
How Financial Services Firms Should Respond to an IMF Cyber-Threat Warning

Financial services organisations have long been a target for threat actors. Whether they’re financially motivated groups looking for customers’ personal and financial information to sell on the dark web, or nation state actors bent on disrupting critical infrastructure – the threats are by now well documented. But that doesn’t mean they are being managed successfully. Banks may have more money than most to spend on cybersecurity, but they’re also a bigger target.

That’s why the industry should heed a recent warning from the International Monetary Fund (IMF) that the likelihood of a catastrophic attack with systemic consequences has risen in recent years. It claims the industry has lost $12bn from cyber-attacks over the past 20 years. Fortunately, there’s plenty that can be done to enhance baseline security.

What Did the IMF Say?

The concern is that things are becoming more precarious, as digital investments expand the cyber-attack surface and well-resourced threat actors take advantage. The IMF warns that “extreme losses” in the financial services sector have risen more than four-fold since 2017 to $2.5bn. Rising geopolitical tension and a growing reliance on third-party suppliers is increasing the risk exposure of many organisations, it adds.

The fund’s biggest concern is that cybersecurity incidents spill over from a single institution to threaten the entire global financial system – eroding customer confidence and/or disrupting critical services. Serious cybersecurity breaches could even precipitate bank runs, the report warns.

This has been on the radar of regulators for some time. That’s why the EU created the Digital Operational Resilience Act (DORA), which impacts entities and their IT suppliers operating in the region. In fact, several of the IMF’s suggested steps to improve cyber-resilience in the sector overlap with the requirements of the EU regulation. They are:

  • Regularly assess the cybersecurity landscape and identify possible systemic risks, including from third-party suppliers
  • Improve cyber-governance, including board-level access to cybersecurity expertise
  • Enhance cyber-hygiene through industry best practices
  • Prioritise data reporting and information sharing to enhance collective preparedness
  • Develop and test incident response and recovery processes

Ian Harragan, co-founder of i-confidential, argues that governance is key.

“Good security governance helps steer an organisation’s direction, ensuring it achieves its goals. One important aspect of governance relates to incident response. Financial services organisations understand they are a target for adversaries, so how can they limit the damage caused by successful breaches?” he tells ISMS.online.

“This can be achieved through well-tested incident response plans, which lay out how different cyber scenarios could affect an organisation, and then provide guidance on how to recover from the incident. This should include attacks both on their own infrastructure, and suppliers as well.”

The Supply Chain IS a Critical Risk Factor

Other experts ISMS.online spoke to also highlight the potential security gaps in banking supply chains. As good as a financial institution’s own security posture may be, it could still be breached via a well-targeted attack on a supplier, or even via its software supply chain. Examples aren’t difficult to find. A data breach at Bank of America service provider IMS in November 2023 led to the compromise of personal information on 57,000 customers. And the infamous MOVEit campaign snared dozens of banks that used the popular file transfer software, including Flagstar Bank, where over 800,000 customers had data stolen.

Dan Potter, senior director for operational resilience at Immersive Labs, argues that as financial institutions have tried to meet customer demands for more streamlined experiences, they’ve unwittingly created points of weakness. Closer cooperation with suppliers is increasingly important to address these, he says.

“Speed is now everything for customers, and financial organisations have to constantly innovate and create friction-free, digital experiences. At the same time, financial institutions are also expected to deliver the highest level of security and data protection whilst meeting ever higher regulatory and compliance standards,” Potter tells ISMS.online.

“If a single third-party supplier, which supports multiple banks to deliver critical services, is hit by a cyberattack, then it could cause chaos across financial markets. Therefore, the well-established collaboration within the financial services sector now needs to extend to the supply chain, and in particular big tech firms.”

Sylvain Cortes, VP strategy at Hackuity, is pessimistic about the ability of financial services firms to effectively manage risk permeating their software supply chains.

“A very recent example, the xz Utils backdoor, demonstrates that using open source software in a production system can have benefits but also risks – imagine, a backdoor introduced into almost every Linux system worldwide?” he tells ISMS.online.

“Unfortunately, assessing and covering third-party risks is extremely complex, if not impossible in some cases. In the case of xz Utils, this would have required all Linux user organisations to review and analyse the entire Linux codebase, which is practically unfeasible.”

There’s a potential role for the IMF itself here to corral government efforts to drive information sharing and research in this space, for the benefit of global financial services organisations, he adds.

Best Practices Pave the Road to DORA

One of the IMF’s key recommendations is to enhance cyber-hygiene through best practice. This is where compliance with established standards can play a useful role, argues i-confidential’s Harragan.

“Industry standards, such as ISO 27001 or NIST, provide a trusted framework for financial services organisations to establish their cybersecurity foundations, such as the key controls to have in place, and help them prioritise their ongoing activities,” he explains.

“Most financial services organisations will, however, utilise multiple standards, from vertical to cyber-specific, rather than just focusing on one. This allows them to tailor any efforts to their own circumstances. Taking a mixed approach to cybersecurity best practice ultimately improves their overall resilience.”

Reporting is also important, as it allows financial services organisations to ensure they are measuring security accurately and can tailor their programmes towards the greatest risk, Harragan adds. Choosing the right metrics is key here.

“Metrics allow organisations to systematically rate their security efforts so they can understand where they are currently in terms of effectiveness, and then set goals for where they want to be in the future,” Harragan continues. “But to deliver an effective metrics programme organisations must measure what they should, not just what they can.”

Above all, banks operating in the EU will need to get their DORA compliance programmes in order before the January 2025 deadline. The IMF report will hopefully not tell CISOs in the sector what they don’t know already. But it might help them make a strong case to the board.
