Financial Services risk:
Cyber security concerns grow

Expert risk article | May 2021
  • Growing numbers and new forms of financial crime, driven by Covid-19. At the beginning of the pandemic, the number of cyber-attacks rose by over 200%.
  • Seismic shift in the regulatory view of privacy and cyber security. Cyber resilience and business continuity are a growing area of focus.
  • Third party service providers can be a weak link in the cyber security chain.
  • Investing in training helps minimize the human error at the heart of most cyber incidents.

Cyber security experts warned of a perfect storm for financial institutions as Covid-19 led to a rapid and largely unplanned increase in homeworking and electronic trading, and that storm soon materialized. Attacks against the financial sector increased 238% globally from the beginning of February 2020 to the end of April, with some 80% of financial institutions reporting an increase in cyberattacks, according to cyber security firm VMware [1].

Recent months have also seen a number of major global cyber-attacks. In December 2020, the Orion system of information technology firm SolarWinds was compromised, affecting about 18,000 customers. In March 2021, Microsoft revealed that hackers were exploiting ‘zero-day’ vulnerabilities in its Exchange Server mail and calendar software to access company networks. By exploiting these vulnerabilities, attackers can place malicious code on the Exchange servers, which can then be used for ransomware, espionage or even diverting the system’s resources to mine cryptocurrency on behalf of the criminals.

Financial services companies continue to be heavily targeted, and typically feature in the top five sectors for severity and frequency of cyber-attacks, according to Thomas Kang, Head of Cyber, Tech and Media, North America at AGCS: “These companies hold a lot of sensitive data on individuals, businesses and governments. At the end of the day, it is where the money is.”

Cyber is an existential issue for financial institutions, which is why they invest heavily in cyber security, says Kang. However, with such potentially high rewards, cyber criminals will also invest time and money into attacking them. “Take the Carbanak and Cobalt malware campaigns, for example. These targeted [2] over 100 financial institutions in more than 40 countries over a five-year period, stealing over $1bn,” Kang adds.

At a time when financial institutions are becoming more reliant on technology and data to provide products and services to customers, they increasingly face a changing regulatory environment. In many parts of the world, financial services firms face a growing body of regulation, including continually changing data protection and privacy rules, as well as cyber security requirements.

In particular, there has been a seismic shift in the regulatory view of privacy and cyber security, explains Kang: “Where regulators previously looked to incentivize firms to invest in cyber security, they now see it through the lens of consumer rights and data privacy. With the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act, companies now need to operationalize their response to regulation and privacy rights, not just look at cyber security.”

Losses resulting from the external manipulation of computers, such as distributed denial of service (DDoS) attacks or phishing and malware/ransomware campaigns, account for the significant majority of the value of claims analyzed across all industry sectors (not just those involving financial services companies). Cyber-crime generates the headlines, but the analysis shows that more mundane technical failures, IT glitches or human error incidents are the most frequent generators of claims, although, overall, their financial impact is limited.

Whether it results from an external cyber-attack, human error or technical failure, business interruption is the main cost driver behind cyber claims. It accounts for around 60% of the value of all claims analyzed.

The consequences of data breaches are increasing, with more aggressive enforcement, higher fines and regulatory costs, and growing third party liability. Under the GDPR, the number and value of fines for data and privacy has been growing while jurisdictions around the world have been introducing stricter data laws. Increasingly, breaches and regulatory actions are followed by litigation, with a number of group actions now pending in the UK as well as the US. A data breach at Capital One bank in 2019 – one of the largest-ever – resulted in an $80m fine [3] and a number of lawsuits by affected customers. More recently, regulators have turned their attention to cyber resilience and business continuity. Following a number of major outages at banks and payment processing companies, regulators have begun drafting business continuity requirements in a bid to bolster resilience.

In October 2020, a technical glitch halted trading on Japan’s stock exchanges, while, a couple of months earlier, the New Zealand Stock Exchange shut down operations after a network provider experienced an extended distributed denial of service (DDoS) attack. These incidents came just months after a ransomware attack caused almost a month of outages at foreign exchange company Travelex, which also affected services at a number of banks. In the UK, the Financial Conduct Authority (FCA) recently introduced rules and guidance on operational resilience for banks and insurers. The rules, which will come into force on March 31, 2022, require firms to address disruption to important business services from a range of events, including cyber-attacks, technical glitches and power outages. In Europe, the proposed Digital Operational Resilience Act (DORA) would introduce an EU-wide regulatory framework on digital operational resilience for a wide range of financial services firms, with a focus on business continuity and the management of third-party risk.

Ransomware attacks continue to increase in frequency and severity, with ever larger ransom demands. Last year, the Securities and Exchange Commission in the US warned about a rise in the number and sophistication of ransomware attacks on US financial institutions. Ransomware attacks were up ninefold between February and the end of April 2020, according to VMware.

A recent development has seen hackers steal sensitive data and threaten to publish it online if ransoms are not paid. US lender Flagstar Bank, for example, suffered a ransomware attack in early 2020 that saw hackers post personal details online in an attempt to extort money. Last year, Chilean bank BancoEstado shut down branches after a ransomware attack.

“We have seen an increased frequency of these attacks in the past year,” says Marek Stanislawski, Global Cyber Underwriting Lead at AGCS. “If criminals can get access to critical systems or sensitive data they will look to monetize the attack through extortion. At the same time, the rise of cryptocurrencies like Bitcoin is making it easier for cyber criminals to carry out successful ransomware or extortion attacks.” In March 2021, CNA Hardy was also hit by a sophisticated ransomware attack which impacted its operations and email systems and significantly disrupted the insurer for a number of weeks.

