Fed chief: Cyberattacks are the greatest risk to the financial sector
The U.S. financial collapse of 2008 generated losses of more than $2 trillion in global economic growth. When asked recently what could catalyze a meltdown of similar magnitude today, Federal Reserve Chairman Jerome Powell pointed to cybersecurity attacks against the financial sector.
“The world evolves. And the risks change as well. And I would say that the risk that we keep our eyes on the most now is cyber-risk,” Powell said on a CBS News 60 Minutes segment earlier this month. “…There are scenarios in which a large financial institution would lose the ability to track the payments that it’s making and things like that … where you would have a part of the financial system come to a halt, or perhaps even a broad part. And so we spend so much time and energy and money guarding against these things.”
In other words, cybersecurity attacks against the financial sector now represent the greatest risk to the industry as well as to the overall economy. Given the right circumstances, attacks on financial institutions could ultimately impact the stability of the economy and erode confidence in the U.S. financial system.
Concern over cybersecurity risks for financial institutions comes with good reason: Attacks on financial institutions are soaring. One report says that cybersecurity incidents more than tripled in 2020. The financial sector is also one of the most targeted industries, for a very logical reason: Monetary gain is often what motivates cybercriminals, and banks are where the money is.
What makes the risk of cyberattack so dangerous is that the financial industry relies on an interconnected digital infrastructure that links an array of public and private businesses, government agencies, and individuals. This interconnectivity creates an extended network in which one event can cascade across the enterprise. A low-level data breach, for instance, could spread across a financial institution’s extended networks and move to those of third-party vendors. Similarly, skilled threat actors can infiltrate one system and move laterally across the network to compromise additional applications and networks.
Top cybersecurity concerns to watch for
As cybersecurity incidents increase in frequency and impact, one threat that financial services verticals should be most concerned about is malware attacks that could disrupt operations. Malware is a particular worry because it’s often used to deliver a payload that can trigger a ransomware attack. More recently, we’ve seen an uptick in spoofing of web applications to trick users into clicking through to a malware-bearing website.
Another top worry is the rise in data manipulation. In the past, threat actors focused primarily on copying and stealing data. Today, more seek to infiltrate an organization’s environment to change data in ways that break processes. For example, skilled cybercriminals have found ways to manipulate time stamps in financial systems, enabling them to alter critical information that financial institutions rely upon. Making matters worse, cybercriminals have found inventive new ways to evade detection.
At the same time, the expanding interconnectivity of third-party vendors and supply chains has ratcheted up the threat level. As the SolarWinds hack has proved, these attacks are increasingly sophisticated – and can quickly spread up and down the supply chain. Trusted partners typically have access to certain applications and sensitive data, so it’s important for businesses to assess and monitor the cybersecurity capabilities of their vendors and service providers.
Social engineering remains an effective attack vector, primarily because it works. Bad actors simply impersonate trusted business contacts and individuals to steal user credentials for access to networks and data. To combat the rise in social engineering schemes like phishing, organizations must have adequate, mature, and ongoing cybersecurity awareness and training programs.
You should be worried, too
Combined, these factors can create a scenario in which cyberattacks against large financial services firms can damage the institution – and potentially destabilize the overall economy. After all, if banks cannot execute payments and transfers and precisely track the flow of money, the interconnected financial system could break down altogether, leading to liquidity runs and solvency issues. And that could also shake consumer confidence and spending, a key driver of economic growth.
If the Federal Reserve chairman is worried about cyber-risks, you should be, too. Cybersecurity is the responsibility of everyone participating in the economy. Regardless of industry, businesses should proactively build a cybersecurity program that treats cybersecurity as a top business risk, rather than simply a technology issue.