Here is a question that might intrigue many cybersecurity watchers:
Given that banks suffer the biggest losses on average in cyber breaches, could one of the big players actually fail in the wake of a cyberattack and, in doing so, put a huge dent in the entire US banking system?
The answer is yes. Almost all financial institutions have experienced a cyberattack in one form or another, not to mention the likes of accounting and check fraud, and money laundering—all these crimes are on the rise. Cyberattacks are by far the worst. According to the Federal Reserve Bank of New York, an attack on any of the most active US banks could affect 38 percent of the nation’s banking network. The bank’s report also said that cyberattacks on six small banks could threaten the solvency of any one of the top five US banks.
In a way, the infamous Willie Sutton, the most prodigious bank robber of the 20th century, hit the nail on the head when asked why he robbed so many banks. “Because that’s where the money is,” he simply replied. Since Sutton’s time, banks have become much bigger and more interconnected, enhancing the spillover of cyberattacks on other banks. In addition, US banks are particularly susceptible to state-sponsored cyberattacks from the likes of Russia, China and North Korea, all of whom bring huge resources to the table.
The cost of a cyberattack on banks and other financial service companies averages more than $18 million, according to an Accenture study, not only because of the financial losses but also because these breaches erode customer trust. Predictably, e-commerce has also become a big problem area. Signifyd, a San Jose, CA-based technology company in the business of protecting online retailers from fraud, says its Fraud Pressure Index—a measure of likely fraudulent online transactions—this month is up 180 percent over January 2020.
“There is more and more chaos for all online retailers,” says Stefan Nandzik, a Signifyd senior vice president, “partly because of the COVID-19 pandemic and an accompanying increase in fraudulent online transactions. When a retailer is vulnerable to online fraud, word seeps out,” Nandzik adds, “and then the company becomes a target.”
All this raises the question of just what banks, other financial institutions and online retailers are doing to mitigate digital-based fraud. Sadly, while financial institutions in particular say they are highly concerned about cybercrimes, most don’t seem to know how best to solve the problem, mostly because many of them don’t have an overall information security strategy.
Capital One, for example, had to pay an $80 million civil penalty last year for its role in a 2019 security breach that exposed the personal data of more than 100 million customers. In a scathing report, the Office of the Comptroller of the Currency (OCC), part of the US Treasury, said Capital One was aware that its security practices were woefully inadequate.
Among banking’s biggest vulnerabilities on the cybersecurity front is the industry’s growing reliance on cloud services—these help offset IT expenses, boost system uptime and ensure data is being stored safely. But the attraction of the cloud has been somewhat undermined by gaps in customer data and security. With so much information stored in the cloud, corporate customers have become easy prey for malicious attackers looking to gain access to financial institutions.
In fact, the OCC linked the Capital One data breach to problems with Capital One’s cloud migration plan, dating back to 2015. The agency charged that the bank failed to implement certain network security controls and identify numerous security weaknesses.
Elsewhere, a new and especially dangerous type of bank-targeted cyberattack—spoofing—is accelerating. Hackers impersonate a banking website’s URL with a website that looks and functions exactly the same. When a user enters his or her login information, that information is then stolen by hackers, to be used later to penetrate accounts.
Compounding matters, banks are resistant to change. Most banks classify security into three separate domains—financial crime, fraud and cybersecurity—even though overlap is substantial. Each unit maintains its own independent framework, offering little of the transparency needed to develop a holistic view of financial crime risk and creating security coverage gaps.
Many institutions are now finally working to partially integrate cybersecurity and fraud, and share more security information. Separate reporting is maintained, however, and so transparency is not increased meaningfully. What is still needed is a fully unified model—one that shares all analytics enterprise-wide and has a single view of customers. This approach winds up predicting risk, rather than just reacting to it.
While banks hopefully sort out their security challenges, here are some steps they can take to improve things in the interim:
+ Practice behavioral profiling. This monitors for suspicious patterns of login requests or transactions, based on account history or personal identifiers. Digital footprints can help determine whether a transaction is legitimate or fraudulent.
+ Become equipped to detect evidence of malware on a legitimate user’s login session. Malware forensics detect malware before it can inflict harm.
+ Monitor for risky devices and IP addresses that have attacked other websites. Web security defenses can be porous. This practice accesses crucial intelligence from outside your perimeter.
+ Balance the good with the bad. Ensure you have mechanisms in place to instantly recognize returning customers with no evidence of malware or other digital threats—the huge majority of customers.
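The four steps above can be combined into a single login check. The sketch below is an added illustration, not code from the article or from any bank: the event fields, the `malware_signal` flag, the risk-list contents and the two-signal threshold are all assumptions, and every sample value is constructed.

```python
from dataclasses import dataclass, field

# Constructed external feed of IPs and device IDs seen attacking other sites.
RISKY_SOURCES = {"203.0.113.7", "198.51.100.23", "dev-bad-01"}

@dataclass
class Profile:
    """Per-account login history used for behavioral profiling."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    hours: set = field(default_factory=set)  # hours of day with past logins

    def learn(self, ev):
        self.devices.add(ev["device"])
        self.countries.add(ev["country"])
        self.hours.add(ev["hour"])

    def usual_hour(self, hour, slack=2):
        # Circular distance, so 23:00 and 01:00 count as close.
        return any(min((hour - h) % 24, (h - hour) % 24) <= slack for h in self.hours)

def score_login(profile, ev):
    """Return (decision, reasons) for one login event."""
    hard, soft = [], []
    if ev.get("malware_signal"):  # hypothetical flag from a session integrity check
        hard.append("malware evidence in session")
    if ev["ip"] in RISKY_SOURCES or ev["device"] in RISKY_SOURCES:
        hard.append("source on external risk list")
    if ev["device"] not in profile.devices:
        soft.append("new device")
    if ev["country"] not in profile.countries:
        soft.append("new country")
    if not profile.usual_hour(ev["hour"]):
        soft.append("unusual hour")
    if hard:
        return "block", hard + soft
    if len(soft) >= 2:  # assumed threshold for asking for extra verification
        return "step_up", soft
    return "allow", soft  # fast path: recognised returning customer

def demo():
    profile = Profile()
    for hour in (8, 9, 18):  # constructed account history
        profile.learn({"device": "dev-a1", "country": "US", "hour": hour})
    logins = [  # constructed login events
        {"device": "dev-a1", "country": "US", "hour": 10, "ip": "192.0.2.10"},
        {"device": "dev-z9", "country": "RO", "hour": 3, "ip": "192.0.2.55"},
        {"device": "dev-a1", "country": "US", "hour": 9, "ip": "203.0.113.7"},
        {"device": "dev-a1", "country": "US", "hour": 9, "ip": "192.0.2.10", "malware_signal": True},
    ]
    return [score_login(profile, ev)[0] for ev in logins]
```

Hard signals (malware evidence, a source on the external list) block outright, while profile deviations only trigger step-up verification once two of them coincide, which keeps the common case of a known customer on a known device friction-free.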
Most customers today interact primarily through digital channels, making “digital trust” a significant differentiator of customer experience. Banks and e-commerce companies that offer a seamless, secure and speedy digital interface will attract more business. Those that do not will lose business. These entities must strike the right balance between managing fraud and rapidly handling authorized transactions.