With many employees working from home and under increased stress, Covid-19 has created opportunities for cyber criminals to carry out various scams and cyber-attacks. The US Federal Bureau of Investigation (FBI) [4] received over 28,500 complaints related to Covid-19 cyber-crime alone in 2020. Many incidents looked to exploit stimulus funds and Paycheck Protection Program (PPP) loans, as well as to use Covid-19 related phishing attacks to steal money or personal data. Business email compromise (BEC) attacks, also known as “fake president” attacks, are a particular problem for financial institutions that make large numbers of high value payments on behalf of their customers. The cost of BEC attacks reached $1.86bn in 2020, accounting for almost half of all reported cybercrime losses. Such attacks are becoming more sophisticated and increasingly involve identity theft and funds being converted to cryptocurrency.

ATM “jackpotting” attacks continue to be a threat. On July 13, 2020, Belgian savings bank Argenta shut down 143 cash machines after criminals tried to take control of them through its network servers. These attacks have become increasingly sophisticated, and over the last five years jackpotting has cost the financial services sector millions of dollars: the Ploutus family of ATM malware, which originally appeared in Mexico in 2013, has created losses of over $450mn around the world.

One of the largest and most sophisticated attacks of the past year, the SolarWinds incident, was a supply chain attack. Hackers accessed SolarWinds’ network and injected malware into its management software in order to target thousands of organizations, including banks and government agencies. The SolarWinds breach is an important reminder of the potential vulnerability of the financial services sector to cyber-attacks and outages via its reliance on third-party suppliers and service providers, over which firms have little or no control when it comes to cyber security. This is likely to become a bigger issue as regulators increasingly focus on business continuity and operational resilience going forward. “Third-party service providers can be the weak link in the cyber security chain,” says Kang. “We recently had a bank client suffer a large data breach after a third-party vendor failed to delete personal information when decommissioning hardware.”

Most financial institutions now make use of cloud-run software and services to access additional processing capacity, as well as for IT infrastructure or to carry out certain processes, such as fraud detection or analytics. However, the transition to cloud services has pros and cons. On the one hand, cloud providers are developing tools to help organizations manage and mitigate their cyber risks; on the other, a growing reliance on a relatively small number of cloud providers, and an opaque cloud infrastructure, is creating potentially large and systemic risks. A survey of banks and insurers by the Bank of England [5] last year found the provision of IT infrastructure in the cloud is already highly concentrated – the top two infrastructure-as-a-service providers had around two-thirds market share for banks.

The move to the cloud raises questions around managing risks and liability, according to Kang. “How financial institutions manage risks presented by the cloud will be critical going forward. They are effectively offloading a significant portion of cyber security responsibilities to a third-party environment. Your cloud service vendors become your exposure. However, by partnering with the right cloud service provider, companies can also leverage the cloud as a way to manage their overall cyber exposure.”

Companies are increasingly using cloud-based solutions: according to Gartner Research, by 2024 more than 45% of IT spending will shift from traditional solutions to the cloud. Cloud usage comes with many benefits, such as lowered cost, enhanced data analytics and expanded collaboration, but also new potential risks around security, compliance and data privacy, especially for those in heavily regulated markets such as financial services and healthcare.

AGCS and Munich Re have recently developed a new commercial cyber risk insurance solution called Cloud Protection +, designed for customers of Google Cloud enrolled in Google’s new “Risk Protection Program.” The Risk Protection Program consists of two components: Risk Manager, a new tool that helps determine a customer’s security risk posture on the cloud, and Cloud Protection + – a new cyber insurance solution built for Google Cloud customers. Under Cloud Protection +, companies are offered, subject to underwriting eligibility, protection against cyber incidents within their own corporate environment as well as incidents related to Google Cloud. Customers are US-based at present, although it may be offered globally in future.

Cyber-attacks often include a human element, where employees, contractors or even customers are unwittingly complicit in incidents. “When talking to clients, they say cyber is the number one concern of every C-suite executive, in particular we see growing concern for the human factor. Just one click on a link or a download can lead to a costly ransomware attack or a data breach, with reputational damage and loss of data. This is the number one concern for financial institutions,” says Stanislawski.

“Training and technology can help minimize human error. Employees are the first line of security and defense. The human factor can make or break an organization’s cyber security position, and often its reputation. Those that are well trained can significantly reduce the impact of a breach or even prevent it from happening. Employees should be regarded as part of the cyber security team, and, as such, there should be a corresponding investment in their training and education. The same applies to top management, who should periodically rehearse scenarios in order to prepare and respond to a major cyber incident - building resilience and business continuity planning is absolutely key to reducing the impact. Cyber security goes right up the chain.”

Companies should consider taking the opportunity to carry out a desktop exercise with their insurer and broker, and include key internal and external stakeholders. This builds trust and can take the sting out of any crisis. Cross-sector exchange and cooperation among companies – such as what has been established by the Charter of Trust – is also key when it comes to defying highly commercially organized cyber crime, developing joint security standards and improving cyber resilience.

[1] VMware, ‘Modern Bank Heists’ Threat Report from VMware Carbon Black Finds Dramatic Increase in Cyberattacks Against Financial Institutions Amid COVID-19, May 2020
[2] Europol, Mastermind Behind €1bn Cyber Bank Robbery Arrested In Spain, March 2018
[3] Reuters, Capital One to pay $80mn fine after data breach, August 2020
[4] FBI, Internet Crime Report 2020
[5] Bank of England, How reliant are banks and insurers on cloud outsourcing? January 2020
