The finance and insurance sector proved a top target for cybersecurity threats in 2022. The IBM Security X-Force Threat Intelligence Index 2023 found this sector ranked as the second most attacked, with 18.9% of X-Force incident response cases. If, as Shakespeare tells us, past is prologue, this sector will likely remain a target in 2023. Finance and insurance ranked as the most attacked sector from 2016 to 2020, with the manufacturing sector the most attacked in 2021 and 2022.
What are the top threats?
The X-Force threat report found that backdoor attacks in the finance and insurance sector were the most commonly observed action on objective, making up 29% of attacks. In fact, backdoor attacks — the compromise of systems or data by remotely negating or bypassing security measures — were the most common type of attacker action that X-Force incident responders handled. The next top attack types for this sector, both at 11%, were ransomware (code that blocks access to data or systems until money is paid) and maldocs (files, like word processing documents, spreadsheets or PDF documents that execute malicious code when interacted with).
Why do cyber criminals use these types of attacks against the finance and insurance industry? Because they work. These attacks rely on user carelessness and distraction, allowing an attacker to gain an opening. Backdoor compromises often happen as a result of unpatched vulnerabilities or missing security measures. Ransomware and maldoc attacks happen when a person clicks on a fake link or opens an attachment they shouldn’t. In fact, the report found that in this sector, the top infection vector was spear phishing attachments, used in 53% of attacks. The exploitation of public-facing applications came in second place at 18% of attacks. This is when criminals take advantage of a weakness in an internet-facing computer or program. Clicking on spear phishing links came in third as the initial access vector in 12% of cases.
Geography and cybersecurity intertwine
There’s also a geographic factor to threats executed in the finance and insurance sector. Europe saw the highest volume of attacks (33%) against this sector, with Asia-Pacific a close second place at 31%. Why these two regions? First, Russia’s war in Ukraine had an impact. There is a cyber criminal element to modern warfare, and this war opened a fault line in cyber crime. Threat actor groups resided in both countries, and both have dispersed across Europe in the wake of the conflict. These criminal groups, which in the past often worked together, now frequently fight each other. Many European businesses find themselves in the middle of that conflict.
In Asia-Pacific — specifically Japan — there was a spike in Emotet malware in 2022 after a brief hiatus throughout 2021. The X-Force threat report notes that spam campaigns, driven by Emotet, appeared across several sectors, with most cases occurring in manufacturing and finance and insurance.
The defensive posture required for cyber resilience
The X-Force threat report notes that finance and insurance organizations tend to be further along in both digital transformations and cloud adoption progress relative to other industries. Another sign of maturity is the prevalence of the CISO role in this sector. A 2022 Global CISO Survey found that more than two-thirds of CISOs were at companies with annual revenue of $5 billion or more, and they worked most often in financial services and technology and telecom. The maturity within this sector often means that attackers have to work harder to successfully execute attacks against these organizations. That’s a possible clue as to why criminals have set their sights on other sectors in recent years.
How exactly do digital transformation and cloud adoption build a defensive posture? It comes down to resilience and speed. Organizations at the mature stage of digital transformation are nimbler and better able to cope with disruption at a faster clip, whether from supply chain woes or ransomware demands. Speed and flexibility are necessary when dealing with cyber criminals, as they have managed to execute their attacks faster than ever. The report notes that ransomware attacks once took criminals two months to execute in 2019. By 2021, that timeline shrank to four days. As attacks come faster, organizations need a proactive approach to cybersecurity.
Cyber resilience is part of that approach. Cyber hygiene — the steps and policies organizations put in place to maintain the health of their systems and the security of their users — is part of that. Removing the silos between security and business has also been necessary to gain resilience. Staying vigilant to threats, particularly those aimed at your sector, is critical for creating a flexible defensive posture that can repel threats and, when necessary, withstand them.
How regulations and standards affect the finance and insurance sector
Staying aware of evolving and emerging threats, as well as how to defend against them, is a necessary consideration, no matter your business sector. Becoming a public victim of a breach does reputational and financial damage. However, in the finance and insurance sector, perhaps more than any other, mandated regulations and industry-accepted standards play an outsized role. These standards place an additional burden. Nearly all cybersecurity regulations impact finance and insurance firms specifically, and have, for decades, served as a harbinger for other sectors. Let’s review just a sampling of the standards and regulations that affect this sector:
- PCI DSS: The Payment Card Industry Data Security Standard governs how organizations of all sizes and sectors manage credit card transactions. It aims to protect debit and credit card transactions from breaches. Begun in 1999, it’s not a new standard, but it is one that is regularly updated.
- SOX: The Sarbanes-Oxley Act is a U.S. law enacted in 2002 that governs financial reporting.
- GLBA: The Gramm-Leach-Bliley Act is also known as the Financial Modernization Act of 1999. This act requires that financial institutions explain both how they share and protect their customers’ private information.
- PSD2: The Payment Services Directive was an EU law from 2009 that outlined EU rules for electronic payments like direct debit, credit cards, mobile and online transactions, and credit transfers. Its objective was to make payments between EU countries secure. In 2018, the second Payment Services Directive (PSD2) added more consumer protection and security. It also regulates newer modes of online and mobile payments.
- New SEC rules: The Securities and Exchange Commission proposed cybersecurity rules in 2022 that affect how financial services firms handle cybersecurity. They hope to finalize the rules sometime in 2023.
Vigilance in 2023
As the IBM Security X-Force Threat Intelligence Index 2023 makes plain, cyber threats are not diminishing. In fact, they are getting more prevalent, creative and swift. For a CISO within the finance and insurance sector, the report’s writers offer three actions you can take:
- Track your assets. Know what you are protecting, its potential appeal to cyber criminals and when assets are added or subtracted.
- Know your adversaries. Who is coming after you and why? How sophisticated are they and how will they try to exploit you?
- Manage visibility. Confirm that you can see into your data sources and know what would indicate the presence of an attacker. Then outline how you would proceed to stop the attack and minimize disruption.
Download the report for more insights and recommendations and a comprehensive view of the current threat landscape.