On January 31, 2023, the Financial Services Information Sharing and Analysis Center (FS-ISAC) released a report entitled “The Evolution of DDoS: Return of the Hacktivists.” The report warns financial firms to expect a 22% rise in Distributed Denial of Service (DDoS) attacks in 2023. Other cyber-attacks against financial institutions also rose sharply in 2022: Sophos, a commercial security software and appliance vendor, reports that 55% of the financial institutions it surveyed were hit by ransomware in 2022, up from 34% the previous year.
The FS-ISAC report follows announcements by the Russian hacktivist group Killnet of its intent to target the healthcare and transportation industries in retaliation against NATO countries providing support to Ukraine. To back up its claims and add weight to its threats, Killnet published on a public Telegram page a list of the healthcare institutions it purportedly attacked, some of them sorted by state. While Killnet has not *yet* publicly threatened the financial industry, the rise in hacktivism and its widening net of victims is troubling given the financial sector’s historic difficulty adapting to the modern cybersecurity climate.
Approximately one year ago, Sultan Meghji, then Chief Innovation Officer of the Federal Deposit Insurance Corporation (FDIC), announced his resignation in an editorial for Bloomberg. Although Meghji’s role was to “kickstart a technological transformation of America’s financial system, focusing on modernization and confronting threats from criminals, terrorists and especially Russia and China[,]” he encountered resistance from within the FDIC and its partner organizations. Pointing to a lack of subject matter expertise, Meghji chastised the financial regulators, stating that “I estimate that across the agencies I encountered, less than one-tenth of staff had a basic understanding of the technologies they regulate. Even senior officials — those who lead regulatory development and implementation — are baffled by concepts like fintech, the dark web and even financial apps.”
Last week the FDIC’s Office of Inspector General released an audit report on the FDIC’s Information Technology Risk Examination (InTRex) program. The findings were scathing, noting that current IT examination policies are incomplete, outdated, and not followed by undertrained staff. Consistent with the current wave of DDoS attacks by hacktivist groups, the audit identified phishing campaigns, data breaches, supply chain attacks, and DDoS attacks as the largest risks facing the financial industry.
Because cybersecurity is a rapidly changing field, courts across the country often fall back on a basic negligence standard to decide whether a business or organization owed a duty to the affected victims to protect them from the harm that followed a cyber-attack. Generally, negligence turns on what the party with the alleged duty of protection knew beforehand. For example, a grocery store that has just mopped its floors posts a wet-floor warning precisely so that it cannot later be accused of negligently failing to warn its customers of a known slipping hazard.
The “Safeguards Rule” under the Gramm-Leach-Bliley Act (recently amended in January 2023) requires financial institutions to protect consumer information, provide privacy policies, conduct cybersecurity risk assessments, and train staff. Individual consumers, however, cannot enforce the Safeguards Rule themselves; enforcement is left to the Federal Trade Commission (FTC).
That leaves negligence as an individual’s most likely avenue of civil recovery against a financial institution that has neglected cybersecurity precautions. Under that theory, the victim carries the burden of proving that the institution “knew or should have known” of the risk and nonetheless failed to take reasonable precautions against the cyber-attack.
Given the recent FDIC audit, the reports from commercial security vendors, the intelligence distributed through the FS-ISAC, and the updates to the Safeguards Rule, the financial industry must raise its guard against these threats to avoid future damages and litigation. That may mean contracting a secondary DNS provider so that name resolution survives a DDoS attack aimed at the primary provider (noting that this does nothing for traffic aimed at the institution’s own web front end, which calls for upstream scrubbing or similar capacity), updating firewall configurations, layering overlapping defenses, or restricting the use of web applications known to be ripe for exploitation. In any case, banks and financial institutions should expect both increased pressure from bad actors and heightened expectations for their cybersecurity measures in 2023.