FINANCIAL INSTITUTIONS should improve their cybersecurity systems to protect themselves from rising attacks on the sector involving ransomware, phishing, and application programming interfaces (APIs).

Security Bank Corp. Chief Information Security Officer Albert Dela Cruz said in a webinar hosted by the Asian Banking and Finance magazine that phishing and other cyberattacks are a major concern for the banking industry.   

“It all depends on a particular country or scenario, but sometimes, other types of phishing have been utilized very frequently. Lately, in the Philippines, phishing has taken a lot of the stage,” Mr. Dela Cruz said.   

“That led to some regulatory movements like how links are not allowed in some marketing messages. And some telcos (telecommunications companies) are just outright disabling links in text messages,” he said.   

However, cyber criminals are very creative, and their attacks change frequently. This means financial institutions should always be aware of emerging types of scams and attacks, Mr. Dela Cruz said.   

Akamai’s Security Technology and Strategy Director Reuben Koh said during the same webinar that customers now expect more personalized financial services and have more choice, with multiple new players entering the market almost every month.

This growing digital finance space has led to increased cyberattacks on the sector, he said.

“Financial institutions continue to grapple with challenges around regulatory compliance, protecting customer privacy, and also keeping their data secure. A lot of these can actually, and are, directly impacted by the risks that cyber threats bring,” Mr. Koh said. 

He said attacks on web applications and APIs grew by 257% in 2022 across the financial system globally. The Asia-Pacific region saw a 449% growth in the same type of attacks last year.   

Over 80% of players also fell victim to cyberattacks focused on customer data and accounts.    

“Financial services have typically strong security measures and awareness to thwart such attacks against organization but not so much from the consumer perspective, which is why the targeting has now started to shift to consumers across the world,” Mr. Koh said.   

This could lead to reputational losses and loss of trust from clients and could potentially cause a decrease in transactions and profitability in the long run.

The window between software vulnerabilities being discovered and the time they are actively exploited has also been reduced to less than 24 hours, and only 39% of surveyed institutions said they are fully prepared to deal with an all-out ransomware attack.   

Mr. Koh added that phishing attacks caused losses of $17,700 per minute, and that roughly 55,000 new phishing websites are created every single week and are getting increasingly sophisticated.

“When the pandemic happened, we were doing everything online. We all got used to digitalization and there’s no turning back … and this will proportionately increase the chances of attacks,” Mr. Dela Cruz said.   

He added that financial institutions cannot rely on one-time passwords (OTP) and should develop more authentication methods, such as integrating artificial intelligence in their cybersecurity systems. 

Financial institutions also have to ensure proper cyber hygiene, he said.

“Sometimes, we tend to look at these fancy new systems, fancy devices, or paradigms, but we fail to look at the basic cybersecurity hygiene. Do we have them in place right now? Because basic cybersecurity hygiene will constitute about 70 to 80% of protection already,” Mr. Dela Cruz said.   

He added that the government, regulatory bodies and companies should work together against cyberattacks.   

“I can spend hundreds of millions of dollars on advanced security systems, but when a client voluntarily gives their OTP (to attackers), that’s game over right? That’s why we need all of these stakeholders, players to come together to come up with a solution.” — K.B. Ta-asan