By Ruchir Kumar
A recent ISA Cybersecurity survey revealed that 76 percent of Canadians polled are concerned about their financial institution’s ability to maintain the security of their personal information. Their concerns aren’t unfounded: 32 percent of financial services organizations in a 2023 global survey on the state of security reported that they’d had data and systems held hostage, and 40 percent reported that they’d experienced a supply chain attack.
The financial sector is heading into more challenging times ahead – but with careful planning and preparation, these challenges can be overcome. Ruchir Kumar, Senior Director, Architecture and Protection at ISA Cybersecurity, shares his perspectives on the landscape for FIs in Canada – and around the world.
Today’s solutions must be able to quickly adapt to tomorrow’s threats: adopting a proactive approach is crucial. Here are some key insights about the current landscape and the future of cybersecurity in the Canadian financial sector:
Embrace AI and Machine Learning: AI is here, and here to stay. AI is playing an increasingly important role in both offensive and defensive cybersecurity, and FIs that are not embracing it will fall behind fast. Financial institutions should invest in AI-powered security solutions and develop in-house AI expertise to stay ahead of evolving threats. And since AI will be fundamental to many parts of the business, establishing a robust AI data governance structure will streamline safe and ethical adoption of more uses of AI as they emerge.
A 2024 global report suggests that organizations of all kinds around the world are already seeing AI have a major impact on the threats they confront: 74 percent feel that AI-powered threats are now a significant issue, and 89 percent agree that AI-powered threats will remain a major challenge into the foreseeable future. This is a problem that is not going away, so it’s imperative to act. For more insights on the challenges of AI, I recommend reading the “AI Uses and Risks at Federally Regulated Financial Institutions” report from OSFI and the FCAC, which encapsulates the current landscape faced by FIs as AI becomes part of the fabric of everyday life.
The good news is that there are clear indications that the use of AI for defense is a sound investment across all sectors. According to data gathered by IBM for their Cost of a Data Breach 2024 report, organizations that made extensive use of security AI and automation “had breach lifecycles that were 54 days shorter and cost CA$2.84 million less on average compared to companies not using these technologies”.
Focus on Resilience: The old “when, not if” mindset about cyber incidents is a cliché, but an accurate one. I tell my clients to operate as if an attack is already happening – because it just might be. Thoughtful, well-tested incident response plans are key to helping prepare for the inevitable. Our financial infrastructure is increasingly being operated by remote, distributed workforces on cloud-centric systems. There is no perimeter. As financial systems become hyperconnected, resilience internally as well as the ability to withstand shocks to partner networks is critical. Customer expectations are for instant access, so there is no tolerance for downtime. It’s implicit in the name: hardly anyone talks about “disaster recovery plans” anymore; the focus is on “business continuity plans”.
Collaborate and Share Information: Competition is fierce among financial institutions, but there needs to be room for cooperation on the cybersecurity front. We are seeing encouraging signs of more collaboration between government agencies, and more guidance for critical infrastructure within and across the financial sector as well. “Designed to be an evergreen resource that can be used by all critical infrastructure sectors, the CRGs [cyber readiness goals] will be updated by the Cyber Centre based on feedback from partners and as the threat landscape evolves over time,” according to the CSE’s press release. These efforts can significantly enhance the overall cybersecurity posture not just of FIs, but of their customers and the country at large. The CBA’s September 2024 submission to Canada’s Department of Finance included a call to improve information sharing across the financial sector to strengthen cyber defenses.
A collective and proactive approach highlighted by sharing threat intelligence is crucial for financial services organizations to defend against future threats. Organizations like the Canadian Cyber Threat Exchange (CCTX) help pool and share knowledge about emerging threats, attack patterns, and vulnerabilities – helping institutions stay ahead of the cyber criminals that are constantly evolving their tactics. Collaboration allows for faster detection of new threats, more effective response strategies, and improved resilience across the entire financial sector. Sharing threat intelligence in real time through secure platforms helps create a more comprehensive and up-to-date defense, ultimately strengthening everyone’s ability to withstand and quickly bounce back from cyber attacks.
