Learn how and why the financial industry is often targeted and discuss best practices for remediating these evolving security challenges.
Wiz Experts Team
8 minute read
When it comes to cybercrime, financial services institutions are a growing target. Because the sector makes up about 20–25% of the global economy, threat actors see financial services as a potential goldmine. In 2022 alone, an alarming 1,829 cyberattacks were carried out on financial services organizations around the world. Let’s take a closer look at how and why the industry is often targeted and discuss best practices for remediating these evolving security challenges.
Like many industries, financial services are increasingly adopting digital technologies for fast, cost-effective, and personalized service delivery. Two key developments in the sector have brought both benefits and drawbacks:
Mobile applications
Institutions such as banks, fintech companies, and insurance companies leverage mobile applications to give customers easy access to their accounts. Unlike traditional setups with limited hours and locations, apps facilitate 24/7 availability and remote access. However, these advantages bring security risks like fake banking apps.
Cloud data storage
The financial industry handles large amounts of data, which have traditionally been stored on-premises. On-prem storage has major downsides: high costs and limited disaster resistance are just two. By adopting cloud storage providers’ pay-as-you-go services, financial institutions limit data storage costs and ensure seamless service restoration in the event of disasters. On the other hand, this cloud storage medium also introduces new security risks, such as DDoS attacks, account hijacking, and data breaches.
Why the financial services sector needs cybersecurity
To put it simply, cybersecurity is paramount for financial services companies because there’s a lot of money at stake. The sector is responsible for protecting massive transactions, after all. With an estimated $28,115.02 billion in the finserv market in 2023, there’s a lot of money to be made from ransomware, phishing, malware, and brute force attacks on the industry. And as financial institutions continue to adopt cloud computing, their attack surface widens. That’s why financial technologies need top-of-the-line safeguards.
Key cybersecurity challenges in the financial sector
Let's take a look at six critical challenges facing the finance industry:
1. Insider threats
Employees with access to critical data may compromise security due to negligence or malicious intent. For example, Yahoo sued a former employee in May 2022, alleging that he downloaded approximately 570,000 pages of proprietary information right before he gave his notice. According to Yahoo, the downloaded information included source code.
2. Third-party risk management
Third-party solutions such as data security and compliance solutions, cloud data storage solutions, data entry/processing software, credit card processors, and customer relationship management software keep the finserv sector running smoothly. Although financial institutions enter into contractual agreements with third-party vendors, this is not sufficient because vendors may supply incomplete or inaccurate information about the true capabilities of their products/services. That’s why independent verification is necessary, and you should leverage only trusted, industry-leading platforms like Wiz.
3. Regulatory compliance
Due to the sensitivity of PII, there are multiple international, domestic, and even regional cybersecurity regulations that financial services must comply with. Staying on top of compliance can be challenging, so let’s take a look at a few regulations in more detail:
Payment Card Industry Data Security Standard (PCI-DSS): PCI-DSS encourages organizations to encrypt cardholders’ personal and financial information and to restrict unauthorized access to it.
The Gramm-Leach-Bliley Act (GLBA): The GLBA includes rules governing the collection, use, and sharing of PII by all American financial service providers operating in the U.S. or serving clients there.
The New York State Department of Financial Services (NYDFS) Cybersecurity Regulations: NYDFS Cybersecurity Regulations require DFS-licensed institutions and financial institutions’ third-party service providers to implement strong cybersecurity policies and regularly audit them for proactive risk management.
The Sarbanes-Oxley (SOX) Act: The SOX Act compels organizations located in or operating in the U.S. to provide accurate financial audits signed by their CEO and CFO and audited by a third party on an annual basis. It seeks to ensure financial records are accurately compiled and securely stored.
The California Consumer Privacy Act (CCPA): The CCPA mandates that organizations that either operate in California or have clients in California must properly secure and record data/processing history. The act requires organizations to provide forms that customers can fill in to state whether their PII can be used or sold, and to what extent.
The General Data Protection Regulation (GDPR): The GDPR covers all financial services providers in the European Union. It limits the collection of PII to only absolutely necessary data and provides strict guidelines for its processing and storage.
For organizations with customers who are distributed around the globe, ensuring compliance with these (and other) policies can be cumbersome. And failure to comply with these regulations often results in hefty fines. For instance, Danske Bank, a Danish bank that violated GDPR and Danish Data Protection Agency (Datatilsynet) regulations, was fined €1.3 million. The bank was unable to provide evidence of properly processing customer PII, including deleting data that was no longer necessary. Institutions can protect themselves from steep fines by adopting a comprehensive compliance solution.
4. Mergers and acquisitions
Mergers and acquisitions are common in the financial services industry. When they occur, getting full visibility into diverse cloud-hosted resources in order to manage potential cyber risks can be difficult and require expert intervention. To avoid this, verify your service provider’s reliability.
5. Cost and expertise required to maintain security standards
Deploying cloud services means security responsibilities are shared between CSPs and financial institutions. In addition to the overhead associated with paying for cloud storage and security solutions, extra costs stem from employing and training staff who can manage them. For small and medium-sized institutions seeking to leverage the benefits of tech solutions, staffing and costs can be unmanageable.
6. Legacy infrastructure
Although there is industry-wide cloud adoption that will continue for years to come, there’s an abundance of legacy applications and infrastructure in the financial services sector that are not immediately movable to the cloud. Since those immovable resources are on-prem, they can serve as backdoors into an organization, introducing risks that the cloud could have abstracted away. For example, outdated software components, malware on local disks, and other hands-on attacks can compromise on-prem systems, and those systems remain exposed to natural disasters, power surges, and outages.
