What Did Bankers Identify as Top Cybersecurity Threats for 2023?
As the process of protecting systems, networks and endpoints from attack, cybersecurity is critical to any organization. Since financial institutions must protect customer or member data, keeping up with evolving cyber threats is vital. In its annual Banking Priorities survey, CSI asked bankers across the country about their views on top cybersecurity challenges. Read on to learn more about how bankers view the changing cybersecurity threat landscape.
Exploring the Top Cybersecurity Threats
As part of our country’s critical infrastructure, financial institutions are prime targets of cyberattacks perpetrated by criminal and state-sponsored hacking groups. Financial institutions also play an important advisory role in helping their customers or members understand current scams and how to avoid them. As a result, navigating the evolving cybersecurity threat landscape will always be a full-time activity—especially given the current geopolitical climate.
Let’s examine the breakdown of the top four issues chosen by bankers in this year’s survey:
- P2P or other digital fraud: The results reveal that 29% of bankers view P2P or other digital fraud as the top threat, which is unsurprising given the surge in P2P fraud in recent years. Recent data revealed that the four biggest U.S. banks reported more than 190,000 scams in which “customers reported being fraudulently induced into making payments on Zelle.” These scams involved over $200 million of payments in 2021 and the first half of 2022. As consumers increasingly rely on P2P payments for their convenience and ease of use, fraudsters are clearly capitalizing on this popular payment method, which explains why bankers in CSI’s survey voted it their biggest cybersecurity concern. While financial institutions have shored up defenses to combat recent scams, security-minded consumers who follow best practices to mitigate the risk of P2P fraud further increase protection.
- Data breach/disclosure: 23% of bankers selected data breach/disclosure as the top cybersecurity worry for 2023. U.S. banks were hit with an unprecedented number of data breaches in 2022, and it’s estimated that more than nine million consumers across the country were affected by breaches against financial companies. Breaches can result in serious financial and reputational consequences, with many consumers losing faith in their institution after an incident. The attack surface continues to grow as institutions adopt more applications, devices and other technology, creating a need for increased cybersecurity monitoring.
- Ransomware: 20% of bankers are worried about the threat of ransomware in 2023, an attack that is often the result of social engineering schemes. Ransomware locks out the authorized user, encrypts the data and holds it for ransom. Even if an institution has backups in place and avoids playing into the criminals’ hands by refusing to pay, data the attackers copied before encrypting it can still be released on the dark web. So, this type of attack can wreak havoc on an institution’s operations and reputation. As cybersecurity threats and vulnerabilities evolve, institutions should prioritize around-the-clock monitoring for suspicious activity and real-time threat remediation.
- Third-party vendor breach: 15% of respondents indicated a breach at a third party with whom they do business as the top cybersecurity concern for 2023. With increased reliance on third parties for a multitude of services, as well as increased scrutiny from examiners, auditors and even leadership teams and boards of directors, the pressure to properly vet vendors and minimize risk is greater than ever.
This result reinforces the importance of due diligence when choosing vendors. Your institution’s vendors are likely an enormous asset, but they could also become a tremendous liability. Knowing your vendors and the risks they pose to your institution is far more than just a compliance requirement—it’s necessary to run a successful operation.
Are Bankers Ready to Respond to Cybersecurity Threats?
Maintaining an adequate level of cybersecurity readiness is a never-ending responsibility. Let’s gain insight into banking executives’ perspectives:
- Preparing for a cyber incident: Most respondents (80%) agree or strongly agree they know what to do if their institution experiences a cyber event. With the computer-security incident rule in place, all institutions must have reporting processes mapped out. Your institution should have an incident response plan (IRP) that details the steps to take in the event of a cybersecurity incident, including processes that meet the requirements of this rule. Having an established IRP will make it easier for your institution to act decisively and minimize negative consequences if faced with a cyberattack.
