strengthen your company's defence