Recommendations for building a cloud security foundation at financial services firms
For financial institutions, the biggest driver of digital transformation is the need to meet competitive challenges and high customer expectations for digital financial products that include robust features and data. These digital products must also be supported by cloud services that can interact with a range of partner institutions and banks. When financial institutions are planning this digital transformation, security is foundational.
Cloud security is especially important for financial institutions because of the increasing volume and sensitivity of the data they handle. Furthermore, financial institutions are subject to stringent regulatory requirements, including SOC 2, PCI DSS, and GDPR. These regulations require robust security controls, necessitating a strong cloud security framework. Financial institutions migrating to the cloud also must contend with the challenge of modernizing legacy data storage and transaction systems.
Avoid risks of migrating to the cloud
Provide complete visibility into the organization's cloud footprint: you can’t assess your security posture if you don’t know what’s in your network
Adopt a single multi-cloud security platform as you migrate to the cloud: a centralized platform reduces the complexity of managing multiple security solutions
Employ a shift-security-left approach that incorporates security assurance processes as early as possible into the software development process, enabling developers to identify and address vulnerabilities early
Address compliance requirements
Get a holistic view of compliance across the organization, including the rules and regulations that must be followed and a list of services/cloud real estate impacted by each of those regulations
Measure/establish a baseline for compliance: get a detailed view of compliance with exec reports, allow individual stakeholders to measure compliance, allow team-level visibility for compliance, provide guidance and remediation
Build guardrails by allowing compliance violations to be detected early in the pipeline
Manage changes due to Mergers and Acquisitions
Pre-acquisition: Provide an inventory of the cloud infrastructure, its controls, and its compliance status early in the M&A process. Set a clear understanding of the current state of the organization's digital assets and security measures
During acquisition: Establish an order of priority that needs to be tackled in the first few days of the M&A process. Manage the complexity of merging distinct IT environments and operations by focusing on the most crucial tasks first
During integration: Help to architect security systems and workflows in the post-acquisition process. Ensure the continued protection of sensitive data during a time of significant change
Post-acquisition: Resolve compliance gaps in the M&A process that the acquiring institution needs to address as part of the cloud risk analysis
Embrace a Shift Security Left approach
Foster a collaborative culture: Encourage a culture where development, operations, quality assurance, and security teams collaborate closely
Integrate tools and processes: Utilize tools and processes that facilitate early testing and security checks, such as automated testing tools and continuous integration/continuous deployment (CI/CD) pipelines.
Integrate cloud security tooling into security and engineering workflows
Invest in training and skills development: Provide training to help teams understand and implement shift-security-left practices effectively
Create “cyber resilience”
Establish risk management frameworks and conduct regular risk assessments: carry out periodic risk assessments to identify potential vulnerabilities and develop strategies for managing and mitigating these risks
Develop Incident Response and Disaster Recovery Plans: these should detail how the organization will maintain operations during attacks and restore normal operations as quickly as possible after an incident.
Prioritize Third-Party Risk Management: Assess the security measures of any third-party vendors or cloud service providers the organization works with. Ensure these parties meet strict security standards and have appropriate procedures in place
Examples of financial institutions doing cybersecurity right
Blackstone, the world’s largest alternative asset manager, tackles advanced cloud-native security
Lili, an all-in-one banking app, achieves PCI DSS compliance by remediating its most critical risks and performing deep architectural reviews
Tide, a financial platform for micro, small, and medium enterprises, uses a unified cloud security platform to keep its infrastructure and customers’ data safe and to automate its approach to securing its containerized environment
Revolut, one of Europe’s best-known money applications, enhances its response to potential cyber threats with clear, concise reporting that creates focus in a large, fast-moving engineering team
Aon, a risk management and insurance brokerage firm, automates risk identification and compliance reporting, while successfully fast-tracking remediation and M&A integration
Bridgewater Associates, an asset management firm, unifies its hybrid and multi-cloud security posture
Protecting customer data in the cloud
Financial institutions have a large amount of sensitive data they need to protect in the cloud in order to gain their customers’ trust. It can be challenging to understand where your sensitive data is, how it can be accessed, and how different risks combine to create the risk of a data breach.
Wiz’s unified cloud security platform makes it easier for financial institutions to stay secure in the cloud by offering:
Sensitive data protection: Wiz can automatically identify and classify sensitive data, such as customer PII and financial transaction data. This classification can then be used to create policies that protect the data from unauthorized access or disclosure.
Comprehensive risk assessments: Wiz provides a unified view of all cloud assets, including workloads, infrastructure, and configurations. This allows financial institutions to identify and prioritize security risks across their entire cloud environment.
Deep risk analysis: Wiz uses a variety of techniques, including machine learning and graph analysis, to deeply understand the relationships between cloud assets and identify complex risks that traditional cloud security tools may miss.
Prioritized remediation: Wiz prioritizes remediation actions based on risk, business impact, and other factors. This helps financial institutions to focus their efforts on the most important risks and reduce their overall risk exposure.
Compliance and reporting: Wiz helps financial institutions to comply with a variety of industry regulations, including PCI DSS and HIPAA. It also provides comprehensive reporting capabilities that can be used to track and demonstrate compliance over time.
Multi-cloud enablement is at the heart of our transformation strategy and security is paramount. Wiz helps us visualize our entire cloud environment and drive actionable insights, in minutes. They’ve made cloud security an enabler for Morgan Stanley and helped us break down the barriers between security and development teams.