Cyber threat actors are 300 times more likely to target financial services firms than businesses in any other industry, and it’s no wonder why.
This sector — which includes accounting, investment, insurance, and consulting firms — works almost exclusively with funds, personal credentials, and other sensitive data. All of this has tremendous value to an attacker, who can redirect payments, sell confidential client or company data, or hold essential files for ransom.
And this isn’t a risk reserved for massive institutions only. No matter how many clients you have, they count on you to implement a strong defence that keeps their private data secure. Otherwise, you could lose their trust and business.
The key to building that strong defence? Understanding the offence.
Keep reading to discover the biggest financial services cyber threats and why securing your firm should be a top priority.
Top cyber security threats to financial services firms
1. Business email compromise
Business email compromise (BEC) is a low-cost cyber crime tactic that soared during COVID-19 due to the rise in remote work, putting all companies at risk. This technique is used to redirect payments to an attacker’s bank account, which makes it a major threat for financial firms that manage funds or handle transactions.
Here’s how it works.
Like many other cyber attacks, BEC often starts with phishing — a malicious email that tricks the recipient into clicking a hyperlink leading to a fake website. Once there, the victim is prompted to enter their email username and password, unknowingly exposing their own credentials.
With access to the compromised account — often one that belongs to an executive or financial officer — the attacker reads the mailbox to gather intel about the firm, its clients, and its payment processes. Posing as the victim, they then ask staff or clients to initiate a wire transfer, or to redirect a pending one, to a bank account the attacker controls.
The email could look something like this (sample BEC email image not reproduced here; source: US Chamber of Commerce).
Virtu Financial is a recent victim of this type of attack. The global financial services provider, with offices in countries including the US, UK, and Canada, lost nearly $7 million to BEC. Cyber criminals gained access to an executive’s email account and, posing as that executive, requested two wire transfers. Not only did the attackers get away with millions, but the company’s insurance carrier also refused to cover most of the losses.
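As an added illustration of the indicators a mail filter or SOC analyst looks for in the chain just described (example code written for this page, not Field Effect’s or any product’s code), the Python below scores a raw email message for an executive display name on an external address, a lookalike sender domain, a Reply-To pointing somewhere other than the From domain, a failed SPF/DMARC result on mail claiming the firm’s own domain, and payment or urgency language in the body. The firm domain examplefirm.com, the executive names, and the four sample messages are constructed assumptions.

```python
"""Toy BEC triage for inbound mail. Added example, not Field Effect's code.
The firm domain, executive names and sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "examplefirm.com"          # assumed: the firm's real mail domain
EXECUTIVES = {"Jane Doe", "John Roe"}   # assumed: names an attacker would impersonate
PAYMENT_WORDS = re.compile(
    r"\b(wire|transfer|urgent|invoice|bank details|account number|asap)\b", re.I)


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; fine for strings as short as domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, reference: str) -> bool:
    """Cheap typosquat/homoglyph check: one edit away from the real domain, or equal
    after the classic substitutions rn->m, 0->o, 1->l. Real tooling uses fuller lists."""
    if not domain or domain == reference:
        return False
    norm = lambda d: d.replace("rn", "m").replace("0", "o").replace("1", "l")
    return norm(domain) == norm(reference) or _edit_distance(domain, reference) <= 1


def _domain(header_value: str) -> str:
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> dict:
    """Return a verdict plus every individual indicator that fired."""
    msg = message_from_string(raw)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg.get("Reply-To", "")) or from_domain
    auth = msg.get("Authentication-Results", "").lower()
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")

    findings = []
    if display_name in EXECUTIVES and from_domain != OUR_DOMAIN:
        findings.append("executive display name on an external address")
    if is_lookalike(from_domain, OUR_DOMAIN):
        findings.append(f"lookalike sender domain {from_domain}")
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain")
    if from_domain == OUR_DOMAIN and ("dmarc=fail" in auth or "spf=fail" in auth):
        findings.append("claims our domain but fails SPF/DMARC (spoofed)")
    hits = sorted({w.lower() for w in PAYMENT_WORDS.findall(body)})
    if hits:
        findings.append("payment/urgency language: " + ", ".join(hits))

    verdict = "suspect" if len(findings) >= 2 else ("review" if findings else "clean")
    return {"verdict": verdict, "findings": findings}


# Constructed samples, not captured traffic.
SAMPLE_LOOKALIKE = """\
From: "Jane Doe" <jane.doe@exarnplefirm.com>
To: accounts@examplefirm.com
Subject: Urgent payment

I am in a meeting, please process an urgent wire transfer to the new
supplier account ASAP. I will send the bank details shortly.
"""

SAMPLE_SPOOFED = """\
From: "John Roe" <john.roe@examplefirm.com>
Authentication-Results: mx.examplefirm.com; spf=fail dmarc=fail
To: accounts@examplefirm.com
Subject: Invoice

Please pay the attached invoice today.
"""

SAMPLE_COMPROMISED = """\
From: "Jane Doe" <jane.doe@examplefirm.com>
Reply-To: jane.doe.ceo@gmail.com
Authentication-Results: mx.examplefirm.com; spf=pass dkim=pass dmarc=pass
To: accounts@examplefirm.com
Subject: Invoice

Can you transfer the invoice amount to the account number below today?
"""

SAMPLE_CLEAN = """\
From: "Bob Vendor" <bob@vendor.example>
To: accounts@examplefirm.com
Subject: Agenda

Attached is the agenda for Thursday's meeting.
"""

if __name__ == "__main__":
    for label, raw in [("lookalike", SAMPLE_LOOKALIKE), ("spoofed", SAMPLE_SPOOFED),
                       ("compromised", SAMPLE_COMPROMISED), ("clean", SAMPLE_CLEAN)]:
        print(label, score_message(raw))
```

Note the limit the Virtu case exposes: when the attacker is inside the real executive mailbox, the header checks all pass, and what remains is the content signal plus an out-of-band call to a known phone number before any change to banking details is honoured. Inbox forwarding rules created on that mailbox around the same time are another sign worth alerting on.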
2. Ransomware
Ransomware is a type of malware that restricts access to files or systems until the victim pays a ransom to the attacker. According to the National Credit Union Administration, ransomware remains a growing cyber threat to smaller financial institutions, including credit unions.
These attacks may begin with a phishing email or with the exploitation of a vulnerability, such as an unpatched operating system or internet-facing service, to gain access. In the past, the victim would then receive a note demanding payment in exchange for the decryption key. Threat actors today commonly go a step further: before encrypting, they copy sensitive files and threaten to publish them unless paid, so that restoring from backups alone no longer ends the extortion.
Naz Sukhram Financial Services, a small Canadian accounting firm offering tax and bookkeeping services, is a recent ransomware victim. Hackers encrypted the company’s server, compromising private documents including personal and customer data. The firm paused business operations after the mid-May attack while it tried to recover the server’s data.
3. Nation-state attacks and organized cyber crime groups
Attacks launched directly by foreign governments, and state-sponsored attacks carried out through affiliated cyber criminal groups, are two major risks to the financial sector. These threat actors use many of the same tactics — BEC, ransomware, and phishing — as less sophisticated hackers, but with more technical capability, funding, and structure.
According to the Financial Services Information Sharing and Analysis Center (FS-ISAC), nation-states and organized cyber crime groups are starting to work together, sharing tools, resources, and funding, which has led to an increase in attacks. FS-ISAC warns that the financial services industry and its suppliers are prime targets for nation-states.
Why it’s important for financial services firms to know the top cyber security threats
Financial firms remain a top target
The finance industry has always been a target, but recent changes to the office environment put firms at greater risk.
The hybrid workplace — one that includes both in-office and at-home workers — may stay the norm for this sector. This business model allowed operations to continue last year despite strict COVID-19 health measures. It also introduced a wide range of new cyber risks and threats.
Firms had to quickly adopt and configure technologies to support remote access, communication, and collaboration. Each new connection or tool extends the threat surface and potentially introduces new security gaps.
A data breach can be devastating
The bulk of data breaches cost between $826 and $653,587. Breaches in the financial industry are the second most expensive of any sector, behind only the highly regulated healthcare sector.
Consider the 2017 Equifax attack, a fixture of “worst data breaches of all time” lists. Threat actors exploited an unpatched Apache Struts vulnerability in the company’s consumer dispute web portal and used that foothold to reach internal Equifax servers. The intruders went unnoticed for months and exposed the personal data of roughly 147 million people. In 2019, the credit reporting agency agreed to a settlement of up to $700 million for those affected by the cyber attack.
The cost of a data breach extends far beyond the payout to affected customers. It includes the price of the investigation, losses from operational downtime, regulatory fees and penalties, fees to replace hardware, lasting reputation damage, and much more.
Cyber security expectations are rising
Trust is everything to your clients. Very few, if any, will hand over confidential data or money to just any firm.
Prospects may evaluate your cyber security posture before choosing your team. You should be prepared to prove that you have the right security measures in place to protect private data, backed by a proactive incident response plan. Gaps in your defence could cause you to miss out on a huge opportunity.
But it’s not just clients placing more importance on cyber security these days. A growing number of governments are enacting data privacy and security laws, with compliance requirements for data breach notification, information collection, and more. A few major regulations include:
- The General Data Protection Regulation (GDPR)
- The Personal Information Protection and Electronic Documents Act (PIPEDA)
- The New York Department of Financial Services (NYDFS) Cybersecurity Regulation
There are also several industry-specific regulations and standards. The Payment Card Industry Data Security Standard (PCI DSS), for example, sets security requirements for any business that stores, processes, or transmits payment card data.
Failure to comply with any of these regulations poses a serious risk, potentially resulting in lost clients, six-figure fines, or prosecution.
Protect what matters most
Cyber insurance is not enough, as the Virtu case shows, and traditional cyber security measures alone won’t protect hybrid workplaces or ensure compliance.
It’s important to understand the types of threats targeting your industry, and then get the visibility you need to monitor and detect them. With a view of the entire IT environment — networks, cloud services, devices, remote users — you can better protect your teams, clients, and data. But this can be hard and often requires specialized skills to make sense of data and prioritize threats.
With Field Effect’s Covalence, you get a complete cyber security solution. Purpose-built for small and mid-size businesses, Covalence allows you to identify threats across your full infrastructure, plus gain a team of experts offering 24/7 support.