Risk Management
Managing cyber risk across an expanding financial services attack surface
Financial services companies are spending big on cybersecurity. According to Moody’s, spend as a share of overall IT budget increased 51% in the sector between 2019 and 2023. Organisations in the sector also grew their cybersecurity staff by 25% from 2019-22.
Yet security breaches continue to occur with alarming frequency. Banks, insurers and others will remain a popular target for attackers as long as there is valuable customer and corporate information to steal and hold to ransom.
Against this backdrop, the business of managing risk across an expanding digital attack surface has never been more critical. It’s also frequently expensive, time-consuming and complex. That’s why Trend Micro is running a 45-minute workshop on the topic in March.
A risky business
As the custodians of a vast trove of sensitive personal and financial information, banks and other financial services players are singled out for data theft, ransomware, account hijacking and other attacks on a daily basis. Our data reveals that nearly three-quarters (72%) have been compromised by ransomware at least once over the past three years.
A large part of the problem is the sheer size of the modern corporate cyber-attack surface. For financial services firms it may include:
- Vulnerabilities in operating systems and software/firmware. Last year saw a record number of CVEs published by the National Vulnerability Database (NVD)
- Misconfiguration of systems. One insurer’s honeypots attracted 5.8 billion attacks in 2018, three-quarters (76%) of which targeted RDP, which is often misconfigured
- Cloud systems. We predict a surge in cloud-native worm attacks in 2024, enabling threat actors to scale potentially devastating attacks via a single entry point and compromise
- Internet-connected assets including web applications and servers and traditional computing machines/devices, which may be connecting from workers’ homes where they could be less well secured
- Blockchain technology. As private blockchains become more popular among financial services providers, threat actors will increase efforts to find vulnerabilities and misconfigurations to exploit. This could give them the ability to steal funds, disrupt operations and/or launch ransomware campaigns
- Supply chains. This could range from traditional banking partners to digital suppliers like software vendors and open source ecosystems. Such attacks could compromise back-end systems and even be used to hijack software updates sent to customers
Financial services organisations are increasingly concerned about their ability to manage this kind of attack surface risk. Nearly two-thirds (65%) admit they have blind spots, and over half (56%) say their method of assessing risk exposure isn’t sophisticated enough. Three-quarters (75%) of financial services IT and business leaders have told us they are concerned with the growing size of their attack surface.
That’s bad news at a time when compliance requirements such as the EU’s DORA legislation continue to place a heavy burden on financial services. And generative AI threatens to supercharge sophisticated phishing campaigns and fraud attempts. Even if it is customer accounts and credentials that are targeted and not banks’ IT systems directly, the financial institutions will still receive the lion’s share of the blame.
Online workshop
Unlocking Value in Financial Services: Cyber Resilience Unleashed, 21st March, 13:30 - 14:15
This is where our upcoming 45-minute online workshop could help. Join our expert panel of speakers including industry CISOs and Trend Micro executives as they outline the scale of the challenge and share their tips on attack surface risk management (ASRM), including:
- Gaining control of a fast-evolving attack surface
- Better understanding cyber risk
- Protecting sensitive customer data and safeguarding brand reputation
- Enabling a seamless customer experience
- Engaging more effectively with the board to position cyber as a strategic resource and business enabler
- Maintaining pace with an evolving regulatory landscape across DORA, GDPR, NIS2 Directive, PCI DSS and PSD2
Register here for the workshop. We look forward to welcoming you.