Banks that have been beefing up their cybersecurity measures for years remain on alert for potential attacks from Russia on the heels of fresh warnings from the Biden administration, security experts told MarketWatch.
As the keepers of the global financial circulatory system for the flow of capital, banks continue to find themselves on the front lines amid fresh cybersecurity warnings last week from the U.S. government. The administration is promoting its Shields Up Initiative from the Cybersecurity & Infrastructure Security Agency, which is part of the Department of Homeland Security.
Bill Neuman, operating partner at private-equity firm Lovell Minnick Partners LLC and a financial technology industry executive, said banks now find themselves at a “heightened stance” to spot the standard modes of engagement. Cyberattacks most often come from email phishing, unpatched software, or denial-of-service attacks that crash web servers by overloading them with data requests.
“What I’m seeing companies do is go back through their incident response plans and make sure their patching systems are in the latest version so there’s no software defects, and refreshing their user training,” Neuman said.
All told, cybersecurity costs rose to about $2,700 per employee in 2020 from $2,300 per employee in 2019, according to Deloitte.
Worldwide spending on information security and risk management is expected to grow 10% in 2022 to $170.3 billion, and then grow another 11% percent to $189.4 billion in 2023, according to Gartner data.
While U.S. and European banks remain on guard, Ukraine appears to be at the top of the list for Russia with Ukraine’s Ministry of Defense under attack in recent weeks, according to Gardner.
In 2017, Ukraine sustained the “NotPetya” cyberattack that impacted banks, ministries, and newspapers, as well as radiation detection systems at Chernobyl.
Another famous attack in 2007 knocked out Estonia’s online banking services and cash machines.
To counter such threats, NATO formed the Cooperative Cyber Defense Centre of Excellence in Estonia in 2008.
“Both Russia and Ukraine have been areas of concern from a cybersecurity perspective,” said Hadas Cassorla, chief information security officer at Chicago-based M1 Finance LLC. “If you have a solid security program with good security hygiene you stay on top of things like this.”
Both system vulnerability tests and access controls such as multi-factor authentication help protect networks, she said.
Bruce Van Saun, CEO of Citizens Financial Group
said last week’s warning from the Biden administration about cybersecurity threats from Russia shows that the government remains focused on protecting vital companies such as utilities and banks.
“The good news is [banks] have invested a fortune in protecting customer data” with banks and regulators often sharing information on potential threats such as denial of service attacks, Van Saun said.
“The system functions pretty well but you can never let your guard down for the next threat,” he said.
Communication between banks and government-backed cybercops stands out as a critical part of thwarting attacks.
Among the industry groups involved in such efforts is the Financial Services Information Sharing and Analysis Center (FS-ISAC), which is chaired by Ann Barron-DiCamillo, head of cyber operations at Citigroup Inc.
Steven Silberstein, CEO of FS-ISAC, said the group remains “vigilant to all cyber threats and anomalous activity,” according to an email to MarketWatch.
Keith Zielenski, managing director at consulting firm Protiviti, said banks have been working to reduce application-level vulnerabilities and to differentiate between legitimate and nefarious network traffic.
Banks are also starting to adopt a “zero-trust” policy to cybersecurity to require all users inside or outside the organization to be authenticated, authorized, and continuously validated.
“While this approach does not protect against all cyber-risks, it does provide a robust set of cybersecurity controls,” Zielenski said.
CFO Jeremy Barnum said at the Credit Suisse Financial Services Forum in February that the bank has been spending heavily on cybersecurity for years as a major priority.
“It’s become even more important as you try to ramp up your agility and your speed to market while preserving the sort of large bank safety and soundness standards, both for regulators and for customers,” he said. “It’s not an area where you can afford to make mistakes.”
Remaining safe on the cyber front “is a particular challenge and it makes us very happy that cyber has been a priority for as long as it has, but it’s going to continue to be and it’s obviously not cheap,” Barnum said.
Allen Denson, partner, Stroock & Stroock & Lavan LLP, said banking regulators have been preparing for years by requiring prompt notice of cyberattacks and updated points of contact at banks.
“It’s not a perfect system, but it shows that the banking agencies have been thinking about this increased risk for some time,” Denson.
Some milestones include a joint statement on cybersecurity risk by the Federal Reserve Board, Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. in 2020 to establish risk-mitigation techniques. The trio of federal agencies in late 2021 finalized rulemaking on cyberattacks to establish protocols for responding to threats.
Katell Thielemann, VP Analyst at Gartner, said chief information security officers and risk management executives need to define high value assets and build secure backups offline or in the cloud, according to a February article. Other best practices include updating personnel reporting and internal emergency communication lists and maintaining a copy offline.