25 July 2024 • 3 min read

Cyber criminals target financial service providers to get at sensitive client data

Hackers are targeting financial service providers for sensitive client data, increasing the risk of fraud. Ryan van de Coolwijk of iTOO Special Risks discusses the growing threat, preventative measures, and the role of cyber insurance in managing these risks.

iTOO


Financial service providers are increasingly being targeted by hackers because they hold sensitive information about their clients. This data is indeed a rich treasure trove of information that can be used to commit fraud should it fall into the wrong hands.

This is according to Ryan van de Coolwijk, Product Head: Cyber at iTOO Special Risks, who says that it is not uncommon for people to interact with their broker around making payments and transferring money or waiting for payments.

“So, looking at business email compromises, it is a great bet for cybercriminals to insert themselves into this interaction because the emails and discussions around financial transactions are commonplace there,” says van de Coolwijk.

Ryan van de Coolwijk, Business Unit Head: Cyber, Collectables and Digital Distribution

The Financial Sector Conduct Authority’s (FSCA) Regulatory Actions Report (1 April 2023 to 31 March 2024) states that “The increasing globalisation, interconnectedness, and technological advancements have provided fraudsters with more sophisticated tools and larger platforms to exploit financial customers, requiring the FSCA and its enforcement efforts to continuously adapt”.

The report cites the rise of deep fake scams, impersonation of legitimate financial service providers, impersonation of regulators and exploitation via social media platforms as some examples of how fraudsters are exploiting advancements in technology.

“The FSCA is getting a lot more involved in trying to ensure that good security practices are being implemented by the financial service providers. The Authority is looking to publish its own standards that financial service providers have to comply with,” says van de Coolwijk.

“The draft standard will touch on a lot of measures to improve a company’s overall security posture. The FSCA is looking to make sure that financial service providers are treating and protecting data as they should.”

However, he notes that instead of awaiting the standard, organisations should already be looking at what they could do better to safeguard and protect against the types of impersonation attacks mentioned in the FSCA report.

“So, this sometimes feels like we are always beating the same drum, but it comes down to education, awareness and vigilance. Companies must continually educate their staff about what to look out for in emails, not to click on links and not to change bank account details without validating the request first,” says van de Coolwijk.

Technology such as DMARC is available to prevent spoofing of email domains. It allows a company to declare, for example, that emails sent from its domain can only come from certain locations. Any attempt to spoof that email domain would then result in those emails being automatically discarded, never reaching their target.

“There are technologies designed to help improve companies’ defences against such attacks, ultimately it’s education, awareness, vigilance and processes for companies to implement to try and safeguard against what has become the weak point in the security ecosystem – the individual,” explains van de Coolwijk.

However, should those measures effectively fail, cyber insurance coverage is the last layer of protection that organisations can rely on. There are different covers available that protect businesses and even individuals against financial losses incurred due to cybercrime.

While prevention remains the best line of defence, cyber insurance is an essential part of cyber risk management and helps businesses respond and recover from the financial costs of a cyber event. The drastic rise in cyberattacks on financial services providers should be a stark reminder that it is not a matter of if but when hackers will strike.

As featured on FANews and Smart Security Solutions.