This week, Cathy Bessant, Chief Operations and Technology Officer at Bank of America, gave a stark warning about cyberattacks on U.S. financial institutions, saying, “there’s no question that the rate and pace of attacks, and the nature of attacks, has grown dramatically.”
“Criminals are by definition very crafty, very entrepreneurial – and times of stress produce opportunities,” Bessant told journalists during a virtual briefing Monday. The company’s centralized global information-security unit has boosted spending in recent years to about US$1 billion. Further, about 64% of finance executives expect cybersecurity budgets to keep rising, a separate Deloitte survey showed.
Earlier this year, China Tech Threat published a report showing that cyber-attacks against financial organizations are growing in frequency and severity, and that U.S. banks are the most targeted.
Dr. Roslyn Layton wrote that the People’s Republic of China (PRC) is the leading adversary and advanced persistent threat (APT) actor against the United States through. It uses cyber-attacks to conduct theft, espionage, and disruption. The PRC is the only threat actor with a leading information technology (IT) industry, one which increasingly supplies the IT products and services used by U.S. financial organizations.
The U.S. cyber policy approach, which restricts some PRC-owned IT firms but not others, is needlessly complex and invites exploitation. Federal policy restricts some purchases from Huawei, Lenovo, Hikvision, and others for security reasons, but does not communicate the threats and mitigations in a way that is actionable for banks or end users.
Therefore, U.S. financial organizations should proactively conduct cyber resilience audits, remove elements with vulnerabilities, and adopt NATO’s risk reduction strategy to avoid sourcing IT from authoritarian countries.
We applaud the growing attention of Bank of America and other large U.S. financial institutions on this ever-important topic. As Dr. Layton notes in the paper, “there is no silver bullet but following best practices and continually auditing their systems and equipment will help financial organizations stay ahead of attackers—and better protect U.S. financial organizations’ assets, reputation, and shareholder value.”