29 February 2024. Originally published on CS Hub
Financial institutions are prime targets for malicious actors seeking to exploit vulnerabilities for financial gain or disruption. With the stakes higher than ever, the need for financial regulators and central banks to intensify their oversight of intelligence-led simulated cyber attacks (simulated attacks) on financial institutions has never been more pressing.
Financial institutions are the lifeblood of the global economy, handling trillions of dollars in transactions daily and safeguarding sensitive customer data. This makes them lucrative targets both for cyber criminals seeking monetary gain and, increasingly, for state-sponsored actors conducting espionage or seeking to disrupt financial markets.
The interconnected nature of the financial sector, with its dense web of interdependencies between institutions and shared service providers, further amplifies the risk: a breach in one institution can have cascading effects, leading to systemic instability. Whether it is ransomware attacks on critical systems, sophisticated phishing schemes targeting employees or insider threats exploiting privileged access, the threats facing financial institutions are multifaceted and constantly evolving.
Traditional defensive measures alone are not sufficient to adequately safeguard financial institutions against these threats. This is where simulated attacks, also referred to as red teaming, intelligence-led penetration testing and threat-led penetration testing, come into play.
Simulated attacks employ skilled cyber security professionals to emulate real-world cyber threats and attempt to breach the defenses of a financial institution. By adopting the mindset of an adversary, these teams identify weaknesses in an organization’s people, processes and technology that routine security controls and conventional penetration tests may miss, and they provide valuable insight into the effectiveness of the institution’s overall cyber security posture.
Threat intelligence is pivotal in informing the design and execution of these exercises. It describes the tactics, techniques and procedures employed by the adversaries actually targeting the sector and the institution, allowing the scenarios to reflect real-world threats accurately rather than generic attack patterns. By grounding the exercise in threat intelligence, a financial institution can anticipate emerging threats, identify likely weaknesses in its defenses and mitigate risks before they materialize, and it can adapt its cyber security strategy as adversary tactics evolve.
These exercises also allow financial institutions to test their incident response capabilities, evaluate the effectiveness of their security controls and identify areas for improvement.
Financial regulators play a crucial role in ensuring the stability and resilience of the financial system, and cyber resilience is now part of that remit. Recognizing the systemic importance of financial institutions, regulators have a growing obligation to enhance cyber resilience across the sector.
One way financial regulators fulfil this mandate is by setting standards and regulations for cyber security practices, including simulated attacks. By mandating minimum requirements for these activities, regulators ensure that financial institutions are adequately prepared to defend against cyber threats and to mitigate potential risks to financial stability and, more broadly, to national interests.
Simulated attack service providers are vital in helping financial institutions bolster their cyber security defenses. It is therefore essential that both the providers and their employees undergo thorough vetting, and financial regulators should mandate minimum requirements for them.
Given the sensitive nature of the information handled by financial institutions, the integrity, professionalism and trustworthiness of service providers is paramount. This includes verifying the qualifications and expertise of their employees, conducting background checks to ensure they have no conflicts of interest or malicious intent, and implementing strict confidentiality measures to protect the sensitive information a test inevitably exposes, such as the vulnerabilities found and the access obtained.
In the maturing cyber security market, company accreditations and individual certifications serve as a benchmark for competency and professionalism. CREST has been working with financial regulators for a decade to set standards and measure the competence of both companies and individuals performing simulated attacks against regulated financial institutions.
By obtaining accreditations and certifications, service providers demonstrate their commitment to upholding the highest standards of professionalism, ethics and technical proficiency.
In 2024, CREST is launching updated company accreditations for threat intelligence and intelligence-led testing, as well as fully refreshed Simulated Attack Specialist and Manager certifications. These updates will be aligned with the MITRE ATT&CK framework, a standardized knowledge base and taxonomy of adversary tactics and techniques drawn from real-world observations, so that the competencies assessed map to the behaviors actually seen in attacks.
While the Bank of England has for a decade taken proactive steps to mandate minimum requirements for simulated attack service providers, many other financial regulators have yet to follow suit, with some providing only a baseline of optional recommendations. However, the case for mandating minimum requirements is compelling.
Without clear, consistent and mandated requirements, there is a high risk that a test will fail to surface the vulnerabilities that exist, or, because these exercises are typically run against live production environments, that it will cause real damage if performed by personnel who are not skilled and trusted, leading to potential customer detriment.
This risk is likely to grow as simulated attack services become more widely adopted and more providers enter the market. Left to market forces alone, there could be a “race to the bottom” in quality, deliverables and price, undermining confidence in the services performed.
The standards and capabilities of service providers must match or exceed those of the threat actors they emulate, and they must be combined with high-quality professional practice (careful scoping, rules of engagement and safeguards) to avoid the real possibility of a live banking system being taken offline.
Mandating minimum requirements sends a clear signal that cyber security is a top priority for regulators and the financial sector as a whole. It provides a framework for consistent, repeatable and standardized cyber security practices, enhances transparency and accountability, provides measurable assurance, and fosters greater collaboration between regulators, financial institutions and cyber security service providers.
Furthermore, driving and maintaining harmonization with the international frameworks that already require these standards would match the interoperable, cross-border nature of the financial institutions themselves, and would avoid a situation in which some national or international frameworks appear inconsistent with, or less rigorous than, others.
As cyber threats continue to evolve in complexity and sophistication, financial regulators must keep evolving strategies that produce actionable outcomes. Simulated cyber attacks against financial institutions pressure-test response capabilities and provide real-world insight into the effectiveness of deployed security controls. By mandating minimum requirements for service providers, regulators can strengthen the resilience of the financial sector, increase assurance, protect against systemic risk and safeguard the stability of the global economy. In doing so, they reaffirm the value of global standards in underpinning the integrity and trustworthiness of the financial system in the face of ever-present cyber threats.
To learn more about our accreditations, visit our dedicated webpage: About CREST exams – CREST (crest-approved.org)
Alternatively, to find providers who can help with simulated attacks and related services, visit our member search page: Members – CREST (crest-approved.org)