The global financial system runs on trust. This not only needs to be earned but also protected to keep the financial sector as well as the broader global economy running. As the digitization of financial services progresses, it is incumbent upon the financial industry to proactively protect and sustain that trust in the face of several emergent threat vectors that now threaten it.
Artificial Intelligence
Artificial intelligence is advancing so rapidly that it is hard to pinpoint the relative mix of opportunities and risks it will bring. It is a powerful driver of optimization, efficiency and cost reduction, as well as the basis for new business lines and products. It will be integrated into our companies at all levels, including in cybersecurity and risk management. But these tools are also being adopted by threat actors, who are already utilizing generative AI in various ways, such as flawless translations of phishing messages, finding code vulnerabilities and impersonating a CEO’s voice asking to make a bank transfer. As with all emerging technologies, it’s a cat-and-mouse game of threat actors evolving new tactics and security teams finding and defending against them, albeit faster than ever before.
Fraud
Almost everyone knows someone impacted by fraud, whether having their credentials stolen, being tricked into moving money or any of hundreds of other current tactics. Corporate customers too are impacted by tactics like business email compromise and executive impersonation, which will only get more complicated to spot with rapidly progressing AI tools for text, images, audio and video. As the industry moves to real-time payments and settlement, the convenience of having money instantly hit your account is a boon to fraudsters, who quickly move any ill-gotten gains through a chain of statements that are impossible to track, much less recover.
Supply Chain Risks
With the rapid growth of software, infrastructure and platform-as-a-service, the complexity of supply chain risk management has exploded. While the financial sector has a long history of robust cybersecurity, many newer technology firms do not have this same mandate. As we have seen recently, a breach of a major supplier can impact many firms and thousands of customers. The financial sector especially depends on a small number of highly specialized suppliers, which opens the industry up to concentration risk, where the impact of one incident could have a systemic impact.
Nation-State Threats
The current threat landscape is a web of highly sophisticated nation-state actors connected to and operating independently from ideologically motivated hacktivists and cybercriminal groups. The lines between activities designed to sow division and confusion versus to disrupt operations or steal money are increasingly blurred. As geopolitical hotspots emerge around the globe, it is critical to stay vigilant, cautious and prepared to defend against new nation-state threats.
Quantum Computing
While no one knows the exact time frame, the era of quantum computing is upon us, with big tech companies, nation-states and academics all racing to build large-scale quantum computers. These will almost certainly break our current modes of cryptography by taking seconds to solve cryptographic problems that take classical computers years. Further, many threat actors are hoarding encrypted data in the hope that, fairly soon, post-quantum tools will be available to decrypt it. Changing cryptographic standards across the entire internet takes years; the last one took a decade. We must start now.
Preparing Ourselves Now for the Threats of the Future
We need a multi-dimensional strategy to prepare the financial system for these emerging risks. Strategic, risk-based decision-making at the top and embedding a culture of critical baseline cyber hygiene practices at all organizational levels can help ensure a nimble security and resilience posture for the sector as well as individual firms.
These critical baseline practices include:
- Multi-factor authentication policies across internal and external interfaces
- Complete network security, including on-premises and remote access points with VPNs
- Employing threat identification with technology-backed tools rather than waiting for an incident, which can significantly reduce the impact
- Fast and efficient risk-prioritized vulnerability patching programs to limit the impact of security incidents
- Quantum-resistant security algorithms, such as lattice-based cryptography, multivariate-based cryptography, and code-based cryptography
- Simple and clear guidelines for cybercrime reporting, managing, and sharing
Our security teams must remain ahead of emergent threats in the dynamic and complex threat landscape. With the “great cybersecurity talent shortage,” financial firms are competing with other sectors for increasingly scarce expertise. While AI and automation can help identify patterns across vast swathes of data in ways human brains cannot, humans are still needed to provide context and analysis that machines will miss. We must invest in training the next generation of cyber defenders and continuously upskilling and building our human capital.
The good news is that we do not need to do this alone. The financial sector has been sharing cyber intelligence for 25 years. Our trusted, secure systems for sharing not only the tactical indicators of compromise and tools and techniques of malicious actors but also the collective knowledge and wisdom of how to protect our firms and customers as threats evolve is extremely robust. In addition, we now have tried and true models for stress-testing our incident response capabilities across all levels of the organization and ensuring we plug any gaps to strengthen our overall resilience. Together, we can meet the challenges ahead to preserve and even enhance the digital trust so critical to the functioning of the global financial system and society at large.