What are the top cyber trends for financial services in 2024?

Ahead of FStech’s CyberSecurity Live – taking place on 6 November at the London Hilton, Tower Bridge – news editor Alexandra Leonards speaks to industry experts, including some speaking at the conference, to investigate the latest cyber trends, risks and expectations in financial services.

Cybersecurity continues to be a key focus for the financial sector, with a rise in sophisticated cyber threats, the adoption of emerging technologies, and the rollout of new regulation such as the EU’s Digital Operational Resilience Act (DORA) making it even more of a priority for firms across the market.

Bad actors are increasingly exploiting advanced technologies like AI to break into systems, and financial services providers must keep pace by embracing these evolving tools themselves; bolstering education; spreading a culture of cybersecurity across their organisations; and meeting the latest regulatory standards.

This article explores the top trends, risks and expectations for financial services providers in 2024 as they navigate an ever-changing cyber risk landscape.

A growing wave of regulation

Partner at Hunton Andrews Kurth Sarah Pearce, who will be speaking on a panel exploring operational resilience under DORA and beyond at CyberSecurity Live, highlights this growing wave of data privacy and cybersecurity regulations as a major trend of note.

Pearce explains that while institutions often have strong GDPR frameworks in place, they must now navigate an evolving landscape of additional rules and standards. The EU’s NIS2 Directive, for example, marks a new era of cybersecurity legislation, requiring implementation into national laws by 17 October, while the eagerly awaited DORA will come into force three months later, on 17 January 2025.

“DORA is set to strengthen IT security specifically for financial entities, ensuring they remain resilient amid severe operational disruptions,” she tells FStech.

Pearce says that the trend of increasing regulatory focus shows no sign of slowing and calls on financial institutions to remain agile and proactive in their cybersecurity and data privacy measures.

“The growing complexity of regulatory requirements across different regions poses a major hurdle for the industry,” explains Daniela Waugh, IT security manager at insurance business Markerstudy, who will join Pearce on the operational resilience panel. “If companies scale their operations globally, they must navigate the complexity and plethora of not only cybersecurity regulations, but also new AI regulations (EU AI Act), ensuring compliance while maintaining robust security controls.”

Pearce agrees that the emergence of the EU AI Act and similar global regulations is creating even more complexity for firms, pushing financial institutions to adapt their compliance strategies.

Waugh also highlights the Payment Card Industry Data Security Standard (PCI DSS), which introduces a multitude of new requirements, some of which took effect in 2024, with more coming into force next year.

“The new version dictates the need for advanced technological solutions to meet the updated requirements,” continues Waugh. “This includes enhanced measures for encryption, multi-factor authentication, and continuous monitoring.

“Organisations may need to upgrade their existing systems or invest in new technologies to comply, which can be costly and time-consuming.”

Ultimately the transition to PCI DSS v4.0 requires a comprehensive scoping exercise to identify all areas where cardholder data is processed, stored, or transmitted. And this can be particularly challenging for larger companies with complex IT environments.

Evolving cyberattacks

Director of cybersecurity at Oaknorth Bank Deepak Bhandari, who will be exploring the dual uses of AI on both sides of the cybercrime equation on a panel at CyberSecurity Live, says that system intrusion – including ransomware – has been consistently amongst the top incident classifications across financial services.

“While the data in most of these breaches relates to customer or personal data, some of the recent ransomware group behaviour points to the threat actors not caring about the data they are stealing as they can look at the victim organisation as the eventual buyer for this,” explains Bhandari. “Extortion attacks, where the data is not necessarily encrypted but the threat actors instead threaten to expose it, are also on the rise; cases related to the MOVEit zero-day attack are one example.”

Chris Perrin, commercial technology partner at Spencer West LLP, agrees that cyberattacks are becoming more sophisticated.

“Ransomware, phishing, and supply chain attacks are becoming more advanced, targeting financial institutions with precision,” he explains.

