Ransomware, AI top list of threats driving up cyber insurance costs

Generative AI can create more than just stock photos. Hackers are also using large language models to write malware and phishing emails, according to a recent report from a cybersecurity consortium for banks.

A cybersecurity consortium for banks said recently the industry has faced a relatively low cybersecurity threat level in recent months, but serious risks remain, and cyber insurance premiums have risen enough to cause some institutions to reconsider their policies.

Ransomware is the primary threat driving these premium increases, but novel and malicious uses of AI also threaten financial institutions, according to a recent report from the Financial Services Information Sharing and Analysis Center. The consortium's 5,000 member firms collectively hold $100 trillion in assets.

The hike in premiums comes despite a lower overall level of cybersecurity threat today compared to early 2022, the FS-ISAC said in its report. The consortium polls its members on a biweekly basis to create region-wide threat ratings on a four-level scale, according to Teresa Walsh, global head of intelligence for FS-ISAC.

As of December, the overall threat level in each region FS-ISAC covers is "guarded," the lowest of the four levels on the scale. In May, FS-ISAC reduced its assessed threat level against Americas-based institutions from "elevated," the second lowest level on the scale, as the heightened security risk posed by the Russian invasion of Ukraine and, prior to that, the Log4j vulnerability, waned.

While threat levels vary across banks, and institutions face targeted attacks from time to time, the regional threat ratings reflect the level of systemic risk the financial system faces and provide a useful baseline for institutions to compare against, according to Walsh.

But the fact that the overall threat level is down does not make cybersecurity less of a priority for banks. The threat landscape is "ever-changing," Walsh said.

Another key factor forcing banks to tend to their security practices is cybersecurity insurance.

"Following substantial year-on-year premium increases coupled with more and more exclusions and growing requests to establish minimum security standards and practices (e.g., the engagement of specialist ransom negotiators on retainer), some financial sector firms are beginning to reconsider cyber insurance," reads FS-ISAC's report.

Not only are insurers beginning to require that banks engage ransom negotiators; some Asia-Pacific members of FS-ISAC have seen cyber insurers exclude ransomware from their policies. But ransomware is far from a region-specific concern, and as new ransomware variants arise, the ransomware market is also changing.

Ransomware as a service

By far the greatest cybersecurity concern banks identified in the FS-ISAC report is ransomware. Among strains of ransomware, LockBit posed the greatest threat throughout 2022, the report said. The threat actor behind LockBit sells its services to people who have particular targets in mind for the malware. This is known as ransomware as a service, or RaaS.

"LockBit [users], like other RaaS operators, target public and private sectors indiscriminately," the FS-ISAC report says. LockBit capitalizes on the availability of compromised networks sold by brokers who buy and sell stolen credentials that provide access to privileged business accounts. "Other notable groups from throughout the year include Black Basta, BlackCat, AvosLocker and Hive."

Ransomware does not just threaten banks themselves but also their supply chain, according to the report.

"Trending analysis of ransomware attacks conducted by FS-ISAC on data shared from a partner identified the manufacturing and professional, scientific and technical services sectors as the top two industries targeted by ransomware threat actors, with the finance and insurance sector third," the report reads. "Professional, scientific, and technical services represent the majority of third-party suppliers and vendors to the financial sector."

Hacktivism and global conflicts

FS-ISAC identified hacktivism — politically or ideologically motivated cyberattacks — as another key trend to monitor in the coming year, particularly hacktivism connected to geopolitical conflicts such as Russia's invasion of Ukraine.

"Financial firms in countries that Russia considers hostile have been singled out for attacks and called out by name as targets on Telegram and other hacktivist forums," reads the FS-ISAC report, which also notes such threats have "yet to cause significant impact."

State-affiliated groups pose a similarly motivated but much more sophisticated threat. This creates an extra challenge for cyber insurance: cybersecurity insurers typically include language in their policies that creates exclusions for war or hostile acts, according to Jeff Costlow, chief information security officer at cybersecurity company ExtraHop.

These exclusions stipulate that insurers cannot indemnify companies against cyberattacks considered acts of war, which creates unwanted ambiguity for banks around what they can do about attacks from both state-affiliated and hacktivist groups.

Artificial intelligence and large language models

As artificial intelligence products have become more easily accessible, cybersecurity experts have expressed concerns about the use of the technology to automate and improve cyberattacks. These concerns stem from examples of people generating phishing emails, writing malware and accomplishing other tasks using ChatGPT and other large language models.

Among the concerned are banks. FS-ISAC identified the malicious use of products from OpenAI, the creator of ChatGPT, as examples of how artificial intelligence is being used against financial institutions.

However, the FS-ISAC report also alludes to defensive measures that AI enables.

"The increasing number of vulnerabilities and the growing speed with which these are exploited — coupled with cyber staff shortages and increased regulatory focus on vulnerability and patch management — may drive organizations toward an increased investment in automated approaches to patching and prioritizing vulnerabilities, both new and aged," reads the report.

Just as the malicious uses of AI are limited by the operators monitoring for policy violations, the upside of AI is also limited by the judgment and expertise it lacks compared to cybersecurity professionals.

Ultimately, artificial intelligence is not a one-sided tool for offensive or defensive applications, according to Jeff Hudesman, chief information security officer at income data company Pinwheel.

"Both attackers and defenders have been leveraging AI to improve their tactics and strengthen their defenses," Hudesman said. "It is difficult to definitively say who has used AI more effectively, as both sides are in a constant arms race to outpace the other."