Compliance Challenges
Financial institutions are facing growing regulatory pressure on all fronts, but particularly regarding cloud security. Recent regulations like the NIS2 Directive and Digital Operational Resilience Act (DORA) in the EU, as well as SEC disclosure guidelines in the US, have increased compliance requirements. And AI regulations aren’t far behind.
Here in Canada, Bill C-26 – “An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts” – was tabled in June 2022. The Act cleared the House of Commons in June 2024, and was under consideration in committee as of November 2024. If the Bill passes, it would enact the Critical Cyber Systems Protection Act (CCSPA), which would impose a series of cybersecurity-related obligations on private-sector entities in the four key federally regulated sectors: finance, telecommunications, energy, and transportation.
The CCSPA would apply to industries providing vital services or systems as set out in Schedule 1, and classes of designated operators identified in Schedule 2. This Act will have a profound effect on organizations in the affected sectors, so preparation is vital. It’s essential to stay abreast of the proposed Act and how it may evolve in the future.
Fighting Credential Abuse
As financial institutions continue to digitize their operations and services, managing identities and access rights has become increasingly complex and critical for cybersecurity. MFA is an important preventative step, but robust Identity and Access Management (IAM) and Privileged Access Management (PAM) programs with zero-trust architectures are necessary for a more complete solution.
In my conversations with executives from financial organizations, access management is definitely one of the areas garnering the most attention. Adaptive and continuous authentication measures are being adopted by sophisticated players to keep the bad actors out of their networks. I can’t stress enough how important it is to develop a comprehensive IAM strategy. AI-powered IAM solutions that consider both employees and customers can provide risk mitigation from external attack as well as insider threats (indeed, a 2024 global survey showed 31 percent of recorded attacks on financial institutions were the result of malicious insider activity).
Enforce the principle of least privilege and regularly review and update access controls. Develop comprehensive insider threat programs that include employee training and monitoring. Implement AI-powered user and entity behavior analytics (UEBA) to detect anomalous user activities. And deploy Privileged Access Management (PAM) tools to control and monitor high-risk privileged accounts. These strategies will also help address the next threat: supply chain attacks.
Supply Chain Management
The interconnected nature of the financial sector makes it vulnerable to supply chain attacks, where threat actors target third-party vendors or software to gain access to multiple organizations. The financial services sector is particularly vulnerable to supply chain attacks due to its extensive use of third-party services for online platforms, cloud storage, data processing, and other crucial functions. As an example, I’d point out the 2023 incident involving open-source software that specifically targeted the banking sector via a third-party compromise. The MOVEit incident also counted dozens of financial institutions among its global victims.
The implication here is that you need to have the same expectations of your suppliers as you should have of yourself. Implement rigorous vendor risk management processes, including regular security assessments of third-party providers. The Autorité des marchés financiers (AMF) in Quebec has one of the country’s most comprehensive risk management programs concerning outsourcing. Even if your FI does not operate in Quebec, it is an excellent resource. AI has a role in the supply-chain risk management space as well, with modern AI-powered tools available to continuously monitor and assess vendor security postures.
Sophisticated Phishing and Social Engineering Attacks
Phishing and social engineering attacks continue to be a primary threat to the financial sector. But the new angle we are seeing today is the increasing use of AI, and the broad support from nation-states and organized threat actors in making these attacks more sophisticated than ever before. Generative AI is being used by malicious actors to carry out new strategies for their cyber attacks at low cost. FIs of any size can be victims of ransomware, credential abuse, BEC, or fraud, all front-ended by a phishing attack.
I am seeing FIs fight fire with fire by aggressively adopting AI to keep pace with the bad guys. They are using AI-driven email filtering systems to detect and block sophisticated phishing attempts, and modern XDR solutions to identify and neutralize attacks immediately. Security awareness is crucial: the importance of regular employee training on recognizing and reporting phishing attempts is heightened by the higher-quality attacks that are being launched.
