By Mary Grlic
Protecting your financial information is important, especially when a lot of banking, investing, and transactions are done online. We often trust financial institutions when it comes to money – but how do we know our finances are truly safe? Having a secure finance company or department starts with well-managed IT (information technology) and good cybersecurity. Learn about the risks that financial institutions face as well as regulations to prevent such threats.
The Rise in Cyber Attacks on Financial Institutions
The finance sector is becoming a leading target for cyber attacks, according to the Center for Strategic and International Studies. Financial groups are up to 300 times more likely to experience a cyber attack than other services (Boston Consulting Group). Hackers are drawn to the industry because it holds money and personal banking information. If a cyber attacker can access financial data, they have a gateway to large sums of money and even identity theft. Hackers attack banks to profit through extortion, theft, and fraud.
Financial Cybersecurity Compliance
With so many transactions and billing details on the web, companies must take the initiative to protect data. In 2013, the Federal Financial Institutions Examination Council (FFIEC) created a Cybersecurity and Critical Infrastructure Working Group. It is meant to “enhance communication among the FFIEC member agencies and build on existing efforts to strengthen the activities of other interagency and private sector groups” (Cybersecurity Awareness). They also published a cybersecurity assessment tool so that institutions can identify cyber risks and vulnerabilities.
The FFIEC mandates certain regulations for financial institutions to maintain compliance. For example, multi-factor or two-step authentication is mandatory for any online transaction. Users can confirm their identity through face ID, voice recognition, fingerprint scanning, and more. The FFIEC also requires that all transactions use encryption, which essentially “locks” data against outside interception with an encryption key.
NYS Cybersecurity Regulations
The New York State Department of Financial Services published 23 NYCRR Part 500 in March 2017. The document contains a list of cybersecurity regulations for financial institutions. The Cybersecurity Regulation (also called “Part 500”) includes definitions, policy, and detailed explanations of the cybersecurity requirements. Here are a few, but not all, of the regulations explained in Part 500. Financial services in NY should consult the full regulation to read more and confirm that they are in compliance with the Cybersecurity Regulation.
According to 23 CRR-NY 500.4, any institution following the regulations must “designate a qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy.” This individual will ensure that proper cybersecurity requirements are being enforced and that a financial institution is protecting its information. 23 CRR-NY 500.5 mandates that financial groups include penetration testing and vulnerability assessments, in which the company analyzes and tests the potential risks that they may face. Vulnerability assessments should be completed bi-annually. Similarly, 500.9 is about risk assessments. Financial groups should conduct a periodic risk assessment to analyze the cybersecurity program.
500.12 and 500.15 include information about multi-factor authentication and encryption, respectively. As with most businesses that deal with sensitive information, financial groups should have some form of two-step verification “to protect against unauthorized access to nonpublic information or information systems.” Better login security will ensure that systems are safe and not vulnerable to outside access. Institutions must also encrypt nonpublic information. Encryption essentially “locks” data from unauthorized access through an encryption key that only authorized users have.
Cyber Threats for Financial Companies
The finance sector faces many cyber risks. By knowing about the top risks for finance companies, your business can better protect itself.
Many businesses face the risk of phishing, especially without proper employee understanding or training. In phishing attacks, hackers trick individuals into opening links that appear legitimate but actually deliver malware or a virus. For example, the attacker may pretend to be your boss sending you a file. In reality, they are a hacker trying to make you download a malicious document that will compromise your device. The Akamai threat report shows that in 2019 almost 50% of phishing attacks were linked to financial institutions.
Phishing can allow unauthorized users to gain access to finances and give them the ability to wire money. In one instance, an employee at a company fell for a phishing scam by clicking on the wrong link and thus gave a hacker access to the entire financial department. The hacker then gained access to the company’s email and faked the email address with only a one-letter difference, which allowed them to keep corresponding with the company. This was extremely dangerous for the business.
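The one-letter lookalike address described above is something mail filters and finance teams can check for mechanically. The following is an added example (not code from the article, from Computero, or from the company in the anecdote): it compares the sender's domain against a list of trusted domains using edit distance, and escalates any message that both comes from a non-trusted sender and asks for money. The trusted domains, keyword list, and sample messages are constructed for illustration; a real deployment would take them from the organisation's own directory and counterparty list.

```python
"""Flag e-mail senders whose domain is a near miss of a trusted domain.

Added example, not part of the original article. TRUSTED_DOMAINS,
PAYMENT_KEYWORDS and SAMPLE_MESSAGES are constructed values.
"""

# Assumption: the organisation knows its own domain and its key counterparties.
TRUSTED_DOMAINS = {"examplebank.com", "accounting-partner.net"}

# Words that typically appear in a request to move funds or change payment details.
PAYMENT_KEYWORDS = ("wire", "payment", "invoice", "bank details", "account number")


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or
    substitutions needed to turn string a into string b."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain of an e-mail address, or '' if malformed."""
    local, sep, domain = address.strip().lower().rpartition("@")
    return domain if sep and local else ""


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """'trusted' for an exact domain match, 'lookalike' when the domain is
    within max_distance edits of a trusted one, otherwise 'unknown'."""
    domain = sender_domain(address)
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    # Short domains can collide by chance; tune max_distance for your list.
    for good in trusted:
        if levenshtein(domain, good) <= max_distance:
            return "lookalike"
    return "unknown"


def review_message(sender: str, subject: str, body: str) -> dict:
    """Combine the sender check with a money-request check. needs_callback is
    True when a non-trusted sender asks for funds, i.e. the case where the
    article recommends a verbal call back before acting."""
    verdict = classify_sender(sender)
    text = f"{subject} {body}".lower()
    money_request = any(k in text for k in PAYMENT_KEYWORDS)
    return {
        "sender_verdict": verdict,
        "money_request": money_request,
        "needs_callback": verdict != "trusted" and money_request,
    }


# Constructed sample messages: a genuine request, a lookalike-domain request
# (lowercase L swapped for uppercase I), a truncated TLD, and unrelated mail.
SAMPLE_MESSAGES = [
    ("cfo@examplebank.com", "Q3 invoice", "Please process the attached invoice."),
    ("cfo@exampIebank.com", "Urgent wire", "Send the wire today, I am in meetings."),
    ("billing@examplebank.co", "Bank details update", "Our account number changed."),
    ("newsletter@unrelated-shop.org", "Weekly deals", "Save 20% this week."),
]

if __name__ == "__main__":
    for sender, subject, body in SAMPLE_MESSAGES:
        print(sender, review_message(sender, subject, body))
```

The check is intentionally simple: an edit-distance threshold of 2 catches single-character swaps, dropped letters and truncated top-level domains, but it will not catch a sender who uses a completely different registered domain with a familiar display name, so it belongs alongside the call-back procedure rather than in place of it.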
Another huge threat for the finance industry is ransomware, in which hackers lock private information with encryption until the victim pays a fee to get it back. These attacks can be quite costly to recover from. Ransomware is becoming a huge threat for all industries, including healthcare and manufacturing. The share of financial services organizations hit by ransomware attacks increased from 34% in 2020 to 55% in 2021. In the case of a financial company, a hacker might lock or hold private information for “ransom.” This can lead to identity theft for people who trusted their data to that company. Additionally, a ransomware attack can lead to a loss of trust in the affected business. People will not want to do business with a company that has been breached.
Banks and financial companies are at the highest risk for DDoS (distributed denial of service) attacks. A DDoS attack is a malicious attempt to make an online service unavailable to users by overwhelming or interrupting the host. You may have encountered the effects of a DDoS attack if you have ever tried to access a website or online service that was “down” or returned a “bad gateway” error.
Like many industries, financial institutions face many cyber risks, so it is important to keep your finances safe as well as protect your financial business.
Protect your Business’ Financial Information
Whether it’s your own banking information or a company’s collection of financial documents, you need to follow best practices to protect your online finances. Here are some practices you or a financial business can adopt to protect your financial information.
- Be hyper-aware of any conversation involving requests for funds or sensitive financial information. For example, a phishing email may ask for your credit card number or tell you that your recent service payment did not go through. Make sure the source is real before providing information or clicking any links.
- If a company says that it is changing its instructions or payment methods, get some form of confirmation before going through with any action. Perform a verbal call back with a trusted member of the company.
- When sending funds or paying for a transaction, get a verbal confirmation. Oftentimes, when you call your bank or try to make a payment, the system will ask for voice recognition or a phone number and zip code to verify your identity.
- Have a good managed IT service provider who can help filter spam and illegitimate messages and whom you can contact in the event that you sense something fishy. A good managed IT service, like Computero, will also help you protect your server, network, phone system, and more for maximum cybersecurity.
Cybersecurity Awareness Training
One of the best ways to ensure that your employees understand the consequences of poor online security is cybersecurity awareness training. In the aforementioned NYS Cybersecurity Regulation, 500.14 covers “training and monitoring.” Financial institutions must include cybersecurity awareness training as part of their cybersecurity program and implement policies, controls, and procedures to monitor the activity of authorized users and detect unauthorized access to data.