- Understanding cyber risk: An overwhelming majority (77%) agree or strongly agree they understand cyber risk. But as risk evolves, banking executives must stay abreast of the latest threats and tactics. If your institution hasn’t already, consider implementing a cybersecurity framework to guide risk mitigation. In addition to implementing a framework such as the Cybersecurity Assessment Tool (CAT) or the NIST Cybersecurity Framework (CSF), adopting the CIS Controls can help identify and implement strong controls for the highest risk areas in your organization, maximizing your compliance initiatives and cybersecurity spending.
- Implementing a cybersecurity education program: Only 68% agree or strongly agree that their cybersecurity program is effective, and 26% of respondents were neutral. If your employees receive a suspicious email, do they know the proper steps to report it? Educating employees on evolving threats and the latest social engineering schemes is one of the most effective ways to mitigate cyber risk.
- Producing a business case for cyber spending: A little less than half (47%) of respondents feel their CISO can produce a strategic business case for cyber spending. Since cybersecurity affects the entire organization, it should be viewed as a business issue. IT governance helps your institution ensure your technology investments support your unique goals while mitigating IT- and cybersecurity-related risk. IT governance experts can also supplement your CISO’s efforts in making a business case for cyber spending.
Embracing Recommendations from the FFIEC AIO Booklet
Financial institutions have had over a year to digest the most recent addition to the FFIEC’s Information Technology Examination Handbook, Architecture, Infrastructure and Operations (AIO). This year’s survey asked bankers which of the recommendations from the AIO Booklet they have embraced.
Nearly half (47%) of bankers are increasing cybersecurity training for senior management and boards, and 31% use a cybersecurity framework, such as the CAT or NIST CSF. It’s concerning that less than one-third of bankers are using a cybersecurity framework, especially since regulators are actively examining this issue within financial institutions.
43% of respondents reported establishing risk tolerance, which is the level of risk your institution is willing to take when pursuing a goal. This is an encouraging result, as the level of appropriate cybersecurity protection should be determined by your institution’s goals and risk tolerance.
Nearly 30% are partnering with a consultant for IT governance services to ensure technology investments support an institution’s goals. Instead of viewing IT and cybersecurity as technical issues, institutions should view these areas through a business lens. IT and cybersecurity initiatives should align with an institution’s goals for optimal effectiveness. As mentioned in the AIO Booklet, IT governance is critical to an institution’s success. A lack of governance could negatively affect cybersecurity readiness and result in inefficient use of resources.
Since more than a quarter (27%) of bankers participating in the survey indicated that they weren’t sure or didn’t have enough information to indicate whether their institution was using any of these recommendations, consider having a C-level discussion about the intent of this new handbook and your institutional alignment with it.
Why Institutions Should Understand Top Cybersecurity Threats
Dealing with cybersecurity threats is nothing new for financial institutions. Still, institutions should exercise constant vigilance and stay abreast of the latest threats to ensure they mount the most effective defenses. Falling victim to a cyberattack or data breach can have lasting financial, operational and reputational consequences.
Because of evolving cyber threats, it is no longer enough to think of cybersecurity as segmented pieces of a strategy. Your institution should embrace a holistic approach to cybersecurity, which involves deploying multiple layers of defenses. This helps ensure that if a threat makes it past the first lines of defense, others exist to increase the likelihood that it is detected and remediated. By keeping a pulse on current threats and where the cybersecurity landscape is headed, your institution will be better positioned to keep your network, data and users secure.
Learn more about bankers’ perceptions of the 2023 financial services landscape in the full Banking Priorities Executive Report.
Steve Sanders serves as CSI’s chief information security officer. In his role, Steve leads CSI’s information security vision, strategy and program, and chairs the company’s Information Security Committee. He also oversees vulnerability monitoring and awareness programs as well as information security training. With almost 20 years of experience focused on cybersecurity, information security and privacy, he employs his strong background in audit, information security and IT security to help board members and senior management gain a command of cyber-risk oversight.