State of play: cybersecurity in financial services
Each month, Philip Benton, Principal Fintech Analyst at Omdia, explores a new topic and assesses the “state of play”, providing an analysis and understanding of the market landscape.
This month, Philip takes an in-depth look at cybersecurity in financial services.
IT outages, data breaches and scams are now a weekly headline for the financial services industry. The emergence of new technologies like cloud, AI and blockchain has positively transformed the sector, but it has also created new avenues of attack for fraudsters/criminals. So, for this month’s state of play, I’m doing a deep dive into the world of cybersecurity.
The evolving cybersecurity threat landscape
The current cybersecurity threat landscape remains dynamic and challenging. New threats continue to emerge as fraudsters leverage new technologies, such as generative AI, to create new methods of attack. Traditional attack vectors, such as phishing, continue to confound even savvy end users, while established criminal business models, such as ransomware, continue to mature and evolve.
Globally, financial services organisations face a host of cybersecurity threats. Some threats are industry agnostic, so firms may deploy many of the same security controls seen in other large organisations. But financial services companies also need to protect against targeted and sophisticated forms of fraud, much of it utilising digital infrastructure. These organisations have therefore also invested heavily in anti-fraud solutions.
Financial services companies face all the cybersecurity concerns experienced by other verticals while also operating under unique constraints and with the additional challenges associated with financial fraud. And if there is an environment as dynamic and challenging as cybersecurity, it is financial fraud.
Financial services organisations find themselves between a rock and a hard place. Customer and market demands have accelerated the speed and scale of their digital transformations. But all this must be done within the constraints of regulatory requirements and with the safety of customer data kept top of mind.
Fraud prevention is a top cybersecurity challenge
Financial services as an industry faces many of the same cybersecurity challenges as other verticals, whether it's budget constraints, a growing threat landscape, siloed processes or visibility into user data/devices. But fraud remains unique to the FS sector, along with the sensitivity of its data and its compliance/regulatory requirements.
Regulated financial institutions are obliged to report to authorities on a regular basis, with fraud and financial crime a key component that regulatory bodies will scrutinise. Although fraud is evolving, and new types are emerging constantly, it is generally classified into four common areas:
- Card fraud (card not present, counterfeit, lost/stolen, ID theft and so on)
- Remote banking fraud (internet banking, telephone banking and mobile banking)
- Authorised push payment fraud (through deception and impersonation)
- Scams (purchase, investment, romance and so on)
Fraud is consistently a challenge for all types of financial institutions. It is closely linked with the other key unique sector challenges as it relates to the sensitivity of the data that banks hold on customers. Banks have stringent compliance and regulatory requirements, which means they must report on fraud whenever it occurs.
In fighting transactional fraud and financial crime, financial institutions face ongoing challenges. Firstly, there is the need to keep pace with new types of fraud as well as new patterns of fraudulent activity. Secondly, fraud prevention systems need to be accurate, as poor fraud controls can lead to high levels of false positives to the detriment of customer satisfaction.
A sudden shift to increased online payments (as exemplified during the Covid-19 pandemic) has resulted in some detection systems flagging as potentially fraudulent the behavioural changes forced on consumers by evolving societal circumstances. This leaves banks to deal with large volumes of false positive alerts, and then to adapt their systems and processes accordingly. Not only has the sudden shift to online payments made fraud detection harder, but the adoption of digital wallets, where virtual cards are more prevalent, has created more potential loopholes for fraudsters to exploit. As new payment methods continue to emerge (open banking, crypto, BNPL and so on), scenarios for fraud to occur continue to multiply, requiring additional resources from financial institutions to monitor and prevent attacks.
According to Omdia’s Retail Banking Technology Spending Forecast, IT spending on antifraud systems for monitoring, fraud analytics, case management and the aggregation of fraud-related data services by retail banks is expected to reach $4.5 billion globally by the end of 2024, which will be an increase of 6.1% on the previous year. Use cases for addressing financial fraud are centred around automation and include transaction monitoring and response, credit line monitoring, case management for declined credit cards and third-party risk and continual vendor verification.
Digital dependence day
On 19 July 2024, the world’s dependence on technology was shown in its true light. What happens if there’s a coding flaw in just one of these cybersecurity stack components?
We don’t need to wonder anymore. We now know. It impacts airports, banks, retail outlets, healthcare institutions and more. On 24 July, CrowdStrike provided its Preliminary Post Incident Review on the cause of the outage. This review confirmed that: “The crashes were due to a defect in the Rapid Response Content, which went undetected during validation checks. When the content was loaded by the Falcon sensor, this caused an out-of-bounds memory read, leading to Windows crashes (blue screen of death).”
The FS sector was badly hit by this outage. It impacted several segments of financial services, including the ability to access vital banking services, send/receive payments or even trade in financial markets.
The UK and European banking sectors were already reeling from a separate outage that hit the Swift network the day before (on 18 July), impacting high-value and time-sensitive transactions and specifically the Chaps system in the UK, which is used for house purchases. This follows another separate outage which hit the UK’s faster payments system in June, which meant several people received their salaries late.
What can the FS sector learn from ‘digital dependence day’?
This shows that it’s not just malicious attacks which are a threat to financial institutions. Even non-malicious tech outages can bring businesses to their knees.
At Omdia, we have long warned about over-reliance on cloud services. The recent IT outages will make financial institutions rethink moving mission-critical applications (such as payments) off-premises. Looking forward, there’s a shift towards consolidating security tools into integrated platforms. However, as one CISO starkly put it, “Consolidating with fewer vendors means that any issue has a huge operational impact. Businesses must demand rigorous testing and transparency from their vendors.”
DORA (the Digital Operational Resilience Act) is on the horizon, and it impacts 22,000 entities that operate in the financial services sector in Europe. The act forms the latest part of legislators' ongoing attempts to weave together an industry increasingly reliant on an intricate network of connections.
As part of their compliance, industry players must be able to evidence and practise measures that prove an ability to withstand, respond to and recover from any kind of disruption or threat originating from IT systems.
Cybersecurity attacks, IT outages and scams are unfortunately an inevitable problem for the financial services sector. However, how financial institutions plan for, react to and limit the disruption will be vital to ensure consumers don’t lose trust in the sector.
About the author
Philip Benton is a Principal Fintech Analyst at Omdia and writes analysis on the issues driving technological change in financial services. Prior to Omdia, he led consumer trends research in retail and payments at strategic market research firm Euromonitor.
In this column, Philip discusses the technological implications and consumer expectations of the latest fintech trends.