Site Search

Menu

Capabilities

Menu

Artificial Intelligence (AI)

Menu

Cybersecurity, Risk and Regulatory

Menu

Financial Markets & Real Estate

Loading Results

Cyber impacts of market events in the financial services sector

Our Take Special Edition - March 30, 2023

Conditions are ripe for cyber threat actors and fraudsters to exploit opportunities during this period of bank stress. Customers seeking safety are moving substantial funds and engaging in numerous transactions. They’re often operating outside their usual conventions and relationships. And they are the target of fraudulent schemes perpetrated via phishing or mis/disinformation. 

Systems at banks enmeshed in these adjustments due to bank stress are likely experiencing a capacity surge. Meanwhile, cyber and anti-fraud teams are busy implementing temporary rule changes in transaction monitoring and surveillance systems. The wave of activity and the temporary rule changes raise the probability that malicious activities by cyber adversaries could go undetected.

We see five key areas of heightened risk exposure where organizations should consider taking proactive action.

1. Combating cyber-enabled fraud across money movement business processes

Impact: 

With thousands of businesses potentially changing their banking relationships, cyber criminals are taking advantage of the environment by inserting themselves into the process and posing as legitimate users. Financially-motivated cyber criminals have been observed leveraging phishing campaigns and malicious domain registrations to impersonate financial institutions and banking consumers in an attempt to steal personal and financial information. In an uncertain and urgent environment, financial institutions can be extra-vigilant and take additional precautions to mitigate the risk of fraud via phishing attacks or compromised business email. (See PwC’s Strengthen bank fraud and financial crime defenses amid activity surge report.) 

Key actions to consider:

  • Trust but verify - Enable multi-factor authentication (MFA) to prompt two forms of verification prior to authenticating users into the network and business systems. Prior to initiating payment transactions, it is important for financial teams to be cognizant of possible fraud and to take precautions, such as assessing multiple methods of verification. For areas where third-parties support execution, include additional monitoring of vendor-executed changes to payment/transaction source files to track any anomalous activity. 

  • Prevent malicious spam - Enable advanced email threat protection capabilities such as filtering to protect against email spoofing and spearfishing and to help reduce the risk of spam emails ever reaching someone’s inbox.

  • Network hardening - Confirm network security protocols are configured to ‘deny by default,’ meaning all internet traffic is assumed to be malicious unless proven legitimate. 

  • Inform users - Advise financial and accounting employees, executives and customers to be on the lookout for suspicious activity or unusual forms of communication urging them to take action. Reassure and inform customers of secure methods for engaging with financial institutions and conducting business transactions. Provide additional guidance to agents at call centers and help desks to flag and report suspicious activity.

  • Domain active monitoring - To help reduce the risk of domain spoofing, organizations should adopt a multi-pronged strategy that includes collecting domain intelligence, analyzing domain strings and content and mitigating risks through domain takedowns.

  • Incident response planning - With a likely increase in fraud, financial services businesses should include fraud scenarios in their incident response plans and continuously update them to remain relevant.

2. Critical operational and security systems strained by capacity surge

Impact: 

Financial institutions experiencing a capacity surge should be prepared to manage people, process and technology expectations. A surge could affect a number of important processes and systems, including network infrastructure, security operations centers and cloud-based applications and severely disrupt business operations that could impact organizations and the financial markets at large.

Key actions to consider:

  • Capacity planning - Develop a capacity planning strategy that takes into account your business’s current and future needs with regards to infrastructure and resources. The strategy should include an incident response plan that outlines required steps in the event of a capacity surge.

  • Internal collaboration - Collaboration between security and IT teams is critical to determine if the infrastructure and resources required to manage capacity surges are in place. This may include reviewing network and system capacity, identifying potential gaps and evaluating backup resources. Additionally, close collaboration between fraud, insider threat and threat intelligence teams could be required to support development of new detection patterns to identify and block anomalous behavior. 

  • External collaboration - Work closely with your Managed Security Service Providers (MSSPs) to confirm cyber operations resume their Business-as-Usual (BAU) mode with previously defined Service Level Agreements (SLA). Collaborate with your Cloud and SaaS vendors to manage and handle capacity surges and scale at short-notice during a crisis event.

