The growth of internet usage, online banking, and digitalization of financial services has increased cybercrime and cyber criminals’ attack surface. Financial institutions are a prime target for cyber-attacks due to the large amounts of data and money they hold.
In the past few years, there has been a rise in cybercrime in financial institutions, with the Singaporean bank breach being one of the most prominent.
The cost of any breach can be pretty staggering, considering the cost of litigation and the reputational damage the banks might face.
During Fintech Fireside Asia’s latest panel discussion, high-powered executives representing SC Ventures, Bank Negara Malaysia, DBS Bank (Hong Kong), and Fortinet delved into the current state of cybersecurity in Asia’s financial services sector. They also discussed the importance of cyber resilience and how to innovate securely to stay ahead of the curve in 2023’s cyber threat landscape.
Increased cyber threats on financial institutions
Deputy Director of Risk Specialist & Technology Supervision Department at Bank Negara Malaysia (BNM), Ng Lee See, said there had been an increasing trend of cyber threats to financial institutions, including distributed denial of service (DDoS) and phishing ransomware. However, these attacks were largely averted due to the system’s resilience, causing minimal impact.
With the rising threats, cyber-resilience has become a high priority for regulators and chief information security officers (CISOs).
She added that there are a few areas of development that steer policy direction in Malaysia. First, banks rely heavily on third-party service providers (IT infrastructure, software, or telecommunication services), and cyber attempts and incidents affecting third parties are increasing.
The central bank has its baseline requirements for security controls and oversights stipulated in the Risk Management in Technology Policy which has been updated to reflect the new cyber resilience requirements. FIs are expected to continue strengthening the management of third parties.
Moreover, Malaysia has a vibrant, innovative fintech industry in terms of payment players, digital players, and the use of cloud computing and APIs (Application Programming Interfaces) in open banking; therefore, BNM is constantly monitoring and expecting FIs to manage these aspects.
The central bank is issuing further guidance on cloud technology risk management, and the exposure draft was issued in 2022 for the industry’s feedback, with the plan to publish the final draft this year.
“We expect financial institutions (FIs) to take building cyber resilience and strategic investment as a continuous priority with oversight from senior management,” said Lee See.
AI technologies are being misused by bad actors
The emergence of Artificial Intelligence (AI), such as ChatGPT, is a cause of concern for CISO Viren Mantri from SC Ventures.
“It is difficult to distinguish between a machine and a human and who is attacking us. So, we need to be careful. We need to be more cautious about it. We are moving from Web2 to Web3 and metaverse. These are the new dimensions of attack vectors; we should be cautious,” said Viren.
He gave examples of two highly sophisticated cyber intrusions that created a lot of havoc – the infiltration of the supply chain of SolarWinds and the Log4j zero-day vulnerability.
“These attack vectors will continue to exist, they will become more sophisticated, and with pervading social networks and more of us, almost everyone is going digital. This will continue to be explosive in nature,” he added.
“We want to do continuous third-party security assessments. Depending on the extent of integration we do with the industry as a third party, we need to dive in deep to ensure that they protect us and we protect them,” said Viren.
Thinking ahead
Senior Business Development Manager, Southeast Asia & Hong Kong of Fortinet, Ching Ping Wong, recommends that all players look ahead and take a long-range view.
“If cybercriminals can use AI and then from a security point of view, we are already using AI in certain ways. I think the continuous use of such methods as machine learning AIs to improve the detection and then subsequently to quickly or shorten the response time would be something that we all should be looking at,” he said.
Raising awareness in a new and challenging environment
Executive Director and CISO of DBS Bank (Hong Kong) Ricky Woo said that users must be more aware of cybersecurity and its threats.
“In 2022, the risk landscapes will encompass new technology, and all businessmen know that they will rely on new technologies to boost their business. So, from the cyber guys, we need to know what exposure and what sort of risk assessment or risk controls should be in place to protect the firm,” said Ricky.
“The challenges now are different and require a new game plan. We need to think about another contingency plan if both primary and secondary resources are unavailable,” he added.
Strengthening cyber resilience
The Dark Web has been a hub for criminal activity for many years. In recent years, however, there has been a surge in the number of ‘cybercrime-as-a-service’ providers. These providers offer various services, from stolen data and identity theft to DDoS attacks and ransomware.
The increase in ‘cybercrime-as-a-service’ providers has made it easier for criminals to carry out cybercrime. This, in turn, has made it more difficult for organizations to protect themselves. So, what can organizations do to protect themselves from these threats?
Lee See said that it remains crucial for FIs to strengthen cyber resilience continuously and improve their cyber defense, in terms of protecting the customers who use digital services.
Ching Ping said that having reconnaissance within the web is absolutely critical.
“It allows us to have both inside and outside views of our organisations, which is essential. And being able to interact with cybercriminals in some ways which are out there peddling these services will give companies leverage,” he added.
Meanwhile, Viren said continuous evaluation is crucial, as is being resilient enough to bounce back as soon as possible from any attack.
Ricky added that complete mediation, penetration tests, and vulnerability assessments would ensure everyone is in good shape.