Four worries bank cybersecurity experts face

According to the results of VMware’s survey, many financial institutions face efforts by hackers to gain access to corporate information that can affect the share price of companies, such as earnings estimates, public offerings and significant transactions. This information can be about the bank itself or about other companies.

Of the cybersecurity executives surveyed, 66% said their institution had experienced attacks that targeted market strategies and 25% said market data was the primary target for cybercriminal activities.

“Portfolio managers and heads of market strategies are being specifically targeted by persistent threat actors who are not stealing money, who are not destroying data, who are not moving laterally through a system, but merely trying to become telepathic as to the positions the institution takes,” said Tom Kellermann, head of cybersecurity strategy for VMware.

Attributing cyber incidents to particular threat actors can be difficult, particularly when they are sophisticated attackers. Proving that market manipulation occurred as a result of hackers obtaining nonpublic information would be an even more difficult task, according to Peter Marta, a partner at law firm Hogan Lovells specializing in cybersecurity.

“You'd have to see certain anomalous trading activity; you'd have to tie that to a specific group or individual; you would then have to prove the activity was insider trading associated with material nonpublic information, then that the information was obtained through some type of cyber-related compromise of a specific financial institution,” Marta said.

Cybercriminals can exploit the dependencies financial institutions have on managed service providers — providers of IT services like network, application, infrastructure and security services — to gain access to the institution. VMware calls the strategy “island hopping.”

Rather than lateral movement within an organization, island hopping is lateral movement across organizations, according to Rick McElroy, principal cybersecurity strategist at VMware.

According to the company’s survey, 60% of financial institutions were victims of island hopping last year.

A major example of island hopping occurred during the 2020 cyberattack committed by Russian-backed hackers that penetrated thousands of organizations. The group injected malicious code into Solarwinds’ network management software updates, which the company unwittingly pushed down to U.S. government agencies, financial institutions, and many other clients.

Financial institutions concerned about the security of their managed service providers should review their relationships with those vendors to make sure they are making them fill out detailed security questionnaires, obtaining audit rights and gathering proof that they use recognized frameworks and best practices, according to attorney Marta.

“Ten years ago, the obligation to notify your customer of a cyber incident wasn't nearly as common in contracts as it is today,” Marta said. “It's the lawyer’s job to make sure that the contracts with vendors remain consistent with latest best practices, and it's on IT and third party oversight functions to ensure that they're conducting the right level of due diligence.”

Before banks concern themselves with their contracts, they need to concern themselves with their internal culture, according to Steve Tcherchian, chief information security officer at cybersecurity company XYPRO.

“Without a proper internal culture of security and privacy, managing security of managed providers can be a futile effort,” Tcherchian said. “Providers need to be treated as an extension of the company itself, because they are. Switching providers will just shift the problem from one bucket to another. Start at home.”

In VMware’s survey, 83% of respondents expressed concern over the security of cryptocurrency exchanges — a concern by virtue of the growing ties between banks and cryptocurrencies. The company said the equivalent of $2.6 billion has been stolen from these exchanges, and attackers using ransomware often demand payment in cryptocurrency using these exchanges.

Tcherchian said cryptocurrencies have become part of many investment portfolios and pose a potential disruption to payments, both of which make crypto an important consideration for banks.

Crypto trading typically happens in a centralized fashion on popular exchanges like Coinbase, Crypto.com, and others. For the many users on those exchanges, that makes their funds only as secure as the exchange where they are trading.

“All the fundamental vulnerabilities that exist for financial institutions still exist for the people building crypto exchanges, except the exchanges don't have the same staff; they don't have the same amount of money; and they certainly haven't been around long enough to build a good risk management program,” McElroy said.

McElroy added that, while cryptocurrencies generally assure that funds remain locked away in wallets, that does not assure the keys to wallets are secure.

“I think the community has tried to rely on blockchain as the security mechanism,” McElroy said. That handles things like assessing the integrity of transactions, but “it doesn't account for a website vulnerability” or malware that penetrates a crypto exchange’s system.

As for which crypto exchanges banks could trust, McElroy advised that banks consider which are actively seeking oversight from regulators. Coinbase, one the largest exchanges by volume, is among those exchanges.