While many people think of defense, energy, and communications when they think of critical infrastructure, financial services is another crucial sector underpinning the nation’s health. A disruption in financial services could have devastating consequences for individual consumers and small businesses, as well as for the entire economy. Even if an attack is not widespread throughout the industry, a cyber attack against one or more financial institutions can prevent customers from accessing their accounts or their funds, causing reputational damage and undermining confidence in the system as a whole. Protecting this critical infrastructure is a shared responsibility, not only for the financial services industry but for each and every one of us. It must be prioritized during National Critical Infrastructure Security and Resilience Month, and every day of the year.
Financial institutions collect and hold large amounts of personal information about consumers and small-business owners, so it should be no surprise that the industry is a frequent target of cyber attacks. Whether their motive is to disrupt the financial sector or the U.S. economy, or simply to steal data, attackers will exploit any weakness. Sometimes they attack an institution directly, through a system that has not been properly patched or through an employee who opens a malicious attachment or downloads malware. If they obtain the credentials of a bank employee, they can log in as that employee and wreak havoc on the bank’s systems, which is why strong multi-factor authentication on employee accounts matters as much as patching.
Hackers also attack institutions indirectly. Consumers regularly receive phishing emails dressed up to look like messages from their financial institution, asking them to change or confirm their account ID or password; the credentials typed into the fake page go straight to the attacker. Businesses and corporations fall victim to the same schemes in what is called corporate account takeover (CATO), in which stolen online-banking credentials are used to move funds out of a business account. Finally, third-party vendors are often connected to a bank’s systems, so if a vendor fails to maintain controls as strong as the institution’s own, the bank inherits that weakness: an attacker who compromises the vendor can use its connection to reach the bank.
As a former banking regulator, I can attest that financial institutions are well aware that they are at risk of a cyber attack. Being a highly regulated industry, the financial sector has put safeguards in place to prevent cyber attacks, perhaps more so than most other industries. However, the risks are not static, and the financial industry will remain a target for cyber criminals. In addition, the financial sector is highly interconnected, meaning a successful attack on one bank or bank vendor could disrupt other institutions in the industry.
So what can you do?
If you are a financial institution…
While the financial services industry is one of the most highly regulated and best prepared, every institution needs to maintain constant vigilance. Defending against a cyber attack is not simply a check-the-box compliance exercise. If you have not already done so, move beyond compliance to an enterprise risk approach to security. The tone is set at the top, by the board and C-suite, and filters down throughout the organization. Institutions need to understand their own cyber risks and those of their third-party vendors, including which vendors have access to the bank’s network and what that access can reach. Training both employees and customers to recognize phishing and account-takeover attempts is also key.
If you are a bank customer…
As a bank customer, whether a consumer or a small-business owner, you can help prevent a breach at your financial institution. When thieves take over your account, they can not only steal your money and your data but also use what they learn to attempt access to other accounts and to the bank itself. Remember that your bank will never ask you to change or verify your account information through an email. Never click a link in an email that appears to come from your bank (or any other financial institution) claiming your account has been compromised, and never enter credentials on a page you reached from such a link. If you are unsure, contact the bank through the phone number printed on your card or statement, or type the bank’s address into your browser yourself. If your account really has been compromised, your bank will tell you through a channel it controls, such as a letter, what steps it has taken and anything you need to do. Also keep the operating systems and software on your phones, tablets, and computers, and all anti-virus software, up to date. Basic cyber hygiene will prevent many attacks against you and, through you, your bank.
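The "never click" advice above can be turned into a concrete check. The following is an added example, not code from this article or from any bank: given the HTML body of a suspicious email, it lists every link a customer should not click, flagging look-alike domains that borrow the bank’s name, links to raw IP addresses or punycode hosts, and links whose visible text shows one domain while the underlying address goes to another. The bank name, its trusted domains (examplebank.com) and the sample email are all constructed for illustration.

```python
"""Flag suspicious links in an email that claims to come from a bank.

Added example, not part of the original article. The bank domain, the bank
name and the sample message below are constructed for illustration only.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical bank: the domains a customer actually uses, and the brand word
# an attacker would embed in a look-alike domain.
TRUSTED_DOMAINS = ("examplebank.com",)
BANK_NAME = "examplebank"

# Constructed phishing message: one look-alike domain, one raw-IP link whose
# visible text pretends to be the bank's site, and one genuine link.
SAMPLE_EMAIL = """
<p>Dear customer, unusual activity was detected on your account.</p>
<p>Please <a href="https://examplebank-secure-login.com/verify">verify your account</a>
within 24 hours, or visit
<a href="http://203.0.113.10/ebank">www.examplebank.com/login</a>.</p>
<p>Questions? <a href="https://www.examplebank.com/contact">Contact us</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Crude registrable-domain guess (last two labels); fine for .com demos."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _is_trusted(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html):
    """Return a list of (href, reason) for every link a customer should not click."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        if parts.scheme not in ("http", "https") or not host:
            findings.append((href, "not a normal web link"))
            continue
        if _is_ip(host):
            findings.append((href, "link goes to a raw IP address"))
        elif any(label.startswith("xn--") for label in host.split(".")):
            findings.append((href, "internationalised (punycode) host name"))
        elif not _is_trusted(host):
            if BANK_NAME in host:
                findings.append((href, "look-alike domain using the bank's name"))
            else:
                findings.append((href, "host is not one of the bank's domains"))
        # Visible text shows one site, the link actually goes somewhere else.
        try:
            shown = urlsplit(text if "://" in text else "https://" + text).hostname
        except ValueError:
            shown = None
        if shown and "." in shown and _registrable(shown) != _registrable(host):
            findings.append((href, f"text shows {shown} but link goes to {host}"))
    return findings


if __name__ == "__main__":
    for link, reason in check_links(SAMPLE_EMAIL):
        print(f"DO NOT CLICK {link}: {reason}")
```

Run against the constructed message, the checker flags the look-alike domain and both problems with the raw-IP link, and passes the genuine examplebank.com link. The registrable-domain guess is deliberately simple; a production tool would use the Public Suffix List so that a host under, say, a .co.uk domain is compared correctly.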
If you are a vendor for a financial institution…
As a vendor providing services to a financial institution, even if you do not connect to the bank’s core systems, you need strong defenses against a cyber attack, because your network access, your credentials, and your software can each become the path into your client. In one of the most well-known data breaches, Target’s network was entered using credentials stolen from its HVAC contractor. In the financial sector, attackers have repeatedly targeted the systems banks use to run SWIFT messaging software, which is ubiquitous across the world’s financial ecosystem; in those cases it was the banks’ own local environments, not the SWIFT network itself, that were compromised. Particularly in this growing era of the internet of things (IoT), vendors need to ensure that their systems and devices cannot be turned into a foothold for attacking a client. And just as banks must perform due diligence on their third-party vendors, you need to perform the same due diligence on the vendors you rely on.
The financial sector plays an important role in our lives and in our economy. You can do your part to help keep this sector of our critical infrastructure safe.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email HSTodayMag@gtscoalition.com. Our editorial guidelines can be found here.