What banks are — and aren't — doing to repel cyberattacks

Many banks plan to spend big to protect their data and computer systems in the coming year, potentially leaving behind others that are responding less aggressively to cyberattacks.

That was one of the findings of a new survey conducted by Arizent — the publisher of American Banker and several other financial services publications — of financial industry executives involved in or aware of their organization’s cybersecurity policies and practices. It also highlighted the widening use of two-factor authentication, the broad range of methods that some banks use to test their security and the many modes of attack cyberthieves and fraudsters have at their disposal.

A full report on the results, Enabling Innovation: Cybersecurity's Next Act, is available to subscribers.

Of the 192 respondents to the survey, about 100 worked in banking. Arizent collected feedback between late November and late December. Summarized here are four key findings from the report and its conclusion, as well as commentary from outside experts.

Banks are opening their wallets

Four out of five bankers said they expect overall spending on cybersecurity to increase over the next 12 months compared with the previous 12 months. About three in five expect to invest at least 10% more, and a third of that group anticipates an increase of at least 25%.

The heavier spending “reflects increased prioritization” among banks, said Teresa Walsh, global head of intelligence for the Financial Services Information Sharing and Analysis Center. Digital security is “no longer simply a back-office cost — it has become a critical business risk,” she said.

“Rapid digitization of financial services was already underway but accelerated with the pandemic and remote working,” Walsh said. “More digitization expands the attack surface of the industry, including through extensive use of third-party providers of software and infrastructure.”

“Institutions that are not heavily investing now because they believe they have a best-in-class cybersecurity enterprise will find themselves as ‘average’ or even ‘laggards’ in a short matter of time,” the Arizent report said.

The only way for an organization to reduce losses stemming from cyber crimes is to shore up its defenses, according to Keith Zielenski, managing director at the consulting firm Protiviti.

“This capability may come through greater intellectual knowledge, technology solutions, reducing an organization's attack surface, etc.,” Zielenski said. “The downside is these capabilities cost money.”

Multifactor authentication is the go-to defense

Arizent asked financial institutions which strategies they are employing to protect their customers, and it allowed respondents to select multiple options.

Sixty-seven percent of respondents in the banking sector said they require two-factor authentication compared with 39% who said they require geolocation and 43% who limit functionality on mobile banking.

While multifactor authentication is not impregnable, it can provide an extra layer of support if properly implemented. “We recommend all firms implement MFA as part of a robust cyber-hygiene program,” Walsh said.

Though multifactor authentication can annoy users, it is also “imperative under the current environment to have this line of defense,” said Raj Dasgupta, director of fraud strategy at the digital identity company BioCatch.

Cybercriminals facilitate most breaches “by way of weak or stolen passwords,” which makes multifactor authentication an important security measure, Zielenski said. “Therefore, this should not be a question of [return on investment] but rather ‘doing the right thing’ to increase client/consumer confidence in the banking entity,” he said.

Only about half of banks vet the strength of their security each year

On the subject of steps that organizations are taking to vet their vulnerabilities, 53% of banks said they review their cybersecurity practices and policies on an annual basis. The annual review practice could be getting supplanted by even more regular reviews.

“At the rate that cyber-criminal tools, techniques and procedures evolve today, many firms no longer believe that annual cybersecurity policy reviews are sufficient to maintain a robust cybersecurity posture,” Walsh said. “Some firms are implementing continuous controls monitoring, which can give real-time feedback on the firm’s security posture and controls.”

According to Dasgupta, annual reviews are far from sufficient.

“Companies should have cybersecurity task forces that meet regularly, as often as daily to review their vulnerabilities and the need to change policies and tools,” Dasgupta said. “At a minimum, these groups should be meeting weekly.”

Zielenski said a review should also follow any “major cyber event,” however an organization defines the term, and involve cybersecurity and business leaders from the firm.

“It should include a full review of cyber incidents and the related lessons learned from those incidents,” Zielenski said. “Additionally, the review and updates of cyber policies must be followed by an effective communication plan to drive compliance and/or required trainings.”

Cyber crooks have many effective means of attack

The 74 survey respondents who said their company had suffered a data breach in the past five years reported a variety of factors that contributed to the breach, leaving no single factor as the major threat against which to defend.

According to Walsh, cybersecurity risks are on the rise broadly as the shift toward digital banking creates new opportunities for hacks. She pointed to zero-day vulnerabilities — security holes that go unnoticed or unaddressed by software vendors — as driving many of the major incidents from the past year. Still, other threats remain, she said.

“Our member firms have reported high levels of social engineering such as phishing and business-email compromise, the persistence of some of the most notorious strains of malware that are used to drop ransomware, and widespread distributed denial-of-service attacks, resulting in the lack of availability of third-party services,” Walsh said.

Zielenski cited supply chains, emails, insider threats or users, remote-access portals and web applications as “attack vectors that deserve special attention for banks.”

Cybersecurity should be viewed as an opportunity, not an obstacle

Changes to consumer expectations, new workplace realities and increased demand for third-party access to data constitute challenges that “provide an opportunity, perhaps even an urgency, to reimagine the role of cybersecurity as an enabler of industry and organizational transformation,” the report concluded.

“Cybersecurity is no longer about fortifying the perimeter but enabling secure access to data, systems, tools for employees, partners, customers to build resilient, agile financial services organizations that can serve consumers and other stakeholders how and where they want to be reached,” the report said.

Yet to make the most of cybersecurity, banks are going to have to pour more money into it, according to Zielenski. Cyber risks, he said, “are on the rise as organizations expand their digital presence.”

Dasgupta agreed. “The need for secure online experiences has never been higher than today, hence the spending on cybersecurity,” he said.