In this second article of our series, we explore the cyber threat landscape for banks, along with the relevant regulatory requirements to consider in the UK banking sector.
Cybersecurity is an ongoing and rapidly evolving challenge for the banking industry. As banks invest in technology to streamline operations, more and more systems are integrated into their IT networks. While these systems serve purposes such as enabling remote work, improving customer experience and creating value, each one also widens the attack surface that malicious actors can exploit. Check out our previous article to learn more about why banks are prime targets for malicious actors.
Gone are the days when cyber threats came mainly from individual attackers. Today, organised and well-resourced groups operate with commercial tooling, and increasingly with artificial intelligence and machine learning, which broadens the threat landscape considerably.
1. Escalating ransomware and phishing attacks
The banking sector has seen a significant surge in ransomware attacks in 2023, driven by the widespread adoption of Ransomware-as-a-Service (RaaS) and Hacking-as-a-Service (HaaS), which put capable tooling in the hands of affiliates who need little technical skill of their own. Sophos' State of Ransomware Report 2023 found that the share of financial services organisations hit by ransomware rose from 55% in the 2022 report to 64% in the 2023 study, almost double the 34% the sector reported in 2021. Phishing stands out as the most common method used for initial access, so addressing this primary point of entry (user awareness, phishing-resistant multi-factor authentication and email filtering) is crucial for banks.
2. Increased supply chain risks
Supply chain cyberattacks are becoming more common and more sophisticated. Banks are particularly exposed because they rely heavily on third-party software that runs with privileged access on their estate. Tools such as antivirus and remote access software require regular communication between the vendor's network and end-user devices (signature and software updates, telemetry, remote management sessions), and a vendor or update channel that is compromised delivers trusted, often signed, code with high privileges to every customer at once. Safeguarding this critical juncture, through vendor due diligence, update verification and tight network segmentation of vendor connectivity, is therefore paramount.
3. Rapid rise of account takeover (ATO) attacks
The COVID-19 pandemic pushed many customers into the digital banking ecosystem, giving ATO attackers an expanded pool of fraud targets. Financial services is by far the sector most targeted by ATO attacks, with 37.8% of organisations having experienced an attack in 2022 (Imperva, see reference below). According to Sift's quarterly Digital Trust & Safety Index, the first half of 2022 alone saw a 131% increase in ATO attacks. This trend calls for heightened vigilance and proactive defences such as credential-stuffing detection, device and behavioural risk signals, and strong authentication on login and high-risk actions.
4. Rise of DDoS attacks fuelled by geopolitical conflicts
The conflict between Russia and Ukraine has triggered a substantial upswing in Distributed Denial-of-Service (DDoS) attacks targeting financial services institutions. In 2022, European financial firms saw a 73% surge in DDoS attacks, as FS-ISAC and Akamai jointly reported.
Globally, attacks rose 22% compared with the previous year, underlining the urgent need to counter attacks that can disrupt customer-facing services and undermine customer trust. Because these campaigns are often politically motivated rather than financially driven, they may persist for longer and target availability for its own sake.
Amidst the ever-changing threat landscape, banks must remain vigilant and continually evaluate the effectiveness of their controls and oversight. Compliance with the following regulations is crucial to avoid penalties and preserve the integrity of the financial ecosystem:
1. FCA Operational Resilience Guidelines: The FCA's PS21/3 policy statement on operational resilience sets out the obligations of financial services firms to prepare for severe but plausible operational disruptions, such as cyberattacks. Banks are required to identify their important business services, set impact tolerances (the maximum tolerable level of disruption to each service, expressed as a measurable point such as a maximum duration), map the people, processes, technology, facilities and information that support those services, and test their ability to stay within tolerance through scenario testing of appropriate sophistication. Banks must also identify and remediate any weaknesses in their operational resilience, including cybersecurity vulnerabilities, and document this in a self-assessment. Banks regulated by the PRA are subject to the PRA's parallel operational resilience policy as well.
2. PSD2 SCA: One of the key regulatory updates was the introduction of Strong Customer Authentication (SCA) under the second Payment Services Directive (PSD2), implemented in the UK through the Payment Services Regulations 2017 and retained after Brexit. SCA requires banks and payment service providers to authenticate customers with at least two independent factors (something they know, something they have, something they are) when they access their accounts online or initiate electronic payments, subject to exemptions for low-value and low-risk transactions. For remote payments the authentication code must also be dynamically linked to the specific amount and payee, so that a code captured by an attacker cannot be reused for a different transaction. Embracing SCA enables banks to reduce the risk of fraudulent transactions, safeguard customer funds and deliver a secure yet seamless payment experience.
3. UK GDPR and Data Protection Act 2018: The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 have ushered in a new era of data protection practices in the UK. These regulations place stringent requirements on banks, covering the protection of personal data, a lawful basis (including consent where relied upon) for processing, notification of personal data breaches to the ICO within 72 hours of becoming aware of them, and the appointment of a data protection officer where core activities involve large-scale monitoring of individuals. Compliance not only helps banks avoid hefty fines (up to £17.5 million or 4% of global annual turnover, whichever is higher) but also reinforces customer trust by ensuring the responsible handling of sensitive information.
In the face of an ever-evolving cyber threat landscape, banks must remain vigilant and proactive in fortifying their cybersecurity defences. As technology integration expands, so does the attack surface available to malicious actors. The rise of sophisticated cyber threats demands a comprehensive and robust response. Meeting these regulatory requirements is a baseline rather than a ceiling: banks that treat them as a framework for continuous improvement will strengthen both their resilience and their security posture against these threats.
At Synpulse, we understand the critical importance of staying ahead of the curve in an evolving threat landscape. With our expertise and comprehensive approach, we are committed to assisting banks in mitigating cyber risks and ensuring their systems and data remain secure.
In our next article, we will discuss the significance of biometric authentication in securing the future of banking. Get in touch with us to discover how you can enhance your security measures and gain further insights into this crucial topic.
Reference: Financial Services plagued by bad bots and account takeover attempts: Imperva (Retail Banker International, 10 May 2023).