Cybercrimes are growing more sophisticated across all sectors, but the risks in financial services are exceptional—the industry consistently ranks among the most frequent targets for cyberattacks, with organizations facing ever-evolving conspiracies coordinated by sophisticated international cybercrime cartels with new priorities, tactics, and endgames.
That’s the topic of “Modern Bank Heists,” a panel discussion at this year’s RSA Conference 2023, led by Tom Kellermann, SVP of cybersecurity strategy at Contrast Security.
Today’s heists, while less lethal than those Bonnie-and-Clyde–style stickups of the past, certainly pack a punch, Kellermann notes. They also signal big changes for the finserv sector in the form of new cybersecurity regulations: New York’s Department of Financial Services (NY DFS), for example, has proposed mandatory reporting of ransomware payments within 24 hours.
A member of the cyber investigations advisory board for the U.S. Secret Service and a former deputy CISO for the World Bank Treasury, Kellermann will be speaking with Ron Green, CSO and chair of the Cybercrime Investigations Advisory Board at Mastercard, and Matt O’Neill, deputy special agent in charge of Cyber at the U.S. Secret Service, about the latest cybersecurity and e-fraud trends affecting the financial services sector and the countermeasures organizations are prioritizing. (Kellermann’s panel will take place Monday, April 24, at 11:30 a.m. ET / 8:30 a.m. PT, at RSAC 2023, which runs April 24-27 at the Moscone Center in San Francisco.)
Kellermann offered Focal Point a sneak peek into these discussions and the trends shaping cybersecurity in the financial services sector today.
Let’s jump right into the panel. Where did the idea for it come from?
Several years ago when I worked for the World Bank, I co-authored the first-ever book on the financial sector’s information security challenges, Electronic Safety and Soundness: Securing Finance in a New Age. Then, six years ago, I revisited that construct and began writing the Modern Bank Heists Report, a series of annual reports that gauge notable cyberattack trends, e-fraud trends, and defensive countermeasures.
Those three pillars are informing our panel discussion. But it’s not just a discussion of this report—the perspectives of the panelists on these topics are seminal and critically important.
Cyberattacks on financial institutions are evolving. What trends should we be alert to today?
Everyone keeps talking about spear phishing, but that’s not the way cybercriminals are getting into financial institutions. These highly sophisticated cybercrime cartels are getting in by attacking APIs [application programming interfaces, the mechanisms that allow two software components to communicate, frequently used in banking for payment processing and account management, for example].
More importantly, once they get in, they don’t just want to burglarize the bank—they turn it into a hostage situation where they use the bank’s digital transformation to attack their constituency. Suddenly you’ve got a mobile app attacking you, the bank website is attacking you through a watering hole, and the email you received from the mail server of the financial institution has malware or a redirection in it. This is happening more often than not because they understand the trust and confidence that you have in your financial institution and they want to use it against you.
They’re also reacting viscerally to the defenders. We’re seeing a lot of counter-incident response where they fight back to maintain persistence. It escalates to actually using destructive attacks against the institutions as they respond. More wipers and ransomware are being deployed.
You also mentioned e-fraud. What’s new here?
The most significant e-fraud trend that we really need to keep our eye on is how cybercrime cartels are going after non-public market information. They’re trying to conduct digital front-running or digital insider trading. The whole construct of how they monetize their persistence in the system in nontraditional ways is something we’re really going to unpack with the panelists.
How well are financial institutions protected against these threats today?
Financial institutions are making progress, but at the same time, they’re facing the most sophisticated and organized adversaries in the world.
Besides the cybercrime cartels, you have to appreciate that there’s this pax mafiosa between the elite cybercrime cartels and four rogue nation-states and their intelligence services—that’s one reason why we’ve seen such an explosion of zero days. They use them, but they also hand them off to their cybercrime cartels.
Given how cybercrime cartels are attacking today, what should financial institutions focus on most in the next year?
They have to appreciate that the modus operandi and the endgame of the cybercrime cartel has changed: It’s no longer about the bank heist; it’s about the hostage situation. It’s about hijacking the digital transformation and using it to attack your constituency. So they have to defend against that.
Also, because of escalating punitive actions by adversaries and this nexus between intelligence services and cybercrime cartels, financial organizations really need to reevaluate their governance structure. It’s high time that your CISO is reporting to your CEO, and it’s time that you have a cybersecurity specialist on your board.