Authors Zhanin Al-Shargabi, Atanas Kirov – Law and Internet Foundation

Banks, as financial institutions that deal with large amounts of money and assets, are key targets for cyberattacks. It does not come as a surprise that such cyberattacks cost them 300 times more than any other industry.i Some accounts claim that the attacks against an average American business may amount to 4 million, while those against financial institutions reach the astonishing number of around 1 billion.ii

One of the most prominent attacks was carried out by the Carbanak group. This cyberattack managed to steal around 1 billion dollars from more than 100 financial institutions spanning over 40 countries.iii The members of this group infected the systems of numerous banks, and their malware instructed ATMs to dispense large sums of money.iv Another method they used was infecting the systems of the institutions and then controlling the online banking platforms to divert money from different accounts.v It seems bank heists no longer involve the actual risks of an armed robbery: they can be done remotely, and all traces can be duly hidden in a way that leaves authorities wondering where to start investigating. While the individuals affiliated with Carbanak were traced in the end, many attacks and hits against banks remain unsolved.

The Carbanak attack and other attacks of this sort are extremely worrying, as many financial institutions have similar, if not identical, IT structures and security management.vi Under such circumstances, other malicious actors can reuse these tactics and target several institutions with high efficiency, while cyberattack prevention units are left struggling to trace the attacks and limit their effects and scope.

This shows the importance of financial institutions having modern and updated cyberattack prevention structures that are adapted to the newest risks and adequately protect all sensitive banking data, security information and personal data of users. One way to ensure this would be through the regulatory approach – states enacting precise legislation in order to ensure compliance with the highest safety standards. To make this process even easier, financial institutions can turn to regtech – technology that seeks to enhance regulatory and compliance processes. In this sense, virtual banking could be fully technology driven.vii

Furthermore, financial institutions must follow strict safety guidelines in their operations. All practices must include monitoring, risk management, risk assessment, control testing and strong governance. Banks also cooperate with many third parties and vendors that are part of their work process. This raises concerns when the security awareness and measures enacted by these third parties are not up to the same standards as those adopted by banks, or when financial institutions are not even aware of what practices their partners follow in order to ensure adequate cybercrime prevention. Consequently, it is extremely important that financial institutions carefully pick the outside parties with whom they work and stress the importance of those parties adopting safety compliance measures and risk control.viii

Moreover, financial institutions should also be aware of some unexpected circumstances that may influence the scale, scope and severity of cyberattacks against them. Firstly, it has been pointed out that demonetization of currencies may push individuals towards online banking and online payments, and this in turn may cause a spike in cyberattacks.ix If banks have not considered such a rise, have not prepared adequate security measures in response and have not ensured that their systems are able to withstand the additional pressure, they may face great risks they were not ready to adequately deal with. Another such unexpected and unprecedented pressure was faced during the COVID-19 crisis. There, a number of complications led to large and unforeseen risks:x

  • For example, there was a rise in phishing emails with content connected to the coronavirus crisis being sent to bank users. Similarly, during the pandemic, there was a rise in call center scam calls as well. As individuals were stuck at home and had high levels of financial anxiety due to the crisis, they were an easy target for malicious individuals posing as bank officials in order to manipulate them into leaking their sensitive banking data.
  • Furthermore, another easy target were bank employees who were at times working from home. In such unprecedented circumstances, banks were forced to loosen some of their safety protocols. For example, some employees may have been lenient, and institutions may have allowed them to work outside the Virtual Private Network (VPN) of the bank or to otherwise diverge from the high-level security measures they would have followed on the premises of their office.
  • Another interesting observation was that financial institutions found it hard to trace unusual activity, since some employees started working outside of their usual work hours. In the privacy of their own homes, people began to shift their schedules to what they felt comfortable with, or because they were in different time zones.

Some of these developments may have been predicted, while others would seem harder to foresee. Financial institutions must therefore ensure that they have risk assessment teams that thoroughly analyze such potential risks, so that they are able to address them in due time.

The contents of this publication elaborated under the GUARD project are the sole responsibility of the authors and can in no way be taken to reflect the views of the European Commission. GUARD has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 833456.