The Cost of Cybercrime in the Financial Sector

Cybercrime is a lucrative business and criminals are increasingly targeting the financial sector in their quest for quick financial reward. As cyberattacks continue to grow in both frequency and sophistication across all industries, the financial sector in particular is under relentless attack from hackers.

In 2022, for example, data from Akamai showed web application and API attacks against financial services firms grew by 257 percent compared with the previous year. This sector also sees some of the highest cost for cybercrime, with IBM noting that in 2022, the typical cost of a data breach for this sector stood at $5.97 million – more than a million dollars above the overall average.

Whilst cyberthreats vary in their approach and impact, data exfiltration, malware, phishing, advanced persistent threats and DDoS attack attempts are most prevalent with attackers who are focused on obtaining access to confidential transactional data, user account information and gaining control over transactional systems with the intent to steal funds or disrupt operations.

It’s fair to say that there are only two kinds of financial services firms out there: those that have faced a cyberattack and those that will. We know that security breaches are inevitable, and they will lead to lost revenue, GDPR and other regulatory fines, loss of customers, operational interruptions and reputational damage that can take years to repair. So what key trends are affecting this sector?

Cybersecurity issues remain a leading concern for the finance industry in 2023. Recent research by the UK’s central bank found that financial services companies rate cyberattacks as the biggest threat to the country’s financial system, ahead of inflationary pressures and geopolitical risks. Almost three-quarters of executives in this sector (74 percent) named this as their number one concern – and this can be very costly.

Among the main types of cybercrime these firms face are phishing attacks attempting to trick employees into divulging sensitive information, ransomware attacks that aim to disrupt operations or serve as a launching pad for extortion, and DDoS attacks to hammer key financial systems by making essential services unavailable to legitimate customers.

As well as financially-motivated cybercriminals, the sector is increasingly being targeted by nation-states. For example, more than half of financial firms (54 percent) interviewed by Contrast Security considered cyberattacks from Russia as their top threat. These attacks may be particularly dangerous as Russian state-sponsored cybercrime gangs are highly knowledgeable of the financial sector in terms of how it operates and where the biggest vulnerabilities lie.

For example, early this year, a ransomware attack on a Dublin-based fintech firm by Russian-based group LockBit disrupted transactions for dozens of major clients in both Europe and the US affecting the derivatives market as the victim was forced to isolate and shut down key servers.

Unfortunately, selling stolen personal information and credentials on the dark web still pays, and with its reliance on confidential customer data to conduct business, the financial industry will always be a prime target for cybercriminals. When a breach does occur, the risks are multiplied when you consider the number of users involved. Take for example the 2017 Equifax breach which affected more than 143 million consumers.

However, selling stolen data to other criminals for use in fraud is not the only motivation for hackers, and as trends evolve cybercriminals have had to diversify their efforts. For example, research by Privacy Affairs found that in 2021, the most valuable financial data for cybercriminals – credit card details for accounts with balances up to $5,000 – would sell for up to $240 on the dark web. But in 2022, this was down by half to just $120.

This does not mean hackers are becoming less focused on financial services firms. Far from it – instead, it means they are shifting their attention to other areas such as extortion, as well as ramping up the scale of their attacks, in order to make money.

No business is immune from major threats, such as ransomware, that seek to exfiltrate data and then extort firms by threatening to release it. But for companies in the banking sector, this could be a particularly lucrative tactic due to the vast amounts of sensitive data these organizations hold.

Indeed, research from Sophos found that in 2021, 55 percent of financial services institutions were targeted by ransomware attacks, up from just 34 percent in 2020. What’s more, over half of affected companies (42 percent) paid out a ransom in order to recover their data or prevent public disclosure.

If firms do fall victim to this type of threat, there’s also no guarantee they’ll be protected by insurance. Sophos’ research also noted that while 83 percent of financial services companies reported having cyber insurance coverage against ransomware, they only pay out in 32 percent of cases, compared to an average of 40 percent across all sectors.

This suggests insurers believe many incidents have resulted from financial services firms acting irresponsibly by failing to adequately secure their data. Indeed, the research noted that despite the high level of security threat facing this sector, only 54 percent of financial services firms encrypted their data. This compares with a global average of 65 percent and makes financial firms the second-worst performing sector when it comes to safeguarding data.

Mobile banking poses its own set of challenges for the industry. With customers becoming increasingly reliant on mobile apps and online web portals to complete transactions, every bank must develop new technologies to accommodate the demand, therefore increasing their exposure and level of cyber risk.

Mobile malware, third party apps, unsecured Wi-Fi and precarious customer behavior pose significant risk to mobile banking, and it’s important to note that the financial institution is responsible for tackling these threats, regardless of whether they use a proprietary or third-party mobile banking application.

Another factor to consider is tighter regulations affecting financial service firms that could make data breaches even more costly should organizations not take essential mitigation steps.

For example, since May 2022, financial institutions in the US have been required to report any cyber incidents that may impact the country’s financial system to law enforcement within 36 hours of discovery. This means a banking institution can no longer try to remedy any issues privately, for instance by negotiating behind the scenes with any hacker.

The cyber threat landscape today is infinitely more sophisticated than just a few years ago and it’s evolving quickly. Cybercriminals are always looking for new ways to attack so financial organizations must embrace new technology to defend against them. Therefore, the financial services industry must constantly play catchup to boost their cyber resilience against the latest generation of threats.

The days of relying on firewalls and Antivirus to prevent these attacks are well and truly behind us. To protect against modern-day threats, a preventative multi-layered defense system focused on preventing data loss, data profiling and data collection is required.

Cyberattacks and data breaches are inevitable, and hackers will find their way in, but with a preventative approach to cybersecurity these threats can be eliminated before the damage is done. Companies globally could incur $10.5 trillion in costs and lost revenue by 2025 due to cyberattacks, so all businesses, particularly those in the financial sector simply must prioritize cyber defense.