As 2024 enters its second half, cybersecurity remains a critical concern for financial institutions and their regulators.
The past year has brought numerous challenges, including inflation, climate issues, and geopolitical tensions, all of which have had a significant impact on the banking sector. Alongside these financial pressures there has been a notable rise in cybercrime. Breaches in financial services are among the most costly of any industry, averaging about $6 million per incident, second only to healthcare (see IBM’s Cost of a Data Breach Report 2024).
In response, regulators are intensifying oversight and emphasizing measures that strengthen the banking sector’s defenses against these threats. The practical result is that achieving cyber resilience while meeting regulatory compliance objectives is becoming steadily harder.
In this article, we review the current regulatory priorities and how they are expected to shift, the cyber risks trending in the financial services industry, and how banks can use the security requirements of .Bank to defend against cyber threats and strengthen their domain security posture.
A Brief Overview of Current Regulatory Priorities
As the entity responsible for maintaining stability and public confidence in the nation’s financial system, the Federal Deposit Insurance Corporation (FDIC) is focused on insuring deposits; examining and supervising financial institutions for safety and soundness and consumer protection; making large and complex financial institutions resolvable; and managing the resolution of failed banks.
For 2024, the FDIC’s focus is on five primary risk areas:
- Market, covering liquidity, deposits and funding, net interest margins, and interest rate risk.
- Climate, where it looks at the physical risk of severe weather and climate events to the banking system.
- Crypto-assets and their related markets and activities.
- Credit, which encompasses commercial and residential real estate, consumer, agriculture, small business, corporate debt and leveraged lending, nonbanks, and energy.
- Operational, which includes cybersecurity threats, illicit activity risks, and disruption to core business and operations from any hazard (whether internal, such as an ineffective cybersecurity program or a failure in a bank’s information systems, or external, such as malicious actors or natural disasters).
Likewise, Acting Comptroller of the Currency Michael J. Hsu recently emphasized several of these same risks in congressional testimony before the Committee on Financial Services, where he set out the Office of the Comptroller of the Currency (OCC) examination priorities for 2024; cybersecurity and operational risk are among them.
Previously, Hsu had offered specific remarks on Operational Resilience, noting that “as the threat surface for disruptions expands,” banks must place their “full time and attention” on managing risks to their critical systems and vendors.
Large consulting firms such as Deloitte and EY have also noted that regulatory scrutiny is increasing significantly. Unlike in the past, when regulatory focus was primarily on larger banks, mid-sized and smaller banks are now also under considerable pressure to track these risks and take preventative measures.
Each institution will set its own priorities for security, resilience, and compliance in the current environment, but one clear and consistent priority, as we review below, is robust cybersecurity as the underpinning of operational resilience. Banks must be able to respond to and recover from incidents, and must evolve their risk, resilience, and compliance practices as threats change. Neglecting these responsibilities risks customer harm, severe financial losses, and significant reputational damage.
Operational Resilience for Banking Cybersecurity Regulatory Compliance
Here, let’s take a moment to focus on the cybersecurity programs and systems that underpin a bank’s operational resilience. Guidance and regulations for US banks on this topic are brought together in one place by the Board of Governors of the Federal Reserve System, the OCC, and the FDIC in their interagency paper, Sound Practices to Strengthen Operational Resilience.
Navigating the 2024 risk landscape laid out by the FDIC presents challenges, particularly for banks with smaller budgets. Yet every bank must address cybersecurity risk proactively, especially as attackers continually evolve and the threat surface expands.
Banks also carry a significant obligation to comply with the many cyber incident notification requirements that apply once an incident has occurred. For example, the interagency Computer-Security Incident Notification Rule requires a bank to notify its primary federal regulator as soon as possible, and no later than 36 hours, after determining that a notification incident has occurred, which means the decision process and contacts must be worked out before an incident, not during one.
Cyber Risks Trending in Banking
According to the FDIC, phishing remains one of the most common cybersecurity threats and a top concern, since so many attacks, ransomware in particular, begin with it.
The IBM Cyber Security Intelligence Index notes that in 2023, phishing “was the preferred method (identified in 41 percent of incidents) that malicious cyber actors used to gain access to victimized networks and devices.” Hence the adage: hackers don’t break in, they log in.
As for ransomware, tactics are becoming more brazen.
Cybercriminals are no longer content with holding data hostage through encryption; they now threaten to publish stolen information and use multifaceted extortion, including double extortion (encryption plus the threat of a data leak) and triple extortion (adding pressure such as DDoS or direct contact with the victim’s customers), to extend the threat and the ransom demand. Banks have more to lose than most, facing reputational damage and competitive disadvantage, all of which can translate into customer impact and substantial financial losses.
In 2024, regulators are also increasingly worried about supply chain attacks.
Recent examples include the Evolve Bank & Trust breach disclosed in late June 2024 and the 2023 MOVEit Transfer attack and resulting data breaches. No matter how elaborate your bank’s own cybersecurity measures are, if a vendor suffers a breach, your bank’s data may be at stake too.
Cybercriminals understand this. They look for the weakest link in an organization’s defense posture, and it often lies in the supply chain. Given this, it’s no surprise that this type of attack increased 28% from the previous year.
Against the backdrop of international conflicts and geopolitical tensions, a growing number of state-sponsored and ideologically motivated groups are stepping up their activity. This is particularly visible in distributed denial of service (DDoS) attacks (Cloudflare reported a 117% year-over-year increase) and in email spoofing, including North Korean actors exploiting improperly configured DMARC policies (typically a policy of p=none, which asks receiving mail servers only to report spoofed mail rather than quarantine or reject it).
Finally, as with many newer technologies, Artificial Intelligence (AI) brings both risks and benefits. Use of generative AI is growing, and law enforcement is warning that cybercriminals are using it to perpetrate cybercrime and fraud. This new class of capable and easily accessible tools can produce highly convincing phishing emails, deepfake videos, and other deceptive content that make it easier for criminals to execute their schemes. The ability of AI to quickly analyze and exploit weaknesses in security systems is another significant concern for regulators.
CISA has developed an agency-wide AI roadmap to promote the responsible use of AI to enhance cybersecurity capabilities, ensure AI systems are protected from cyber threats, and deter the malicious use of AI against critical U.S. infrastructure. The financial sector likewise must prepare to take advantage of this technology, especially for cyber threat detection and monitoring, while mitigating the risks of AI-assisted fraud.
So, what’s the takeaway from all of these trends?
The regulatory focus for 2024 reflects a landscape of multifaceted, constantly evolving cybersecurity risks that demand sustained attention from financial institutions. Banks must adapt what they already have in place, take a more dynamic approach to cybersecurity, apply advanced technologies where they help, and practice rigorous risk management. Doing so safeguards their operations, maintains customer trust, and meets regulatory expectations.
How Banks Defend Cyber Threats with a .Bank Domain
With ever-evolving cyber threats, protecting your bank’s online presence can seem complex and daunting. Attackers need only a small window of opportunity, and can wreak havoc in a matter of minutes.
A secure foundation is crucial for effective cybersecurity. Moving to a .Bank domain, overseen by fTLD Registry and registered through a security-focused registrar, signals that your bank is prioritizing cybersecurity and taking proactive steps to improve its website and email security. Your bank’s domain must be as resilient as possible, free of the fundamental flaws in domain security that attackers exploit, and .Bank takes domain security to the next level with built-in security requirements and proactive compliance monitoring.
According to Chris Feeney, board member of fTLD Registry, while the banking sector continues its cybersecurity work, there are immediate measures banks can take to address and improve fundamental domain security:
“Examining recent security breaches shows attackers often capitalize on basic security gaps. A .Bank domain effectively mitigates many domain-based vulnerabilities through stringent security measures that are secure-by-default from the moment the domain is activated. This foundational security approach, combined with .Bank’s enhanced supply chain standards, verification, and proactive security monitoring, significantly elevates consumer trust and safeguards customer communications, ultimately benefiting the bank’s website and email cyber posture.”
At .Bank, we are committed to domain security for the banking sector. With a .Bank domain, banks guard against the most common cyberattacks and enjoy:
- Comprehensive domain and email security
- Protection of customer trust and loyalty
- Employee confidence and clarity
- A powerful marketing message about your bank’s cybersecurity
Regulatory scrutiny is likely to intensify, and this is expected to drive higher security standards. With a .Bank domain, the security requirements for your bank’s online presence and email communications are met by design, so your bank can focus on its core operations. Banks can demonstrate to customers, and evidence to regulators, how they prioritize cybersecurity.
fTLD Registry, the domain authority for .Bank, works only with banks and registrars that meet stringent standards, keeping .Bank exclusive to legitimate banks and security-focused registrars. Our Security Requirements include, among others, DNS Security Extensions (DNSSEC), which let resolvers verify that DNS answers for the domain are authentic and untampered. This is a first line of defense against DNS spoofing and cache poisoning, attacks that redirect customers to an impersonation of the bank’s site (note that DNSSEC authenticates the DNS data itself; protecting the site’s content and traffic is the job of TLS).
Digital identity and data controls underpin data security. With a .Bank domain, only authorized users can modify your bank’s domain and DNS data, and traffic to your bank’s site is protected by strong encryption in transit (TLS), reducing the risk of data theft, manipulation, or compromise.
Domain security wouldn’t be complete without secure email. With .Bank email, employees and customers can have confidence that mail from your bank’s domain is legitimate, thanks to .Bank’s mandatory email authentication requirements (SPF, DKIM, and DMARC). Complying with these requirements, which align with the Google and Yahoo bulk-sender requirements, also improves deliverability, meaning more of your email reaches customers’ inboxes.
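The DMARC misconfiguration exploited in the spoofing campaigns noted earlier, and the email authentication requirements described in this section, come down to what a domain’s SPF and DMARC TXT records actually say. The Python script below is an added example, not fTLD’s code and not a statement of .Bank’s exact requirements. It grades constructed sample records offline and flags the weak settings a practitioner checks for: a DMARC policy of p=none (which meets the bulk-sender minimum but tells receivers to deliver spoofed mail), a subdomain policy or pct weaker than the main policy, a missing reporting address, and an SPF record that ends in +all, ?all, or ~all. The domain names and record values are constructed; a real audit would first fetch the TXT records at _dmarc.<domain> and <domain>.

```python
"""Offline grader for SPF and DMARC TXT records (added example, not fTLD code)."""
import re

# Constructed sample records for hypothetical domains; no DNS lookups are made.
SAMPLE_RECORDS = {
    "weak.example": {
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
        "spf": "v=spf1 include:_spf.mailer.example ?all",
    },
    "half.example": {
        "dmarc": "v=DMARC1; p=quarantine; pct=50; sp=none; rua=mailto:dmarc@half.example",
        "spf": "v=spf1 ip4:203.0.113.0/24 ~all",
    },
    "strict.example": {
        "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strict.example",
        "spf": "v=spf1 ip4:203.0.113.0/24 -all",
    },
    "none.example": {"dmarc": None, "spf": None},
}

POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; None if this is not a DMARC1 record."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_dmarc(txt):
    """Return (grade, findings); grades: missing, invalid, monitor-only, partial, enforcing."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing", ["no DMARC1 record: receivers apply no policy to spoofed mail"]
    p = tags.get("p", "").lower()
    if p not in POLICY_STRENGTH:
        return "invalid", [f"p tag missing or unrecognised ({p!r}); receivers ignore the record"]
    findings = []
    if p == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    sp = tags.get("sp", p).lower()            # subdomain policy defaults to p
    if sp not in POLICY_STRENGTH:
        findings.append(f"sp={sp!r} unrecognised; assuming subdomains follow p")
        sp = p
    if POLICY_STRENGTH[sp] < POLICY_STRENGTH[p]:
        findings.append(f"sp={sp} is weaker than p={p}: subdomains can be spoofed")
    try:
        pct = int(tags.get("pct", "100"))     # share of failing mail the policy applies to
    except ValueError:
        pct = 100
        findings.append("pct is not numeric; assuming 100")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports, so abuse goes unseen")
    if p == "none":
        grade = "monitor-only"
    elif pct < 100 or POLICY_STRENGTH[sp] < POLICY_STRENGTH[p]:
        grade = "partial"
    else:
        grade = "enforcing"
    return grade, findings


LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=", re.I)


def assess_spf(txt):
    """Return (grade, findings); grades: missing, open, neutral, softfail, enforcing."""
    terms = txt.split() if txt else []
    if not terms or terms[0].lower() != "v=spf1":
        return "missing", ["no SPF record: receivers cannot check the sending host"]
    findings = []
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))   # top-level terms only
    if lookups > 10:
        findings.append(f"{lookups} lookup terms: over the limit of 10, SPF returns permerror")
    all_term = next((t for t in terms[1:] if re.fullmatch(r"[+\-~?]?all", t, re.I)), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unmatched senders get a neutral result")
        return "neutral", findings
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    grade, note = {
        "-": ("enforcing", None),
        "~": ("softfail", "~all: unmatched senders softfail, most receivers still deliver"),
        "?": ("neutral", "?all: SPF gives receivers no verdict"),
        "+": ("open", "+all: any host on the internet may send as this domain"),
    }[qualifier]
    if note:
        findings.append(note)
    return grade, findings


def audit(records):
    """Grade every domain in the sample set: {domain: {'dmarc': grade, 'spf': grade}}."""
    return {d: {"dmarc": assess_dmarc(r["dmarc"])[0], "spf": assess_spf(r["spf"])[0]}
            for d, r in records.items()}


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        for kind, fn in (("dmarc", assess_dmarc), ("spf", assess_spf)):
            grade, findings = fn(rec[kind])
            print(f"{domain:15} {kind.upper():5} {grade:12} {'; '.join(findings)}")
```

Run it and each sample record prints a grade with the reasons. The DMARC logic follows how a receiving server reads the record (p governs the organizational domain, sp the subdomains, pct the share of failing mail the policy is applied to), so a record can be valid and still leave the domain spoofable. The SPF lookup count covers only the terms visible in the record itself; a resolver also counts the terms inside every include it follows, so a real audit should expand those too.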
Bank employees remain a target for phishing and social engineering, which is why we go the extra step to provide educational tools and resources that help bankers build and sustain a cybersecurity culture.
.Bank: Your Ally in Banking Cybersecurity
The landscape of cybersecurity for banks in 2024 is complex and evolving.
Financial institutions face numerous challenges, from phishing and ransomware to supply chain vulnerabilities and AI-driven cybercrime.
This is where a .Bank domain comes in. By offering an exclusive domain tailored for banks, a .Bank domain helps banks keep their online presence and email channel secure. As cybersecurity threats continue to grow in complexity, leveraging trusted solutions like .Bank will be crucial for maintaining operational resilience and trust in the digital age.
Schedule a meeting, and discover how a .Bank domain can keep your bank’s good name protected and secure.