And of course, multi-factor authentication (MFA) for all critical systems and customer accounts is essential… but not enough. I’ll refer back to our recent report on this point: 95 percent of Canadians surveyed are willing to use extra security measures, so the appetite is out there.
Ransomware Attacks
Just as threat actors are stepping up their game with respect to phishing, we are still seeing ransomware attacks that pose a significant threat to the financial sector, with attackers constantly evolving their tactics. In an independent, global survey in 2024, a stunning 65 percent of respondents representing financial services organizations responded that they had been “hit by ransomware” in the preceding year, with 90 percent of those victims reporting that the ransomware attack attempted to compromise their backups at the same time.
The basics I mentioned for protecting against phishing and social engineering are the same table stakes for defending against ransomware attacks as well. Developing and regularly testing your incident response plan with custom playbooks dedicated to a ransomware attack is really important, and will often yield insights on how to improve defenses and responses. And resilience measures like robust backup and recovery systems with offline storage options are critical as well, as a fallback in case of a cyber incident.
Cloud Security Vulnerabilities
I know firsthand that FIs still have a lot of in-house and legacy systems to deal with. They have decades of experience in defending these classic network resources. Cloud-based services, however, are a different game altogether. Dealing with these new environments presents a steady diet of challenges. There are multiple cloud services to consider and manage, new technologies to configure, and an array of disparate systems that need to talk to each other securely. Most financial services organizations have cloud migration at top of mind – a global survey by the Institute of International Finance and McKinsey & Company found that 84 percent of FIs have cloud migration on their radar, more than any other technology (even AI!).
Managing this transition through sound governance is essential here. It’s deceptively easy to spin up resources and databases in the cloud. But without a comprehensive cloud security strategy, including proper configuration management and access controls, you’re asking for trouble. Once your model is in place, AI-powered cloud security posture management (CSPM) tools can be used to continuously monitor and remediate misconfigurations. And conducting regular security assessments and penetration testing of cloud environments is vital. It’s always better to find out if you have any vulnerabilities before the bad guys do.
Another pitfall that many organizations – not just financial institutions – encounter is failing to fully understand their shared responsibility model for security in their cloud deployments. The line between the cloud provider and the FI must be clear, and the responsibility for securing customer data – both on premises and in the cloud – must be well-defined.
Preparing for Quantum
As you’re trying to get your head around today’s challenges, it may be tempting to punt quantum computing concerns down the road. It’s unclear when we will enter the “quantum era”, but with major milestones like Google’s quantum chip Willow making headlines, it may not be as far off as you think.
When that era does arrive, there won’t be enough time to react “in the moment” to the new challenges introduced. Financial institutions must proactively prepare for quantum computing cyber threats by understanding the risks, conducting thorough risk assessments, and developing comprehensive risk mitigation plans.
They should invest in quantum-resistant cryptography, closely following and preparing to implement new standards as they emerge. Collaboration within the industry, knowledge sharing, and staying informed about technological advancements are crucial. Institutions should also enhance security awareness among staff and continuously monitor developments in quantum computing.
What’s Next?
As cyber threats continue to evolve, financial institutions must remain vigilant and proactive in their cybersecurity efforts. The stakes are higher than ever, with customer trust, financial stability, and regulatory compliance all hanging in the balance. But as I hope I’ve demonstrated, while the challenges are significant, they aren’t insurmountable. By staying informed about the latest threats, investing in robust security measures, and fostering a culture of cybersecurity awareness, financial institutions can significantly reduce their risk exposure today, and tomorrow.
If you’re ready for a conversation about these challenges, contact me at ISA Cybersecurity today. My team is ready to help you take action to protect your customers, your institution, and your reputation.
Ruchir Kumar is Senior Director, Architecture and Protection at ISA Cybersecurity and shares his perspectives on the landscape for FIs in Canada and around the world.