Cyber threats directed at the financial services and insurance (FSI) industry have grown rapidly over the course of 2022, driven by digital transformation and regulation such as open banking, according to new research from Imperva.
Imperva Threat Research found that more than a quarter of all cyberattacks (28%) hit FSI businesses, double the share of the next most-targeted sector. Application Programming Interface (API) abuse, DDoS attacks, and bad bots were three of the biggest cybersecurity challenges for the industry.
The growing risk associated with API-related security threats should be particularly concerning for the financial services industry, as APIs are the invisible connective tissue that enables applications to share data and ‘talk’ to each other. Imperva Threat Research found that 30% of all API traffic in this industry goes through shadow APIs, which represents a major security risk for businesses. Shadow APIs are APIs that are unsupervised or outside the security team’s visibility, yet connect directly to backend databases where sensitive data is stored. In recent years, hackers have increasingly targeted APIs as a pathway to the underlying infrastructure and a means of exfiltrating sensitive information; one in every 13 cyber incidents is estimated to be related to API insecurity.
Since 2018, open banking has required banks and other financial businesses to allow third-party providers access to customers’ banking data through APIs, dramatically increasing the amount of sensitive financial data they exchange. Open banking and digital transformation have significantly increased the number of APIs in use in the financial services industry. Nearly half of all businesses have between 50 and 500 APIs deployed, while many large enterprises already have over a thousand active APIs. The scale of unmonitored API traffic is substantially higher than in other industries, suggesting that FSI companies’ implementation of open banking standards may have inadvertently created a serious, industry-wide security threat.
“The scale of the shadow API problem should be a concern for every business,” says Andy Zollo, RVP for EMEA at Imperva.
“The idea that a third of all that traffic is going unmonitored shows that organisations urgently need to address their API protection strategies,” he says.
“APIs connect directly to the data layer, so businesses have to see API security as an extension of their data security strategy. Every organisation needs full visibility over every API in their environment, what data is flowing through each one, and who’s accessing it.”
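The shadow-API figure above comes down to a gap between the routes a security team knows about and the routes that actually carry traffic. One practical way to measure that gap is to reconcile gateway access logs against the documented API inventory. The script below is an added illustration of that reconciliation, not Imperva's research tooling or any product's code: the route inventory, the log format and the sample log lines are all constructed for the example, and real deployments would load the inventory from their OpenAPI specs or gateway configuration and the log lines from their gateway.

```python
import re
from collections import Counter

# Constructed inventory of documented routes, written as OpenAPI-style path
# templates. A real deployment would load these from its API specs or gateway.
DOCUMENTED_ROUTES = {
    ("GET", "/v1/accounts/{id}"),
    ("GET", "/v1/accounts/{id}/transactions"),
    ("POST", "/v1/payments"),
}

# Constructed sample of gateway access log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 "GET /v1/accounts/1042 HTTP/1.1" 200
10.0.0.5 "GET /v1/accounts/1042/transactions?limit=50 HTTP/1.1" 200
10.0.0.9 "POST /v1/payments HTTP/1.1" 201
10.0.0.7 "GET /internal/export/customers HTTP/1.1" 200
10.0.0.7 "GET /internal/export/customers HTTP/1.1" 200
10.0.0.8 "DELETE /v1/accounts/77 HTTP/1.1" 204
10.0.0.3 "GET /v0/legacy/balances/9981 HTTP/1.1" 200
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# Path segments that look like identifiers (digits or UUIDs) are collapsed to
# {id} so that /accounts/1042 and /accounts/77 map to one route template.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f-]{27})$")


def normalise(path: str) -> str:
    """Strip the query string and replace identifier-like segments with {id}."""
    path = path.split("?", 1)[0]
    parts = [("{id}" if ID_SEGMENT.match(p) else p) for p in path.split("/")]
    return "/".join(parts)


def observed_routes(log_text: str) -> Counter:
    """Count requests per (method, route template) seen in the access log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[(m["method"], normalise(m["path"]))] += 1
    return counts


def find_shadow_routes(log_text: str, documented=DOCUMENTED_ROUTES) -> dict:
    """Return observed routes absent from the inventory, with request counts.

    Both an undocumented path and an undocumented method on a documented path
    (here DELETE on /v1/accounts/{id}) count as shadow routes.
    """
    seen = observed_routes(log_text)
    return {route: n for route, n in seen.items() if route not in documented}


if __name__ == "__main__":
    for (method, route), n in sorted(find_shadow_routes(SAMPLE_LOG).items()):
        print(f"undocumented: {method} {route}  ({n} requests)")
```

Run on the constructed log, the reconciliation surfaces three undocumented routes: an internal export endpoint, a legacy version of the API, and an unexpected DELETE on an otherwise documented resource. Each is a candidate for review, since traffic to it is by definition outside the documented surface the security team is protecting.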
A second key threat for FSI businesses is bad bots. Bad bots, automated software applications created with malicious intent, made up more than a quarter (27%) of all traffic to FSI businesses last year, in line with the average across industries. Account takeover (ATO), a common bot attack, heavily targets the FSI industry, with almost 40% of all ATO attacks hitting a financial site.
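Bot-driven account takeover usually shows up in authentication logs before it shows up anywhere else: one source tries many different accounts in a short window, and any success that follows such a spray deserves a closer look. The script below is an added example of that detection logic, not Imperva's bot-management code; the event format, the sample events, the 60-second window and the five-account threshold are all assumptions constructed for the example, and a production detector would tune them to its own login volumes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events, not real data.
# Fields: timestamp, source IP, username, outcome (OK or FAIL).
SAMPLE_EVENTS = """\
2023-03-01T10:00:01Z 203.0.113.7 alice FAIL
2023-03-01T10:00:02Z 203.0.113.7 bob FAIL
2023-03-01T10:00:02Z 203.0.113.7 carol FAIL
2023-03-01T10:00:03Z 203.0.113.7 dave FAIL
2023-03-01T10:00:03Z 203.0.113.7 erin FAIL
2023-03-01T10:00:04Z 203.0.113.7 frank OK
2023-03-01T10:00:10Z 198.51.100.2 alice FAIL
2023-03-01T10:00:40Z 198.51.100.2 alice OK
2023-03-01T10:05:00Z 192.0.2.9 grace OK
"""

WINDOW = timedelta(seconds=60)        # assumed sliding window
DISTINCT_USER_THRESHOLD = 5           # assumed: distinct accounts failed per IP in WINDOW


def parse_events(text: str) -> list:
    """Parse the constructed log format into (time, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def detect_credential_stuffing(text: str, window=WINDOW, threshold=DISTINCT_USER_THRESHOLD):
    """Flag source IPs whose failed logins span >= `threshold` distinct usernames
    inside `window`, and list every account that then logs in successfully from
    a flagged IP (a candidate takeover for the fraud team to verify).

    A single user retrying their own password (198.51.100.2 below) does not
    trip the rule, because it keys on distinct usernames rather than raw failures.
    """
    events = sorted(parse_events(text))
    failures = defaultdict(list)      # ip -> [(time, user)] failed attempts
    flagged_ips = set()
    suspect_logins = []
    for ts, ip, user, outcome in events:
        if outcome == "FAIL":
            failures[ip].append((ts, user))
            recent = {u for t, u in failures[ip] if ts - t <= window}
            if len(recent) >= threshold:
                flagged_ips.add(ip)
        elif outcome == "OK" and ip in flagged_ips:
            suspect_logins.append((ip, user))
    return flagged_ips, suspect_logins


if __name__ == "__main__":
    ips, logins = detect_credential_stuffing(SAMPLE_EVENTS)
    print("flagged sources:", sorted(ips))
    for ip, user in logins:
        print(f"successful login for {user} from flagged source {ip}")
```

On the constructed events, the rule flags one source that failed against five different accounts within three seconds and then succeeded against a sixth; that success is the event worth alerting on, since it is the point at which a spray turns into a takeover. Keying on distinct usernames rather than total failures keeps ordinary users who mistype a password out of the alert stream.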