Fed chief: Cyberattacks are the greatest risk to the financial sector
The U.S. financial collapse of 2008 generated losses of more than $2 trillion in global economic growth. When asked recently what could catalyze a meltdown of similar magnitude today, Federal Reserve Chairman Jerome Powell pointed to cybersecurity attacks against the financial sector.
“The world evolves. And the risks change as well. And I would say that the risk that we keep our eyes on the most now is cyber-risk,” Powell said on a CBS News 60 Minutes segment earlier this month. “…There are scenarios in which a large financial institution would lose the ability to track the payments that it’s making and things like that … where you would have a part of the financial system come to a halt, or perhaps even a broad part. And so we spend so much time and energy and money guarding against these things.”
In other words, cybersecurity attacks against the financial sector now represent the greatest risk to the industry as well as to the overall economy. Given the right circumstances, attacks on financial institutions could ultimately impact the stability of the economy and erode confidence in the U.S. financial system.
Concern over cybersecurity risks for financial institutions comes with good reason: Attacks on financial institutions are soaring. One report says that cybersecurity incidents more than tripled in 2020. The financial sector is also one of the most targeted industries, for a very logical reason: Monetary gain is often what motivates cybercriminals, and banks are where the money is.
What makes the risk of cyberattack so dangerous is that the financial industry relies on an interconnected digital infrastructure that links an array of public and private businesses, government agencies, and individuals. This interconnectivity creates an extended network in which one event can cascade across the enterprise. A low-level data breach, for instance, could spread across a financial institution’s extended networks and move to those of third-party vendors. Similarly, skilled threat actors can infiltrate one system and move laterally across the network to compromise additional applications and networks.
Top cybersecurity concerns to watch for
As cybersecurity incidents increase in frequency and impact, one threat that financial services verticals should be most concerned about is malware attacks that could disrupt operations. Malware is a particular worry because it’s often used to deliver a payload that can trigger a ransomware attack. More recently, we’ve seen an uptick in spoofing of web applications to trick users into clicking through to a malware-bearing website.
Another top worry is the rise in data manipulation. In the past, threat actors focused primarily on copying and stealing data. Today, more seek to infiltrate an organization’s environment to change data in ways that break processes. For example, skilled cybercriminals have found ways to manipulate time stamps in financial systems that enable them to alter critical information that financial institutions rely upon. Making matters worse, cybercriminals have found inventive new ways to evade detection.
At the same time, the expanding interconnectivity of third-party vendors and supply chains has ratcheted up the threat level. As the SolarWinds hack has proved, these attacks are increasingly sophisticated – and can quickly spread up and down the supply chain. Trusted partners typically have access to certain applications and sensitive data, so it’s important for businesses to assess and monitor the cybersecurity capabilities of their vendors and service providers.
Social engineering remains an effective attack vector, primarily because it works. Bad actors simply impersonate trusted business contacts and individuals to steal user credentials for access to networks and data. To combat social engineering schemes like phishing, many organizations must have adequate, mature, and ongoing cybersecurity awareness and training programs.
You should be worried, too
Combined, these factors can create a scenario in which cyberattacks against large financial services firms can damage the institution – and potentially destabilize the overall economy. After all, if banks cannot execute payments and transfers and precisely track the flow of money, the interconnected financial system could break down altogether, leading to liquidity runs and solvency issues. And that could also shake the confidence behind consumer spending, a key driver of economic growth.
If the Federal Reserve chairman is worried about cyber-risks, you should be, too. Cybersecurity is the responsibility of everyone participating in the economy. Regardless of industry, businesses should proactively build a cybersecurity program that prioritizes cybersecurity as a top business risk, rather than simply a technology issue.
Bhavesh Vadhani, Principal, National Director, Cybersecurity, Technology Risk, and Privacy
Jeremy Swan, Managing Principal, Financial Sponsors & Financial Services