Interview With Trend Micro: Navigating Risks Within the BFSI Sector

Cybersecurity is an essential requirement across various sectors worldwide for safeguarding data in the current threat landscape. However, among these sectors, it holds particularly high significance for the Banking, Financial Services, and Insurance (BFSI) industry. This sector, particularly banks, handles millions of transactions regularly and stores vast amounts of customer data. As a result, it is imperative for banks to proactively implement robust security measures to protect their data from cyberattacks.

The BFSI sector in Malaysia, just like any other nation in the world, currently stands as a prominent battleground, contending with a myriad of advanced and persistent threats. The insights gleaned from industry leaders shed light on the multifaceted challenges that this sector faces, emphasising the critical need for resilient defence mechanisms and strategic adaptation.

Goh Chee Hoh, Managing Director for Trend Micro Malaysia and Nascent Countries, points to a surge in Distributed Denial of Service (DDoS) attacks concurrent with disruptions in the International Chamber of Commerce (ICC) network as some of the threats that the BFSI sector is facing. Cryptocurrency mining too has emerged as a malevolent tactic, capitalising on these outages. He underlines the growing concern regarding the exfiltration of personal information, with campaigns targeting users within the financial sector. These developments underscore the increasing sophistication of cybercriminals.

Sapna Sumbly, Director for BFSI Business in Southeast Asia, for Trend Micro then adds a layer of nuance to Goh’s observations. Ransomware, while a longstanding concern, she said, has morphed into a more formidable adversary: Ransomware-as-a-Service (RaaS). This evolution allows malicious actors to readily subscribe to plenty of ransomware packages and launch targeted attacks. Sapna highlights the ensuing extortion techniques used by cybercriminals, including triple extortion, which involves DDoS attacks, making the landscape even more treacherous.

Geopolitical unrest has also injected a new element into the threat landscape, giving rise to hacktivism, where unaligned hackers with specific agendas target the banking and financial sectors. These actors, as Sapna notes, are not constrained by alignment with specific ideologies. They engage in cyber attacks based on their divergent motivations, intensifying the challenge of safeguarding digital assets.

Another recurring scenario in the BFSI threat landscape is the compromise of business emails, where attackers gain unauthorised access to company email accounts, often posing as executives. As Goh observes, this deceptive ploy often relies on an understanding of communication nuances rather than overt attachments or URLs. “Such insidious attacks, combined with the use of ransomware, are becoming increasingly prominent within the Malaysian cybersecurity landscape,” Goh stated.

Traditional threats, such as business email compromises and phishing attacks, remain persistent, posing an ongoing menace to BFSI institutions. Sapna emphasised that these threats are enduring and should not be underestimated.

Best Practices for a Risk-Based Security Approach

Sapna then continued with a fundamental yet often overlooked best practice: Discovering the attack surface, previously known as a security inventory. Understanding and managing this attack surface is the cornerstone of any security organisation. “If you do not know what you need to control, you cannot effectively manage risk,” Sapna emphasised.

The second “best practice” is defence in depth, a long-standing principle that entails identifying the crown jewels of an organisation, such as customer data, often referred to as Personal Identifying Information (PII). The financial sector’s crown jewel, customer data, is indeed the most critical asset to protect. A robust defence in-depth strategy involves wrapping these jewels in layers of safeguards to ensure the confidentiality and trust that customers expect.

The third practice highlights the adoption of a zero-trust approach, an architectural mindset that demands verification from every user and trust from nobody. This breach-resilient approach encompasses five pillars: Users, identity, network, applications, and more, tailored to an organisation’s specific needs.

Cyber drills form another vital element in the cybersecurity arsenal. Rigorous exercises like red teaming, purple teaming, and blue teaming, as mandated by the Bank Negara Malaysia guidelines, prepare organisations for real-world attacks, allowing them to fine-tune their Security Operation Procedures (SOPs).

Finally, it all converges on the concept of resilience, with cyber resilience becoming a central facet of business resilience. It focuses on an organisation’s ability to recover swiftly from a compromise, with an emphasis on full recovery and assessing the business impact. Service Level Agreements (SLAs) and Service Level Objectives (SLOs) extend their influence into cyber resilience, culminating in backup and recovery principles that involve maintaining copies both online and offline, and one offline copy isolated from the Internet.

The transition from a product-focused mindset to a consolidated platform approach is a pivotal one. It seamlessly weaves these best practices together and provides real-time visibility into an organisation’s risk posture. Visibility becomes paramount in managing the multifaceted cybersecurity challenges of the BFSI sector, offering a comprehensive view of risk management across the organisation.

The Dual Face of AI in BFSI

Artificial Intelligence (AI) has emerged as a transformative force in many sectors and the BFSI cannot be excluded. AI has been revolutionising everything, top to bottom, all the way from customer experiences to back-office operations. However, Goh Chee Hoh sheds light on the inherent challenges and adversarial effects that accompany AI adoption in the BFSI industry. He also highlights some of the strategies that organisations can use to maximise AI’s potential while mitigating associated risks.

“In recent years, generative AI has held significant promise for the BFSI sector, offering substantial business value,” Goh said. “The sector has enthusiastically embraced AI for various applications, including robotic process automation and robo-advisors, which enhance customer experiences,” he continued. However, as Goh Chee Hoh points out, the absence of guardrails and regulatory guidelines regarding AI usage has cast a shadow of uncertainty over its implementation. While forums and public-private partnerships have addressed ethical AI use, the onus of due diligence falls on each organisation.

The adversarial effects of AI have not gone unnoticed. Goh Chee Hoh underscores the potential for AI to be misused, leading to deep fakes, fraudulent accounts, and cybercriminal activities. Deep fakes, fabricated using stolen or manipulated documents, pose a significant challenge for organisations, especially in the context of KYC (Know-Your-Customer) processes. The AI-driven generation of convincing fake documents has the potential to compromise the integrity of digital account creation, with criminals exploiting these for illicit transactions.

Furthermore, AI can be harnessed to create social engineering campaigns that are difficult to trace to a specific source, leading to widespread confusion and destruction. Malware and data scraping, document alteration, and identity theft have already made their presence felt in Southeast Asia. While these adversarial effects have been known for some time, their potential for harm remains substantial, especially on the business side.

Organisations are proactively addressing these challenges by conducting due diligence. This includes scrutinising AI sources, conducting third-party security assessments, evaluating supply chain risks, and demanding extensive documentation, audits, and adherence to standards. While standards in the AI space are still evolving, organisations are taking strides to ensure the AI tools they adopt meet specific criteria, inquiring about the standards used for the Software Development Life Cycle (SDLC).

From an operational perspective, organisations are enhancing visibility into AI applications and processes to detect, identify, and respond to potential adversarial effects. This comprehensive approach aims to mitigate risks while capitalising on the transformative potential of AI.

The role of cybersecurity in the BFSI sector assumes unprecedented significance. In this dynamic landscape, where data breaches and cyber incidents loom large as menacing threats, a robust cybersecurity culture is imperative. Non-compliance or vulnerability in this sector could lead to severe complications, as the importance of a strong security posture cannot be overstated in today’s threat landscape.

The very essence of a cybersecurity posture in digital BFSI ensures that data is not just protected, but also secured and resilient. The need for this resilience is underscored by the multifaceted challenges posed by advanced cyber threats. It is a battlefront where financial institutions face not only conventional adversaries but also emerging foes equipped with increasingly sophisticated tactics.