Financial institutions and financial market infrastructures (FMIs) rapidly adopted work-from-home models during the pandemic. But the move raised the level of cyber risk, as essential employees at banks and other financial centers adopted virtual computing networks and embraced third-party service providers such as cloud banking. The shift could leave the organizations vulnerable to potential risks due to a single point of failure, according to a report last week by the Financial Stability Board.
The frequency of malicious cyber activity — including phishing, malware and ransomware — exploded over the past year. Incidents jumped from about 5,000 per week in February 2020 to more than 200,000 per week by late April 2021, according to the report, which cited data from the Financial Services Information Sharing and Analysis Center. Threat actors targeted bank employees and customers with malicious activity.
In many cases, banks and FMIs invoked business continuity plans that involved wholesale shifts in network security, including the wide use of virtual private network infrastructure and often unsecured Wi-Fi access points, the report said. Banks also had to shift millions of customers from in-branch banking to mobile app-based transactions or telephone banking.
The FSB's report was designed to help the banking and financial services industries bolster operational resilience for financial institutions that made wholesale changes in how they interacted with customers and how they conducted financial transactions during the pandemic.
Many of the changes implemented by the banking industry took place with little to no advance warning. The global economic system is only now beginning to shift back toward in-person education and work, which will likely result in a new set of operational challenges for banks.
"The pandemic highlights the importance of putting in place effective operational risk management arrangements before a shock hits," the report states, noting that financial institutions need to plan for contingencies that may impact business continuity.
"Continued investment in and maintenance of cybersecurity, such as firewalls, antivirus software, intrusion detection systems and security operations centers are essential. At the same time, financial institutions need to recognize the human factor as a core element of the cyber security chain," the report said.
The FSB in October published a toolkit that outlined a series of best practices for what it called Cyber Incident Response and Recovery. The report highlighted how financial institutions should prepare for a potential data breach or cyberattack, how to stress-test the system against such an incident and how to limit the potential damage from such an attack.
The agency released a discussion paper in November on regulatory issues related to outsourcing and third-party risk, to open up a public dialogue on issues like dependence on third-party cloud providers or supply chain risks.
The paper received almost 40 responses, with local experts raising the possibility of creating global standards to manage third-party risk, as well as other solutions to boost access to these technologies in emerging markets.