Some surprising news emerged in mid-December. A Freedom of Information request sent to the Financial Conduct Authority (FCA) revealed that the number of c
Cybersecurity attacks reported to the regulator by large financial institutions fell 53% from the previous year. Reported data breaches also fell, by 29%. While welcome news, there are some big caveats.
The fall in reports could signify attacks are getting more sophisticated and harder to spot. The reporting periods also didn’t quite align, meaning two-and-a-half months of possible regulatory reports weren’t included in 2024’s figures. In fact, we’re seeing attacks and breaches at financial services industry (FSI) firms surging. In line with these organisations ramping up investment in digital transformation and IT modernisation projects.
Threat actors are grasping the opportunity with both hands. To keep them at bay, IT and cybersecurity leaders in the sector may need to rethink their approach to cyber risk management.
Cybersecurity controls are urgently required
Digital transformation is on an inexorable path. Driven by customer demand for seamless cross-channel experiences, and the quest for more streamlined business processes and productivity gains. Cloud adoption, mobile and app-centric services, remote workforces, and expansive supply chains are the result. However, this rapid change comes at a price. Research warns that half (49%) of global FSI leaders believe their attack surface is spiralling out of control.
Put simply, the ‘attack surface’ is the total expanse of all the IT and OT systems in a business that could theoretically be hacked. It includes everything from on-premises desktops and servers to cloud containers and even employees. Vulnerabilities and misconfigurations across these systems and services are inevitable. And the more assets there are, the more chance there is that a determined threat actor will find a weakness. This allows them to compromise the corporate network or a critical cloud account.
Heeding the warning
The likelihood of them doing so is increasing all the time. Not just because the typical FSI attack surface is increasing, but also because cybercriminals and nation-state operatives are getting better at using AI to their advantage. The National Cyber Security Centre (NCSC) warned back in January 2024 that AI “will almost certainly increase the volume and heighten the impact of cyber-attacks over the next two years”. It’s right. Generative AI in particular lowers the bar for budding threat actors by enabling them to create highly effective social engineering campaigns. And perform reconnaissance at scale to find weaknesses in organisations’ attack surfaces. In some cases, these weaknesses may exist in AI tools brought in by workers themselves. One report claims over a third of firms are struggling with shadow AI.
Our adversaries are also aided by the sheer complexity and interconnectivity of modern digital environments. APIs, microservices and third-party integrations -including frequently buggy or downright malicious open source components – expand the attack surface yet further.
Why it’s time for change
Managing risk across these environments should be a priority for obvious financial and reputational reasons. Open Banking rules and the growth of FinTech have made it easier for dissatisfied customers to jump ship. Furthermore, providing more options for those looking for a new provider. A serious breach could be the catalyst for a mass exodus. It’s also expensive in other ways. FSI is the second-top sector overall in terms of the average cost of a data breach. This is estimated to be over $6m per incident, assuming no more than 113,000 records are compromised.
However, there’s increasingly a regulatory imperative for FSI firms to rethink their Cybersecurity strategy. Any operating in the EU now has to comply with a rigorous new set of requirements in the EU Digital Operational Resilience Act (DORA). From January 1, 2025, those in the UK deemed to be critical third parties (CTPs) will be required to put in place a number of “technology and cyber risk management and operational resilience measures”.
A new mindset
So what does this mean in practice? Modern technology environments are dynamic, with new assets appearing and disappearing. Furthermore, new vulnerabilities are emerging and fresh misconfigurations surfacing on a daily or even hourly basis. Managing risk across this vast, incredibly volatile and highly distributed environment requires a new approach. Traditional perimeter defences are no longer sufficient.
Instead, FSI firms need continuous monitoring of risk across their entire attack surface. From endpoints and networks to servers and cloud workloads. Ideally, such a platform will flag areas of concern and either suggest improvements or automatically remediate. It could be something as simple as changing an insecure password, or patching a critical vulnerability newly published by a key vendor. This is the way to build resilience for the long term.
But there’s more. Some threats will always sneak through corporate defences. That’s why it’s also vital to expand security operations capabilities with AI-driven analytics and cross-layer detection and response (XDR). The goal is to correlate threat data across multiple layers and automatically prioritise alerts for stretched analyst teams. Robust incident response processes are also key here, to ensure no time is wasted in containing the threat and minimising any damage caused.
More broadly, it’s about fostering a culture of cyber resilience. Continuous improvement, proactive defence, and a willingness to adapt are ingrained in the corporate mindset. More Cybersecurity regulations are promised by the government in 2025. The clock’s ticking.
- Cybersecurity in FinTech