Covid-19 and Cyber Risk in the Financial Sector

After completing this reading, you should be able to:

• Define cyber risk and describe the elements that constitute it.
• Describe and compare causes of cyber risks and methods of enacting cyber attacks.
• Identify and explain the effect COVID-19 has had on the level of cyber threat.
• Assess how the financial sector, in particular, has been threatened by cyber risk during the pandemic.
• Identify changes in cyber risk landscape and ways to mitigate risks to financial stability.

Cyber risk can be defined as the potential exposure to loss resulting from the failure or breach of an organization’s IT systems. According to Cyber Lexicon – a specialized offshoot of the Financial Stability Board set up to address cyber resilience in the financial sector – cyber risk is the combination of the likelihood of cyber events and their effects. In turn, a cyber incident is defined as: “Any observable occurrence in an information system that: (i) jeopardizes the cybersecurity of an information system or the system processes, stores or transmits; or (ii) violates the security policies, security procedures or acceptable policies, whether resulting from malicious activity or not.” Cyber risk is actually a form of operational risk. Cyber risks can be classified on the basis of cause or method, actor, intent, and consequences.

Causes or Methods

Causes or methods include both unintended incidents and intentional attacks. Unintended incidents may include accidental data disclosure and implementation, configuration, and processing error.

Actors

Cyber attacks that involve threat actors inserting themselves into a trusted data exchange take the following forms:

• Malicious software designed to infiltrate systems and steal data;
• Man-in-the-middle attacks where attackers sandwich themselves between two parties in a transaction with an intent to manipulate figures and steal critical data;
• Phishing, where malware-infested emails are sent with the goal of gaining access to critical systems and stealing entry credentials;
• Cross-site scripting, where malicious scripts are injected into otherwise benign and trusted websites; or
• Password cracking where malicious codes are used to breach passwords to gain entry into a critical system.

Some cyberattacks may involve professional tools and planning. An example of a cyber attack under this category is a zero-day exploit where an attack against a hardware or software has been discovered but is yet to be made public.

Cyber attacks can have severe consequences. Disruption of businesses and failure of IT systems can cause harm to the integrity and hinder the provision of services. The confidentiality data may be compromised, leading to financial and reputational losses. Fraud and theft involve the loss of funds or even property.

Cyber Threats Faced By Financial Institutions Following the COVID-19 Crisis

1. Mass migration to working from home (WFH) has made institutions more vulnerable to attacks

Financial institutions have been forced to adopt a working from home (WFH) policy in an attempt to limit the spread of the virus. But the move has only served to increase the threat of cyber-attacks for several reasons.

First, households and home networks do not enjoy the same level of protection and sophistication as office networks. For instance, research shows that WFH has increased the use of virtual private networks (VPNs) and remote desktop protocol (RDP) by 33% and 41%, respectively. This has given attackers a new window to launch their attacks and penetrate systems.

Second, WFH comes with new risks. WFH means staff has to share networks with other family members and devices. This has provided new attack points for malware that could ultimately penetrate a firm’s enterprise environment.

For example, video conferencing has been the preferred way to hold meetings. But some video conferencing devices and services have been found to have suboptimal anti-threat mechanisms, making them an easy target for hackers.

2. Reliance on third-party vendors has resulted in an increase in cyber attacks

In an attempt to improve enterprise systems and better manage IT infrastructure, most financial institutions have resorted to outsourcing more and more IT services from third-party vendors. But it’s an open secret that an institution’s control over a vendor’s cyber resilience measures is limited.

Even though the institution may take steps to ensure that the vendor embraces the latest cybersecurity tools, the vendor is ultimately in charge of its own systems and may not put in place the same level of protection as the institution. This means that attackers may still be able to penetrate the institution’s platform by compromising the vendor’s systems.

In Dec 2020, for instance, hackers managed to infiltrate and insert malware into SolarWinds Orion, an infrastructure monitoring system used by more than 33,000 institutions around the world. Although the financial sector was not the main target, the attackers were able to remain undetected for months.

3. Compared to other sectors, the financial sector has faced more cyber attacks since the COVID-19 pandemic started

Data gathered by Advisen – a for-profit data provider – shows that the number of cyber-attacks increased between February 2020 and June 2020. This coincides with the increase in the uptake of WFH arrangements. The finance and insurance sector was the hardest hit, taking about 25.3% of the total number of attacks.

Insurers and credit unions bore the brunt of the attacks within this sector. These attacks were mainly in the form of phishing, suspicious scanning, and cross-site scripting.

4. Evidence suggests that COVID-19 presented new opportunities for attacks, but the same threat actors, methods, and tools have been in use.

The threat actors and attack methods used during the COVID-19 crisis are the same as those used before the crisis. Only the volume and scale of attacks went up. The most-reported attack method involved phishing. In other cases, attackers imitated well-known sources of COVID-19 information (such as the WHO) to get users to open links and files infected with malware.

Cyber Resilience Measures Taken to Mitigate Risks to Financial Stability

We have two near-term trends that should be considered. First, more people will continue working remotely than before the pandemic. Businesses need to create business continuity plans that recognize people will continue working from home over longer periods. In short, there is a need for businesses to adapt to the ‘’new normal’’.

Second, it’s highly likely that financial institutions will continue moving their IT operations to public cloud environments. As the cloud service market becomes highly concentrated, there is a danger of increased homogeneity in the financial sector and single points of failure. A survey conducted recently shows that 82% of firms have increased cloud usage, and 91% have more strategic plans for cloud usage in the near future. By using the same software, hardware, and vendors, incidents will spread more quickly, and as such, there’s a risk of industrial-wide attacks that throw the entire financial system into turmoil.

In addition, the pandemic has forced policymakers and businesses to take action and work together to find ways to mitigate emerging cyber risks. In the same vein, numerous organizations in both public and private sectors are strengthening their operational resilience. Most of these organizations are also actively participating in ‘’war games,’’ which are basically simulations of high-level cyber attacks. These practices help identify vulnerabilities, enhance preparedness, and strengthen lines of communication. In addition, financial supervisors are leveraging both national and international standards in their efforts to promote cyber resilience.