The U.S. financial collapse of 2008 generated losses of more than $2 trillion in global economic growth. When asked recently what could catalyze a meltdown of similar magnitude today, Federal Reserve Chairman Jerome Powell pointed to cybersecurity attacks against the financial sector.  

“The world evolves. And the risks change as well. And I would say that the risk that we keep our eyes on the most now is cyber-risk,” Powell said on a CBS News 60 Minutes segment earlier this month. “…There are scenarios in which a large financial institution would lose the ability to track the payments that it’s making and things like that … where you would have a part of the financial system come to a halt, or perhaps even a broad part. And so we spend so much time and energy and money guarding against these things.”

In other words, cybersecurity attacks against the financial sector now represent the greatest risk to the industry as well as to the overall economy. Given the right circumstances, attacks on financial institutions could ultimately impact the stability of the economy and erode confidence in the U.S. financial system.

Concern over cybersecurity risks for financial institutions comes with good reason: Attacks on financial institutions are soaring. One report says that cybersecurity incidents more than tripled in 2020. And the financial sector is one of the most targeted industries also for a very logical reason: Monetary gain is often what motivates cybercriminals, and banks are where the money is. 

What makes the risk of cyberattack so dangerous is that the financial industry relies on an interconnected digital infrastructure that links an array of public and private businesses, government agencies, and individuals. This interconnectivity creates an extended network in which one event can cascade across the enterprise. A low-level data breach, for instance, could spread across a financial institution’s extended networks and move to those of third-party vendors. Similarly, skilled threat actors can infiltrate one system and move laterally across the network to compromise additional applications and networks. 

Top cybersecurity concerns to watch for

As cybersecurity incidents increase in frequency and impact, one threat that financial services verticals should be most concerned about is malware attacks that could disrupt operations. Malware is a particular worry because it’s often used to deliver a payload that can trigger a ransomware attack. More recently, we’ve seen an uptick in spoofing of web applications to trick users into clicking a malware-bearing website.  

Another top worry is the rise in data manipulation. In the past, threat actors focused primarily on copying and stealing data. Today, more seek to infiltrate an organization’s environment to change data in ways that break processes. For example, skilled cybercriminals have found ways to manipulate time stamps in financial systems that enable them to alter critical information that financial institutions rely upon. Making matters worse, cybercriminals have found inventive new ways to evade detection. 

At the same time, the expanding interconnectivity of third-party vendors and supply chains has ratcheted up the threat level. As the SolarWinds hack has proved, these attacks are increasingly sophisticated – and can quickly spread up and down the supply chain. Trusted partners typically have access to certain applications and sensitive data, so it’s important for businesses to assess and monitor the cybersecurity capabilities of their vendors and service providers. 

Social engineering remains an effective attack vector, primarily because it works. Bad actors simply impersonate trusted business contacts and individuals to steal user credentials for access to networks and data. To combat this rise in social engineering schemes like phishing, many organizations must have adequate and mature, ongoing cybersecurity awareness and training programs. 

You should be worried, too

Combined, these factors can create a scenario in which cyberattacks against large financial services firms can damage the institution – and potentially destabilize the overall economy. After all, if banks cannot execute payments and transfers and precisely track the flow of money, the interconnected financial system could break down altogether, leading to liquidity runs and solvency issues. And that could also shake the confidence of consumer spending, a key driver of economic growth. 

If the Federal Reserve chairman is worried about cyber-risks, you should be, too. Cybersecurity is the responsibility of everyone participating in the economy. Regardless of industry, businesses should proactively build a cybersecurity program that prioritizes cybersecurity as a top business risk, rather than simply a technology issue. 

Contact

Bhavesh Vadhani, Principal, National Director, Cybersecurity, Technology Risk, and Privacy

703.847.4418

Jeremy Swan, Managing Principal, Financial Sponsors & Financial Services

646.625.5716