Trustwave Blog

FINRA Warns of Rising Risks as Third-Party Cyberattacks Threaten Financial Services

Written by | Sep 25, 2024

Earlier this month, the Financial Industry Regulatory Authority (FINRA) posted a cybersecurity advisory highlighting the recent cybersecurity risks of third parties impacting its members and financial services organizations. The recently released Trustwave SpiderLabs 2024 Trustwave Risk Radar Report: Financial Services Sector underscores FINRA's concern about the escalating threat landscape facing the financial industry.

FINRA, which first warned of supply chain attacks in 2005, noted in the advisory that it has observed an increase in third-party attacks, and in outages due to other causes, over the last year. To counter this and remain safe, it reminded members of their obligation to establish and maintain a supervisory system, including written supervisory procedures, for any activities or functions performed by third-party providers, reasonably designed to achieve compliance with applicable securities laws and regulations and with applicable FINRA rules.

FINRA is a non-profit organization that regulates the securities industry in the US to protect investors and ensure the integrity of the securities markets. FINRA writes and enforces rules for broker-dealers and brokers, examines firms for compliance, and educates investors. FINRA also administers qualifying exams for securities professionals and has enforcement capabilities. Sanctions can include fines, suspensions, restitution, and bars from FINRA membership.


Financial Services Under Attack

The Trustwave SpiderLabs report showed that ransomware is the preferred malware of threat groups: 20% of all ransomware attacks struck banking institutions, and 65% of all ransomware attacks were against targets located in the US. The ransomware threat bears directly on FINRA's concern about third-party vulnerabilities, because some of the most prominent ransomware attacks of the last several years began with an attack on the victim's supply chain.

In May 2021, one of the most publicized supply chain attacks occurred when the threat group DarkSide struck the fuel distribution company Colonial Pipeline by exploiting a vulnerable component within a legacy VPN that the company should have decommissioned. The group deployed ransomware and shut down the company's ability to supply fuel, causing chaos in several US states as consumers panicked.

In the July 2021 attack on Kaseya, the company said the attacker exploited zero-day vulnerabilities in its VSA product, enabling it to bypass authentication and execute arbitrary commands. This allowed the attackers to use standard VSA product functionality to deploy ransomware to endpoints: having gained access through Kaseya, they pushed ransomware out to the company's clients.

Trustwave SpiderLabs analyzed ransomware incidents targeting the financial services sector and identified ALPHV and LockBit as the predominant groups operating in this space. Last year, ALPHV accounted for 10% of attacks, but this year its share has increased to 24%. LockBit's share, by comparison, was 24% last year and 23% this year.


Third-Party Threat Warnings Ignored

Despite the potential for an attack against individual members and the broader FINRA membership, and despite members' obligation to shore up their supply chain security, FINRA has noted several recurring negative themes during examinations of some members' third-party provider risk management procedures. These issues include:

  • Not establishing adequate third-party provider risk management policies
  • Not conducting initial or ongoing due diligence on its third-party providers that support key systems
  • Not validating data protection controls in third-party provider contracts
  • Not involving third-party providers that support key systems in the testing of their Incident Response Plan
  • Not having procedures that address the return or destruction of firm data at the termination of a third-party provider contract
  • Not addressing third-party providers' use of vendors (i.e., fourth-party providers) that may handle firm data.

How to Defend Against Third-Party Attacks

Both the Trustwave SpiderLabs report and the FINRA advisory note that firms that experienced a cybersecurity incident involving a third-party provider were able to respond, recover, and prevent further damage by implementing several key actions in their cybersecurity programs.

The Trustwave SpiderLabs report's mitigation guidance includes:

  • Ensure the organization's own systems and those belonging to third-party partners are secure and protected by the latest security measures, verified through regular penetration tests and vulnerability scans.
  • Maintain an inventory management system for all software, including vendor-developed software components, operating systems, and version and model numbers.
  • Run a vulnerability scan before installing any new application, device, or technology in the IT environment.

FINRA Recommends:

  • Conducting ongoing monitoring and risk assessments of third-party providers
  • Segmenting networks and using identity checks along with multi-factor authentication (MFA)
  • Implementing MFA for employees through an authentication application while reducing the time limits on users' session tokens
  • Prioritizing patching efforts and applying fixes to address high-risk vulnerabilities.
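The session-token recommendation above is easy to state and easy to get wrong in practice. The following is an added example, not code from Trustwave, FINRA, or any product they describe; it assumes a constructed server secret, a weak eight-hour lifetime beside a hardened fifteen-minute one (both illustrative values), and an HMAC-SHA256 signed token that records whether the session was opened with a second factor, so the verifier can refuse sessions that skipped MFA.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server secret for this example; a deployment loads it from a secrets manager.
SESSION_SECRET = b"example-only-session-signing-secret"

# Weak setting (illustrative): a token that lives a full working day keeps a stolen cookie usable all day.
WEAK_TTL_SECONDS = 8 * 60 * 60
# Hardened setting (illustrative): a short lifetime forces renewal and bounds the window for token replay.
HARDENED_TTL_SECONDS = 15 * 60


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, the usual encoding for bearer tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, ttl_seconds: int, mfa_verified: bool, now: Optional[float] = None) -> str:
    """Issue an HMAC-SHA256 signed session token that expires ttl_seconds from now.

    The mfa claim records that the session was opened with a second factor;
    verify_token refuses sessions that were not.
    """
    now = time.time() if now is None else now
    claims = {"sub": user, "iat": int(now), "exp": int(now) + ttl_seconds, "mfa": mfa_verified}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    signature = hmac.new(SESSION_SECRET, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(signature)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims for a correctly signed, unexpired, MFA-backed token; otherwise None."""
    now = time.time() if now is None else now
    try:
        body, signature = token.split(".", 1)
        expected = hmac.new(SESSION_SECRET, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison so signature checking does not leak timing information.
        if not hmac.compare_digest(expected, _unb64(signature)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeError):
        # Malformed base64, a missing separator, or bad JSON all mean "not a valid token".
        return None
    if not claims.get("mfa") or claims.get("exp", 0) <= now:
        return None
    return claims


if __name__ == "__main__":
    issued_at = time.time()
    weak = issue_token("alice", WEAK_TTL_SECONDS, True, issued_at)
    hardened = issue_token("alice", HARDENED_TTL_SECONDS, True, issued_at)
    one_hour_later = issued_at + 3600
    print("weak token still valid after one hour:", verify_token(weak, one_hour_later) is not None)
    print("hardened token still valid after one hour:", verify_token(hardened, one_hour_later) is not None)
```

The `now` parameter exists so the expiry logic can be tested deterministically; in production callers leave it unset. Shortening the lifetime only helps if the renewal path itself re-checks that the session is still valid, which is why renewal should go through `verify_token` rather than simply re-issuing on any request.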

Additionally, FINRA said financial services firms that successfully recovered from a third-party attack had proactively created a catalog of data types and assessed whether personally identifiable information (PII) or firm-sensitive information was transmitted to or accessed by a third-party provider. They also performed ongoing monitoring for lookalike website domains and phishing emails, quickly identified anomalous behavior related to credential misuse, and incorporated this behavior into employee phishing tests to raise threat awareness.
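Two of the practices in the paragraph above, monitoring for lookalike domains and spotting anomalous credential use, can be approximated with a few dozen lines. The following is an added example, not code from Trustwave or FINRA: it assumes a constructed firm domain (`examplebank.com`), a partial homoglyph table, a constructed authentication log in a key=value format, and two simple misuse signals (a success after a burst of failures, and one account succeeding from two different sources inside a short window). Real monitoring would feed newly registered domains and the identity provider's logs into the same checks.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from difflib import SequenceMatcher
from typing import List, Tuple

FIRM_DOMAIN = "examplebank.com"   # constructed firm domain for this example

# Partial table of substitutions seen in lookalike registrations: digits and letter
# pairs that resemble Latin letters, plus a few Cyrillic homoglyphs (a, e, o, p, c).
REPLACEMENTS = [
    ("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"), ("\u0441", "c"),
]


def registrable_label(domain: str) -> str:
    """Second-level label of a domain ('login.examplebank.com' -> 'examplebank')."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Fold common homoglyph tricks so 'examp1ebank' and a Cyrillic-a spelling both become 'examplebank'."""
    text = label.lower()
    for bad, good in REPLACEMENTS:
        text = text.replace(bad, good)
    return text


def lookalike_verdict(candidate: str, firm: str = FIRM_DOMAIN) -> Tuple[bool, str]:
    """Classify a newly observed domain against the firm's own domain."""
    if candidate.lower().strip(".") == firm.lower():
        return False, "firm domain"
    cand, brand = normalize(registrable_label(candidate)), normalize(registrable_label(firm))
    if cand == brand:
        return True, "homoglyph or alternate-TLD variant"
    if brand in cand:
        return True, "brand name embedded"
    ratio = SequenceMatcher(None, cand, brand).ratio()   # cheap edit-similarity for typo squats
    if ratio >= 0.85:
        return True, f"near-miss spelling (similarity {ratio:.2f})"
    return False, "unrelated"


# Constructed authentication log: five failures then a success for jdoe, and two
# successes for asmith from different sources two minutes apart.
AUTH_LOG = """\
2024-09-20T08:01:10Z user=jdoe result=fail src=203.0.113.5
2024-09-20T08:01:12Z user=jdoe result=fail src=203.0.113.5
2024-09-20T08:01:15Z user=jdoe result=fail src=203.0.113.5
2024-09-20T08:01:18Z user=jdoe result=fail src=203.0.113.5
2024-09-20T08:01:21Z user=jdoe result=fail src=203.0.113.5
2024-09-20T08:01:30Z user=jdoe result=success src=203.0.113.5
2024-09-20T08:05:00Z user=asmith result=success src=198.51.100.7
2024-09-20T08:07:00Z user=asmith result=success src=192.0.2.44
2024-09-20T09:00:00Z user=bjones result=success src=198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>success|fail) src=(?P<src>\S+)$")


def parse_auth_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse (timestamp, user, result, source) tuples; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            ts = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append((ts, match["user"], match["result"], match["src"]))
    return sorted(events)


def flag_credential_misuse(events, fail_threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Emit an alert for a success after fail_threshold failures, and for one account
    succeeding from two different sources within the window."""
    alerts = []
    by_user = defaultdict(list)
    for event in events:
        by_user[event[1]].append(event)
    for user, user_events in by_user.items():
        failures, last_success = 0, None
        for ts, _, result, src in user_events:
            if result == "fail":
                failures += 1
                continue
            if failures >= fail_threshold:
                alerts.append(f"{user}: success from {src} after {failures} failures")
            failures = 0
            if last_success and src != last_success[1] and ts - last_success[0] <= window:
                alerts.append(f"{user}: success from {src} and {last_success[1]} within {int(window.total_seconds())}s")
            last_success = (ts, src)
    return alerts
```

Both detectors are deliberately simple: the domain check raises a candidate for a human to look at rather than blocking anything, and the login check only reasons about counts and timing, so it works on any identity provider's logs once the parser is adapted to that format. Alerts from the second check are exactly the kind of observed behavior the paragraph above describes feeding back into employee phishing tests.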

Furthermore, firms refined incident response and business continuity plans to prepare for scenarios where a third-party provider is taken offline or unable to operate and identified alternative communication channels to contact providers outside of the network. They regularly tested for failover situations and practiced recovery scenarios from offline backups or when data was rerouted to alternative locations.