Research Outline

Cybersecurity in the Banking Sector

Goals

To understand 1) what kind of specific data banks are trying to protect, 2) why cybersecurity is important for enterprises in the banking sector, 3) what the unique cybersecurity vulnerabilities are of banks, 4) what the compliance standards are that are currently required/practiced in the banking industry and whether banks meet these standards today, 5) whether there are any notable cybersecurity/cloud-cybersecurity computing trends in the banking industry, and 6) to have a list of one sentence examples for breaches in the banking industry as well as what the impact of a typical breach is.

Early Findings

  • Banks are among the biggest profit-makers in the world and can afford the best in cybersecurity among private sector firms, but security vendor ImmuniWeb says too many of the websites and mobile apps of the world’s biggest financial institutions have vulnerabilities. Overall the results led ImmuniWeb to conclude 97 per cent of the largest banks are vulnerable to web or mobile attacks.
  • 92 per cent of 55 mobile banking applications tested contained at least one medium-risk security vulnerability, while 20 per cent contained at least one high-risk security vulnerability.
  • Too many banks are devoid of a culture in which the institution as a whole "takes responsibility for reducing information security risk, encouraging collaboration, and building systemic resilience." Often information security is the complete responsibility of the CISO, and there is insufficient leadership, awareness, and expertise at the board level. Banks most often fail to provide their staffs role models, training, tools, or incentives. Employee negligence and malicious acts account for two-thirds of cyber breaches, while less than 20% are directly driven by an external threat, according to a 2017 analysis by advisory firm Willis Towers Watson.
  • In 2018 police arrested a number of well-known cybercrime group members responsible for Carbanak/Cobalt and Fin7, among others. These groups have been involved in attacks on dozens, if not hundreds of companies and financial institutions around the world. Unfortunately, the arrest of group members including the leader of Carbanak, did not lead to a complete halt in activities, in fact, it seemingly started the process of splitting the groups into smaller cells.
  • "To keep track of the evolution of the threat landscape involving financial institutions, Carnegie’s Cyber Policy Initiative developed this timeline of cyber incidents targeting financial institutions in association with the Cyber Threat Intelligence unit of BAE Systems. The timeline dates back to 2007 and is updated regularly based on data BAE Systems provides to Carnegie. The timeline has not been designed to cover every single incident but rather to provide insight into key trends and how the threat landscape is evolving over time."
  • Banks and financial services organizations were the targets of 25.7 percent of all malware attacks last year, more than any other industry, IntSigths revealed in their latest report. These include: Trojans (banking, info-stealing, downloaders), ATM malware, ransomware, and mobile banking malware.
  • A relatively new and rarely used attack vector has been flagged in February 2019, when UK-based Metro Bank became the first publicly reported victim of SMS verification code interception. Cybercriminals exploited flaws in the SS7 telecommunication protocol to intercept messages that authorize payments from accounts and emptied a few customers’ bank accounts.
  • A single cybercriminal group siphoned $1.2 billion from over 100 financial institutions in 100 countries before its leader was arrested in 2018.
  • Financially motivated attackers traditionally targeted bank customers, but some, like the Lurk cybercriminal group, moved their attention to large business organizations’ employees. "These attacks commonly went after workers within financial departments, targeting accountants and bank employees. Cybercriminals figured out that they can steal money not only by compromising banking accounts, but by also targeting the bank’s infrastructure itself or tampering with payment documents and systems."

Summation Of The Availability Of Information Relevant To The Goals

  • In our first hour of research we were able to gather some insights relevant to a few of your goals, but we did not have time to cover everything. What we did discover is that there is a lot of data surrounding all the questions that is publicly available and is written by credible sources like Deloitte, Accenture, and PwC.
  • Please select one or more of the options provided in the proposed scoping section below.