Bhandari warns that ransomware groups, especially the state-affiliated ones, are also evolving and are looking to target crypto exchanges for a “quick payday” by compromising these institutions directly for a more ‘direct’ financial benefit via stealing cryptocurrencies.

Social engineering compounded by genAI and deepfakes

Oaknorth Bank’s Deepak Bhandari says that social engineering also continues to be a top attack pattern, with criminals using the tried and tested mechanisms of emails, text and websites, and preying on human nature and psyche for their own gains.

“Business Email Compromise (BEC), where the attackers leverage existing email trails to convince the victims into fraudulent activities like paying invoices into the attackers’ account, have been consistently causing financial damages to organisations, with median transaction value hovering around $50,000 based on FBI IC3 complaints received for 2023,” he explained.

But he says that the use of generative AI (genAI) and the rise of deepfakes have compounded the detection problem for security teams.

“The traditional social engineering motives to get customer data or financial gains have now given way to much wider impacting and complex attacks which compromise much of the organisation’s infrastructure and services,” warns Bhandari.

He points to Verizon’s Data Breach Investigation Report, which found that the median time for users to fall for phishing emails is less than 60 seconds. As such, Bhandari argues that capabilities around account protection and managing incident response have become crucial, in addition to the obvious aspects of enhancing user awareness and skills to detect any such malicious activity.

The duality of AI


But while AI is emboldening criminals, the tech is also revolutionising approaches to cybersecurity, offering new tools to defend against evolving threats.

Markerstudy’s Daniela Waugh explains that AI and machine learning (ML) “are used to enhance threat detection and response capabilities and are also used in non-security-related processes such as call summarisation or similar time-consuming tasks.”

She continues: “In the security space these technologies enable financial institutions to analyse vast amounts of data in real-time, identifying anomalies and potential threats more efficiently – thus defending the organisation more effectively.”

But these advancements come with significant challenges.

Chris Perrin, commercial technology partner at Spencer West LLP, touches upon an area that is being explored at the conference.

“Leveraging AI for security while defending against AI-powered attacks presents a dual challenge for financial institutions,” he explains.

Waugh agrees that while AI offers numerous benefits to the financial services industry, it’s important to recognise that criminals also leverage these advanced technologies for malicious purposes.

“It can be used to automate and enhance attacks, making them more sophisticated and harder to detect,” she adds. “For instance, AI-driven malware can adapt its behaviour to evade security measures, and ML algorithms can be used to launch more convincing phishing attacks.

“Additionally, AI can help cybercriminals analyse vast amounts of information to identify vulnerabilities in systems and exploit them more efficiently. As AI technology continues to evolve, so too does the arsenal of tools available to those with malicious intent, underscoring the urgent need for robust countermeasures.”

Facilitating innovation whilst prioritising security and regulatory compliance remains a delicate balancing act for the financial services industry in 2024.

“Some argue AI technology has ‘a mind of its own’, but in reality, it’s something that can be tamed and managed with the right approach to help us fight the cyber security threat, possibly against itself,” concludes Waugh.

Hike in DoS attacks

If utilising AI represents a more sophisticated precision approach from cybercriminals, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are the long-effective brute-force approach. Oaknorth Bank’s Deepak Bhandari says that the industry has seen an increase in targeted attacks of this nature in the past year, with some attacker groups focusing on certain industries or geographies based on their political or regional alignment.

“Since these attacks are comparatively easy and cheap to execute (if no defences are implemented by the target organisation), a lot of attacker groups are now looking at DoS based attacks to get the services offline for organisations, to inflict potential financial and reputational damages,” he adds.

At FStech’s CyberSecurity Live, attendees will learn more about some of the key trends and challenges highlighted in this article and more. Guests will come away with a comprehensive understanding of AI’s role in modern cybersecurity and strategies for integrating AI into security infrastructure; find out the latest on network infrastructure cybersecurity; and take home practical insights to strengthen their organisation's ability to withstand and rapidly recover from operational disruptions.

The conference takes place on 6 November at the London Hilton, Tower Bridge.


