There are a lot of different things that might keep a bank CEO awake at night. An economic contraction, inflation, climate change, competitive threats from new fintech companies, increasing government regulation, to name just a few.
Yet it should come as no surprise that despite all those concerns, many financial industry CEOs identify cybersecurity as their biggest worry.
JP Morgan CEO Jamie Dimon told his shareholders that cybersecurity “may very well be the biggest threat to the US financial system.” In the wake of a 2014 cyberattack that impacted 83 million of the bank’s customers, the firm upped its spending on cybersecurity from $250 million to $600 million per year.
In May, CEOs of the six largest banks in America were called to testify before Congress about the state of the US financial system. When Representative Bill Huizenga of Michigan asked them to share the biggest risk facing the financial sector, four out of six named cybersecurity. James Gorman, CEO of Morgan Stanley, said, “Cyber, and specifically the potential impact on consumer data and data privacy.”
David Hunt, CEO of Prudential Global Investment Management went further:
“The next crisis is going to come from a different place. I think it’s going to come from technology and cyber. If I were looking for the thing that worries me the most, it would be an actual attack on the infrastructure of the financial markets that really bursts into it and creates a shutdown of the major pipes we use to do business.”
Joining the chorus, Federal Reserve Chairman Jerome Powell recently told “60 Minutes” that “the risk that we keep our eyes on the most now is cyber risk.”
The financial system is, of course, vulnerable to threats to entities other than banks and brokerage firms as well. An attack that shuts down a clearinghouse such as ACH or a major credit card payment processor could create havoc.
Is the financial industry prepared to deal with cyber threats?
A survey of financial institutions conducted by Deloitte identified “rapid IT changes and rising complexities” as the top cybersecurity challenge. 87% said that improving their ability to manage cybersecurity risk will be an extremely or very high priority over the coming two years. The survey showed that spending on cyber security has been growing, although the respondents report finding qualified staff is a big problem. The general sense is that the industry is working hard on cybersecurity, but a lot more needs to be done before banks can feel that cybersecurity concerns have been reduced to the same level as physical security concerns.
The need for a new cybersecurity paradigm
While theft of customer data was cited by the Morgan Stanley CEO as a big fear, in many ways an equal or greater threat is from ransomware capable of shutting down the financial system or causing widespread financial havoc. Newer types of ransomware are especially dangerous because they combine theft of customer data – and extortion – with locking up the victim’s networks, forcing operations to shut down.
Since many ransomware attacks start with a phishing email containing a link to a malicious or fraudulent site, or a weaponized attachment, one of the best forms of protection is an innovative technology called Remote Browser Isolation (RBI). RBI is based on the Zero Trust principal that all websites or email attachments must be considered by an organization to be malicious since they cannot be 100% verified as safe.
With RBI all web content is run in a virtual browser located in an isolated cloud-based container. Only safe rendering data reaches the standard browser on the user device. If a user clicks on a link to an infected site, the ransomware or other malware remains in the isolated container along with all executable code: It cannot infect endpoints or network servers. That means that RBI also stops zero-day threats that evade conventional signature-based anti-malware solutions.
Ericom RBI, which is integrated in ZTEdge Web Isolation Gateway (WIG) as well, provides additional protection by opening suspected fraudulent sites in read-only mode, so users cannot mistakenly enter credentials. Email attachments and downloadable files on websites, which are frequently weaponized, are sanitized in the cloud before being downloaded to endpoints.
For financial institutions, a “Zero Trust” approach to web browsing is the best way to prevent most ransomware attacks—in fact, today, the only reliable way. Whether as a standalone solution that can be integrated with existing security stacks, or as a key element of the ZTEdge Secure Access Service Edge (SASE) architecture, RBI is an essential protection for financial institutions, and one that is affordable and easy-to-manage, even for midsize and regional banks and S&Ls.