Cybersecurity risks evolve as war in Ukraine continues

Andrea D’Ambra

Community banks must properly vet their managed security service providers and frequently update employee passwords to protect against the ever-evolving cybersecurity threat landscape, experts say. This comes as Russia’s war in Ukraine brings fresh fears that Russia could use hacking against U.S. companies to strike back against punishing sanctions levied in response to the invasion. 

Andrea D’Ambra, a partner at the New York City-based Norton Rose Fulbright firm, said that although cybersecurity threats have been a pressing issue since the advent of online banking, most large banks today have security operations centers to monitor those challenges with multi-factor authentication and other protections. Password complexity and multi-factor authentication have gotten more robust. Protecting against cyber threats remains harder for community banks, she said, because they have fewer resources to deploy against similar threats. Many smaller banks still use managed security service providers to manage their network security, and those providers are frequently targeted by cybercriminals because targeting them often unveils a trove of information on organizations the bank serves.

To D’Ambra, community banks must vet their managed security service providers to ensure they are well-managed. Well-run providers offer the latest security patches and monitoring software, and have an internal process to appropriately vet incoming alerts. As cybercriminals start to evade multi-factor ID, D’Ambra suggested employees change their passwords every 45 to 90 days to prevent being hacked.

Some hackers have undertaken elaborate schemes: In one instance, D’Ambra noted, a fraudulent website that showed up on Google searches was set up to harvest login credentials. Though the hackers tried to transfer a significant amount of money, the bank’s standard operating procedures of delaying large transfers and using a voice-to-voice system minimized the impact of the fraud.

The cost of cyberattacks reached $18.3 million annually per company in 2021, according to the data firm Fortunly. The United States sustained 1,473 cyberattacks over the last year, leading to 164.6 million successful data breaches. It is estimated that spending on cybersecurity training will reach $10 billion in 2027. The report found that more than nine-in-10 ATMs are vulnerable to hacks. According to a 2021 Conference of State Banking Supervisors survey, 81 percent of community bankers said cybersecurity concerns are on the rise, more than doubling the rate of other types of operational risk. 

Threat actors are attacking bank authentication security to access customer information as well as deploy ransomware and initiate transactions, said Lisa Arquette, associate director of the FDIC’s anti-money laundering and cyber fraud division, during an industry event. She added that banks have reported more sophisticated cyber attacks since the pandemic started, due to an increase in bank employees working remotely and more customers accessing digital banking services.

This comes as the United States continues to prepare against possible Russian cyberattacks. President Joe Biden on March 20 urged U.S. companies to make sure their digital doors were locked tight because of “evolving intelligence” that Russia is considering launching cyberattacks against critical U.S. infrastructure targets. Corporate CEOs have a “patriotic obligation” to strengthen their systems against such attacks, Biden said. “The magnitude of Russia’s cyber capacity is fairly consequential, and it’s coming.”

Biden’s top cybersecurity aide, Anne Neuberger, expressed frustration at a White House press briefing earlier in the day that some critical infrastructure entities ignored alerts from federal agencies to fix known problems in software that Russian hackers could exploit, according to the Associated Press. 

“Notwithstanding these repeated warnings, we continue to see adversaries compromising systems that use known vulnerabilities for which there are patches,” said Neuberger, who is the president’s deputy national security adviser for cyber and emerging technologies. “That makes it far easier for attackers than it needs to be.”

Cybersecurity breaches can leave banks at risk of losing both customer trust and large sums of money through the breach itself and subsequent legal and regulatory penalties. D’Ambra noted that the jurisdiction of any related legal or civil action would be where the data subject is from, not where the bank is headquartered. She said that if the impacted bank takes the proper steps following the breach — good front-end messaging, immediately stopping the hack, assessing the data that could have been exfiltrated, held hostage, changed or deleted — and had reasonable security standards ahead of time, regulators are less likely to punish the bank following a breach.