Trustwave's 2024 Financial Services Threat Reports Highlight Alarming Trends in Insider Threats & Phishing-as-a-Service. Learn More

Trustwave's 2024 Financial Services Threat Reports Highlight Alarming Trends in Insider Threats & Phishing-as-a-Service. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

FINRA Warns of Rising Risks as Third-Party Cyberattacks Threaten Financial Services

Earlier this month, the Financial Industry Regulatory Authority (FINRA) posted a cybersecurity advisory highlighting the recent cybersecurity risks of third parties impacting its members and financial services organizations. The recently released Trustwave SpiderLabs 2024 Trustwave Risk Radar Report: Financial Services Sector underscores FINRA's concern about the escalating threat landscape facing the financial industry.

FINRA, which first warned of supply chain attacks in 2005, noted in the advisory that it has observed an increase in third-party attacks and outages due to other causes in the last year. To counter this and remain safe, it reminded its member obligation to establish and maintain a supervisory system, including written supervisory procedures, for any activities or functions performed by third-party providers that are reasonably designed to achieve compliance with applicable securities laws and regulations and with applicable FINRA rules.

FINRA is a non-profit organization that regulates the securities industry in the US to protect investors and ensure the integrity of the securities markets. FINRA writes and enforces rules for broker-dealers and brokers, examines firms for compliance, and educates investors. FINRA also administers qualifying exams for securities professionals and has enforcement capabilities. Sanctions can include fines, suspensions, restitution, and bars from FINRA membership.

 

Financial Services Under Attack

Trustwave SpiderLabs report showed ransomware is the preferred malware of threat groups, as evidenced by the fact that 20% of all ransomware attacks struck banking institutions and 65% of all ransomware attacks took place against targets located in the US. The ransomware threat is pertinent to FINRA's concern about third-party vulnerabilities, which can be traced to the fact that some of the most prominent ransomware attacks over the last several years began with an attack on the victim's supply chain.

In May 2021, one of the most publicized supply chain attacks occurred when the threat group DarkSide struck the fuel distribution company Colonial Pipeline by exploiting a vulnerable component within a legacy VPN that the company should have decommissioned. The group inserted ransomware and shut down the company's ability to supply fuel causing chaos in several US states as consumers panicked.

In the July 2021 attack on Kaseya, the company said the attacker exploited zero-day vulnerabilities in its VSA product enabling it to bypass authentication and run arbitrary command execution.  This move allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints.  Attackers accessed Kaseya and pushed ransomware out to the company's clients.

Trustwave SpiderLabs analyzed ransomware incidents targeting the financial services sector and identified  and LockBit as the predominant groups operating in this space. Last year, ALPHV accounted for 10% of attacks, but this year their share has increased to 24%. Similarly, LockBit's share was 24% last year, compared to 23% this year.

 

Third-Party Threat Warnings Ignored

However, despite the potential for an attack against individual members and the broader FINRA membership and their obligation to shore up their supply chain security, the organization has noted several negative recurring themes during examinations of third-party provider risk management procedures among some members. These issues include:

  • Not establishing adequate third-party provider risk management policies
  • Not conducting initial or ongoing due diligence on its third-party providers that support key systems
  • Not validating data protection controls in third-party provider contracts
  • Not involving third-party providers that support key systems in the testing of their Incident Response Plan
  • Not having procedures that address the return or destruction of firm data at the termination of a third-party provider contract
  • Not addressing third-party providers' use of vendors (i.e., fourth-party providers) that may handle firm data.

How to Defend Against Third-Party Attacks

Trustwave SpiderLabs, in its report, and FINRA noted in its advisory that it is possible for firms that experienced a cybersecurity incident related to a third-party provider to successfully respond, recover, and prevent further damage by implementing several key actions in their cybersecurity programs.

The Trustwave SpiderLabs handbook of mitigation cites:

  • Financial services organizations must ensure their own systems and those belonging to third-party partners are secure and protected by the latest security measures. This can be achieved through regular penetration tests and vulnerability scans.
  • Maintain an inventory management system for all software, including vendor-developed software components, operating systems, version and model numbers.
  • Implement a routine vulnerability scan before installing any new applications, devices, or technology onto the IT environment.

FINRA Recommends:

  • Conducting ongoing monitoring and risk assessments of third-party providers
  • Segmenting networks and using identity checks along with multi-factor authentication (MFA)
  • Implementing MFA for employees through an authentication application while reducing the time limits on users' session tokens
  • Prioritizing patching efforts and applied fixes to address high-risk vulnerabilities.

Additionally, FINRA said financial services that successfully recovered from a third party attack proactively created a catalog of data types and assessed whether personally identifiable information (PII) or firm-sensitive information was transmitted to or accessed by a third-party provider.  They also performed ongoing monitoring for lookalike website domains and phishing emails, and quickly identified anomalous behavior related to credential misuse and incorporated this behavior into employee phishing tests to raise threat awareness.

Furthermore, firms refined incident response and business continuity plans to prepare for scenarios where a third-party provider is taken offline or unable to operate and identified alternative communication channels to contact providers outside of the network. They regularly tested for failover situations and practiced recovery scenarios from offline backups or when data was rerouted to alternative locations.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo