Fed chief: Cyberattacks are the greatest risk to the financial sector
The U.S. financial collapse of 2008 generated losses of more than $2 trillion in global economic growth. When asked recently what could catalyze a meltdown of similar magnitude today, Federal Reserve Chairman Jerome Powell pointed to cybersecurity attacks against the financial sector.
“The world evolves. And the risks change as well. And I would say that the risk that we keep our eyes on the most now is cyber-risk,” Powell said on a CBS News 60 Minutes segment earlier this month. “…There are scenarios in which a large financial institution would lose the ability to track the payments that it’s making and things like that … where you would have a part of the financial system come to a halt, or perhaps even a broad part. And so we spend so much time and energy and money guarding against these things.”
In other words, cybersecurity attacks against the financial sector now represent the greatest risk to the industry as well as to the overall economy. Given the right circumstances, attacks on financial institutions could ultimately impact the stability of the economy and erode confidence in the U.S. financial system.
Concern over cybersecurity risks for financial institutions comes with good reason: Attacks on financial institutions are soaring. One report says that cybersecurity incidents more than tripled in 2020. The financial sector is also one of the most targeted industries, for a very logical reason: Monetary gain is often what motivates cybercriminals, and banks are where the money is.
What makes the risk of cyberattack so dangerous is that the financial industry relies on an interconnected digital infrastructure that links an array of public and private businesses, government agencies, and individuals. This interconnectivity creates an extended network in which one event can cascade across the enterprise. A low-level data breach, for instance, could spread across a financial institution’s extended networks and move to those of third-party vendors. Similarly, skilled threat actors can infiltrate one system and move laterally across the network to compromise additional applications and networks.
Top cybersecurity concerns to watch for
As cybersecurity incidents increase in frequency and impact, one threat that financial services verticals should be most concerned about is malware attacks that could disrupt operations. Malware is a particular worry because it’s often used to deliver a payload that can trigger a ransomware attack. More recently, we’ve seen an uptick in spoofing of web applications to trick users into clicking through to a malware-bearing website.
Another top worry is the rise in data manipulation. In the past, threat actors focused primarily on copying and stealing data. Today, more seek to infiltrate an organization’s environment to change data in ways that break processes. For example, skilled cybercriminals have found ways to manipulate time stamps in financial systems that enable them to alter critical information that financial institutions rely upon. Making matters worse, cybercriminals have found inventive new ways to evade detection.
At the same time, the expanding interconnectivity of third-party vendors and supply chains has ratcheted up the threat level. As the SolarWinds hack has proved, these attacks are increasingly sophisticated – and can quickly spread up and down the supply chain. Trusted partners typically have access to certain applications and sensitive data, so it’s important for businesses to assess and monitor the cybersecurity capabilities of their vendors and service providers.
Social engineering remains an effective attack vector, primarily because it works. Bad actors simply impersonate trusted business contacts and individuals to steal user credentials for access to networks and data. To combat this rise in social engineering schemes like phishing, many organizations must have adequate, mature, and ongoing cybersecurity awareness and training programs.
You should be worried, too
Combined, these factors can create a scenario in which cyberattacks against large financial services firms can damage the institution – and potentially destabilize the overall economy. After all, if banks cannot execute payments and transfers and precisely track the flow of money, the interconnected financial system could break down altogether, leading to liquidity runs and solvency issues. And that could also shake consumer confidence and, with it, consumer spending, a key driver of economic growth.
If the Federal Reserve chairman is worried about cyber-risks, you should be, too. Cybersecurity is the responsibility of everyone participating in the economy. Regardless of industry, businesses should proactively build a cybersecurity program that prioritizes cybersecurity as a top business risk, rather than simply a technology issue.