• Enhanced Regulatory Focus on Cybersecurity Resilience:

    In response to the increasing frequency and sophistication of cyberattacks, regulators worldwide are tightening cybersecurity regulations. Financial institutions must comply with frameworks like the European Union's Digital Operational Resilience Act (DORA) or the U.S. Cybersecurity Maturity Model Certification (CMMC). These regulations emphasise the need for robust cybersecurity resilience, requiring organisations to demonstrate their ability to prevent, detect, respond to, and recover from cyber incidents. Failure to meet these regulatory requirements can result in significant penalties, mandatory remediation efforts, and reputational damage.

  • Data Protection and Privacy Regulations:

    Data protection regulations such as GDPR, CCPA, and similar laws require financial institutions to report data breaches promptly to regulators and affected individuals. The reporting window is short (e.g. 72 hours under GDPR), and failure to comply can result in hefty fines. In 2024, regulators are expected to enforce these requirements more rigorously, emphasising the need for financial institutions to have robust incident detection, response, and reporting mechanisms in place.

    With the proliferation of high-profile data breaches and growing concerns about data privacy, regulators are likely to increase penalties for non-compliance with data protection laws. This includes not only the immediate financial penalties but also potential restrictions on business operations, such as limiting data processing activities.

    Financial institutions must ensure comprehensive compliance with data protection regulations, including secure data storage, encryption, access controls, and the ability to demonstrate accountability through audits and documentation.

  • Third-Party Risk Management Compliance:

    As financial institutions increasingly rely on third-party vendors and service providers for various operations, regulators are placing greater emphasis on third-party risk management. Financial organisations must ensure that their vendors comply with cybersecurity standards and do not introduce vulnerabilities into the supply chain. This includes conducting regular assessments, audits, and due diligence to ensure that third parties meet regulatory requirements. Regulatory bodies are likely to impose fines or other penalties if a third-party breach leads to significant security incidents.

  • Risks to Regulatory Compliance 2024 – AI Focus:

    AI & Fraud:

    The trend for AI to be used to exploit weaknesses in financial services systems is growing. As financial institutions increasingly use AI to detect fraud, attackers are developing AI techniques to bypass these systems. This includes using AI to understand how fraud detection algorithms work and then crafting transactions that avoid detection.

    For instance, adversaries are using AI to bypass AML (Anti-Money Laundering) and KYC (Know Your Customer) checks by creating realistic but fake identities or transactions.

    Automated Phishing Attacks:

    AI is being used to automate and scale phishing attacks, making them more convincing and harder to detect. AI can analyse social media and other data to craft highly personalised phishing emails, increasing the likelihood of success.

    Deepfakes and Synthetic Identity Fraud:

    AI-generated deepfakes (both video and audio) can be used to impersonate executives or customers, leading to unauthorised transactions or the theft of sensitive information. Similarly, AI can create synthetic identities that can be used for fraudulent activities.

    AI-Driven Malware:

    Attackers are using AI to develop more sophisticated malware that can adapt and evolve to avoid detection. This includes self-learning malware that can change its code in response to security measures.

    Model Inversion and Extraction:

    Adversaries can also use AI to reverse-engineer machine learning models used by financial institutions, potentially exposing proprietary algorithms or sensitive data used in the training process.

    Poisoning Attacks:

    Attackers can also inject malicious data into the training datasets of AI models, causing the model to behave unpredictably or incorrectly. In a financial context, this could lead to incorrect risk assessments, credit scoring, or trading decisions.

    AI in Insider Threats:

    AI can be used by malicious insiders to exfiltrate data more efficiently or to cover their tracks. Conversely, AI tools designed to detect insider threats can themselves become targets for adversarial manipulation.

    AI-Augmented Social Engineering:

    Cybercriminals are leveraging AI-powered chatbots and voicebots to conduct social engineering attacks, tricking employees or customers into divulging sensitive information. These AI systems can mimic human interactions with high fidelity, making them particularly dangerous.

    AI & Ransomware:

    As an attack methodology, typically combined with phishing as the point of entry, ransomware remains one of the core risks for financial services firms. AI is also being integrated into ransomware to improve its effectiveness. AI can help ransomware identify and prioritise high-value targets within an organisation, making it more damaging and increasing the likelihood of a ransom being paid.

    Within 6 months in 2023, the Financial Conduct Authority (FCA) received 51 cyber incident reports, and 31% of these attacks were categorised as ransomware. To prevent this type of attack, organisations should adopt strong security measures and user awareness training so that these issues are identified before they cause mass disruption and impact.

  • Mitigation Strategies:

    To address these emerging threats, financial services organisations should adopt several key strategies:

    AI-Driven Defence: Use AI to bolster cybersecurity defences, such as using machine learning for anomaly detection, threat intelligence, and automated response systems.

    Continuous Monitoring and Updating: Implement continuous monitoring of systems and regularly update models to guard against adversarial attacks and data poisoning.

    Robust Data Governance: Establish strong data governance frameworks to ensure the integrity, confidentiality, and availability of data used by the organisation.

    Employee Training: Conduct regular training for employees to recognise cyber threats, particularly social engineering and phishing attempts.

    Collaboration with Regulators: Engage with regulators to develop frameworks that address the unique cyber risks posed in financial services.


    Tested Incident Response Plans:

    Test your incident response plan against multiple scenarios to ensure that, in the event of a major disruption, teams are prepared and understand their roles/responsibilities.

  • Reducing Supply Chain Risks:

    As digital estates expand, the risks from the supply chain also increase. Whilst a financial organisation might not have responsibility for securing their supply chain, they are accountable for understanding where their data is, how it’s protected and the potential impact if it was breached. From here, they can profile their supply chain risks and have a better understanding of how they can be impacted.

  • Aligning to industry standards:

    To mitigate many cyber security risks, it is recommended that financial organisations adopt and align themselves with key governance frameworks and standards such as NIST or ISO 27001, or adopt best practice by implementing the Cyber Assessment Framework (CAF) or Center for Industry Standards (CIS) benchmarks. With the incoming NIS 2 Directive, it is important for organisations to adopt a formal and complete process for their cyber security activities. The directive's aim is to protect systems from incidents by requiring, at a minimum:

    • Policies on risk analysis and information security
    • Processes for incident response
    • Business continuity plans
    • Cyber security due diligence across their supply chain
    • Basic cyber hygiene practices and cyber security training
    • Defined methods of encryption
    • Structured approaches to access control and asset management
    • The use of MFA and secured communications

    With the broader regulatory landscape's growing emphasis on cybersecurity and data protection in 2024, financial institutions must navigate these evolving requirements to maintain compliance, protect customer data, and safeguard their operations against emerging threats.