  • Increase licenses - Assume that there will be a capacity surge and procure necessary licenses and required storage space in advance, especially for networking and security operations. Historically, license acquisition/approval processes are known to take a few days to weeks - this will likely need to be accelerated to adapt to the immediate capacity needs. 

  • Enhanced monitoring of security performance - Review existing security and performance metrics related to critical cyber defense operations (vulnerability, path, application security management) to monitor any deviations from standard operations and detect any outliers or performance degradation.

3. Heightened monitoring of insider activity

Impact: 

Turbulent market conditions and significant customer transaction activity increases the risk of not detecting insider threats. Malicious intent or compromised insider access could be used as an avenue to take advantage of the situation to commit an act of fraud for personal gain and/or to manipulate existing technology and business controls. Additionally, waiving of certain monitoring activities could embolden individuals with privileged access to transfer confidential information via email or their personal devices.

Key actions to consider:

  • Fusion center - Work closely with vendors and partners to confirm cyber operations resume their business-as-usual (BAU) mode with previously defined SLAs. Leverage robotic process automation capabilities to expedite manual reviews of reported findings. Set alerts, review SIEM logs regularly and prioritize investigation of insider incidents.
  • User activity monitoring - Map user privileges against roles and responsibilities to help identify anomalous behavior. Flag large downloads, transfers or other potential indicators of data exfiltration.
  • Protect data - Leverage data loss prevention capabilities to monitor web and email traffic, uploads to cloud storage sites and use of unsanctioned or non-approved SaaS applications. Inventory and classify sensitive information to enable additional data security controls.

4. Dis-information, mis-information campaigns affecting customer trust

Impact: 

Malicious actors may be taking advantage of recent events by using digital dis- or mis-information to amplify customer distrust and prey on fear. While misinformation might be spread with no ill intent, disinformation is intentionally distributed or presented in a false context to damage corporate reputations, to lower social and customer trust and, potentially, to cause financial loss. In addition, threat actors may send anxious employees fake recruitment offers that include malicious links; one click of the mouse can compromise a corporate network.

Key actions to consider:

  • Enable data trust - Prioritize customer-facing data governance, discovery, protection and minimization practices. Disinformation attacks are most successful when directed at companies that haven’t engendered trust. Brands which possess a high level of trust may be able to thwart disinformation campaigns. 
  • Monitor public information forums - Monitor mainstream media and social channels for real-time alerts on nascent disinformation campaigns; alternatively engage third-party monitoring and sentiment analysis services.
  • Plan and test - Create a disinformation recovery plan aligned with your existing incident and crisis management programs. Develop a playbook, periodically test it and be ready to put it into action when disinformation arises. Practice for a disinformation attack like you would for other types of attacks through simulations and exercises.

5. Customer online account takeovers and transaction activity

Impact: 

Cyber criminals use stolen credentials, social security numbers and personal data to hijack legitimate accounts and execute fraudulent activities such as diverting funds, changing shipping addresses, increasing spending limits. This can impact consumer and corporate account holders alike, who may be responsible for increased transaction disputes, chargebacks, reputational damage, loss of consumer trust and potentially high customer churn.

Key actions to consider:

  • Authentication during customer service - Enforce heightened authentication checks and validation during service transactions with customers to help reduce risk of impersonation and potential fraud.
  • Strong passwords - Enforce password complexity requirements and password rotations. Ensure passwords are not easily guessable. Limit the number of log-in attempts. Restrict the use of the same password across multiple accounts, especially privileged accounts, and leverage multi-factored authentication (MFA).
  • Monitor security - Monitor transaction accounts and flag unusual activity for rapid response and recovery.
  • Secure networks - Block IP addresses from countries where you do not conduct regular business.

Download

Cyber impacts of market events in the financial services sector - March 30, 2023

{{filterContent.facetedTitle}}

Follow us

Required fields are marked with an asterisk(*)

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.

Hide
Audit and Assurance services Consulting Tax services Newsroom Alumni US offices Contact us

© 2017 - 2024 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.