It is a relentless battle to protect your data from hackers, fraudsters and even nation-states that commit cyberattacks against the financial services sector.
Legal requirements for data security come from a variety of places, including the Gramm-Leach-Bliley Act's Safeguards Rule, examination requirements, payment network rules and contract requirements. We have seen data security enforcement actions by the Federal Trade Commission (FTC) for many years.
Recently, the Consumer Financial Protection Bureau (CFPB) signaled its increased scrutiny of data security in an August circular, which states that the CFPB considers lax data security a potential unfair act or practice violation of the Consumer Financial Protection Act (CFPA). An unfair act or practice under the CFPA is one that is likely to cause substantial injury and that is not reasonably avoidable or outweighed by countervailing benefits to consumers or competition. The CFPB alleged an unfairness violation related to inadequate data security, most notably in the Equifax data breach case. The CFPB's circular signaled an increased enforcement focus going forward.
Information sharing between law enforcement and the financial services industry is a critical weapon in the fight against cybercrime and is evidence of your commitment to meet the CFPB's and other legal data security standards. Staying on top of emerging threats can dramatically mitigate the losses from a cyberattack.
The following federal government agencies are heavily involved in the fight against cybercrime in the financial sector, offering resources for financial services providers to protect against common cyberattacks including business email compromise, ransomware and synthetic identity fraud.
FBI Internet Crime Complaint Center (IC3)
The federal law enforcement agencies have Cyber Fraud Task Force working groups that share information and hold quarterly meetings with the industry. You can join one by contacting your local FBI Field Office. The FBI's Internet Crime Complaint Center (IC3) receives complaints of cybercrimes, tracks emerging threats, and alerts law enforcement and industry to suspected criminal internet activity. The IC3's 2021 Internet Crime Report, accessible on the IC3 home page, reports that it received 847,376 internet crime complaints in 2021. Top types of cybercrime included ransomware and business email compromise.
In a typical business email compromise scam, the cybercriminal compromises a legitimate business email account and requests that an employee make a payment for what appears to be a business purpose such as payment to a vendor. Instead, the payment goes to the cybercriminal's account.
Cybercriminals have capitalized on the pandemic's growth of virtual meeting platforms to hack emails and impersonate business executives through the use of deepfakes, or simply claim technical problems to explain sound discrepancies and avoid using the camera in video meetings. The cybercriminal typically prepares the social engineering by reviewing the target's website and social media to learn about employees and their roles. Cyberattacks may also include malware or other intrusion vectors to commit unauthorized transactions.
Business email compromise losses in 2021 alone totaled nearly $2.4 billion. IC3's Financial Fraud Kill Chain, an information-sharing tool between law enforcement and financial institutions, successfully stopped fraudulent transfers in process and froze $329 million in fraudulent funds.
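The BEC pattern described above turns on one fact: the requesting mailbox is often genuinely compromised, so the sender address proves nothing and the payment itself has to be verified against records the attacker cannot edit. The following is an added example (not code from the article or from IC3) of a pre-payment review that does that: it compares the requested beneficiary details with the vendor master file, flags a Reply-To that diverts the conversation to another domain, looks for urgency or secrecy language and for a callback number supplied in the message itself, and holds anything suspicious for an out-of-band callback to the phone number already on file. The vendor record, field layout and sample requests are all constructed for the example.

```python
"""Pre-payment review for emailed vendor payment requests (added example; all
vendor data, field names and messages below are constructed)."""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class PaymentRequest:
    sender: str
    reply_to: Optional[str]
    subject: str
    body: str
    vendor_id: str
    account_number: str
    routing_number: str
    amount: float

# Constructed vendor master file keyed by vendor id. phone_on_file is the number
# recorded at onboarding; callbacks go there, never to a number quoted in an email.
VENDOR_MASTER = {
    "V-1001": {
        "name": "Acme Supplies LLC",
        "account_number": "123456789",
        "routing_number": "021000021",
        "phone_on_file": "+1-555-0100",
    },
}

# Pressure and secrecy wording that typically accompanies a fraudulent request.
URGENCY = re.compile(
    r"\b(urgent|immediately|today|confidential|do not (?:call|discuss))\b", re.I
)
# A phone-number-like digit string inside the body (attackers supply their own
# "confirmation" number so the callback reaches them instead of the vendor).
PHONE_LIKE = re.compile(r"\+?\d[\d\-\s()]{6,}\d")

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def review_payment_request(req: PaymentRequest, master=VENDOR_MASTER):
    """Return (decision, flags); decision is 'approve' or 'hold_for_callback'."""
    flags = []
    vendor = master.get(req.vendor_id)
    if vendor is None:
        flags.append("unknown_vendor")
    elif (req.account_number != vendor["account_number"]
          or req.routing_number != vendor["routing_number"]):
        # The core BEC signal: beneficiary details differ from the record on file.
        flags.append("beneficiary_details_changed")
    if req.reply_to and _domain(req.reply_to) != _domain(req.sender):
        # Replies would leave the legitimate mailbox and go to the attacker.
        flags.append("reply_to_diverts_to_other_domain")
    if URGENCY.search(req.subject) or URGENCY.search(req.body):
        flags.append("urgency_or_secrecy_language")
    if PHONE_LIKE.search(req.body):
        flags.append("callback_number_supplied_in_email")
    decision = "hold_for_callback" if flags else "approve"
    return decision, flags

def callback_number(req: PaymentRequest, master=VENDOR_MASTER) -> Optional[str]:
    """The only number the reviewer should dial: the one on file, not in the email."""
    vendor = master.get(req.vendor_id)
    return vendor["phone_on_file"] if vendor else None

if __name__ == "__main__":
    suspicious = PaymentRequest(
        sender="ap@acmesupplies.example",
        reply_to="ap-acmesupplies@mail.example",
        subject="URGENT: updated banking details",
        body="We changed banks. Please send today's payment to the new account "
             "and confirm by calling 555-0199.",
        vendor_id="V-1001", account_number="987654321",
        routing_number="021000021", amount=12000.0,
    )
    print(review_payment_request(suspicious), callback_number(suspicious))
```

The design choice is that every flag results in a hold rather than a score: a changed beneficiary on a genuine-looking email is exactly the case the Financial Fraud Kill Chain is meant to catch after the fact, and a callback to the number on file is far cheaper than a recall request.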
Out of 14 critical infrastructure sectors, financial services had the second-highest number of ransomware victims in 2021. IC3 received 3,729 ransomware-related complaints in 2021, with losses of more than $49 million. Ransomware encrypts data on a computer or network and locks out the rightful owner of the data. Cybercriminals promise to return access to the data only when a ransom is paid. Attack methods include phishing emails, Remote Desktop Protocol (RDP) exploitation and exploitation of software vulnerabilities. While the FBI advises against paying a ransom, many ransomware victims have found themselves with no other option.
Federal Reserve Synthetic Identity Fraud Resources
The Federal Reserve has devoted a significant number of resources to fighting synthetic identity fraud. In addition to educational materials about synthetic identity fraud and how it is committed, the Fed has a Synthetic Identity Fraud Mitigation Toolkit with modules on specific ways to battle synthetic identity fraud, including tips for detection and the use of technology. Again, information-sharing with law enforcement and fellow financial services providers is stressed as a valuable way to learn about synthetic identity fraud activity affecting your area and to protect your organization.
United States Secret Service
Many know of the U.S. Secret Service by its protective mission, but another mission of the Secret Service is fighting cybercrime. In addition to providing guidance on how to protect your organization from a cyberattack, the Secret Service also participates in cybercrime investigations. You can sign up to receive cybercrime alerts directly from the Secret Service.
Cybersecurity & Infrastructure Security Agency
The Cybersecurity & Infrastructure Security Agency (CISA) continuously posts alerts on emerging and current cyberthreats, including attacks by nation-states. For example, the Shields Up initiative alerts the industry to increased cyberattacks from Russia tied to its invasion of Ukraine. In addition to information about threats, CISA provides guidance for organizations and their leaders on steps to take to protect their organizations from cyberattacks.
The battle against cybercrime can be overwhelming, but you do not have to fight it alone. Information-sharing between law enforcement and financial services providers may keep your organization from becoming another cybercrime statistic.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.