Cyberthreats
directed
towards
the
financial
services
and
insurance
industry
has
grown
rapidly
over
the
course
of
2022,
driven
by
digital
transformation
and
regulation
such
as
open
banking,
according
to
new
research
from
Imperva.
Imperva
Threat
Research
found
that
more
than
a
quarter
of
all
cyberattacks
(28%)
hit
FSI
businesses,
double
that
of
the
next
most-targeted
sector.
Application
Programming
Interface
(API)
abuse,
DDoS
attacks,
and
bad
bots
were
the
three
of
the
biggest
cybersecurity
challenges
for
the
industry.
The
growing
risk
associated
with
API-related
security
threats
should
be
particularly
concerning
for
the
financial
services
industry,
as
APIs
are
the
invisible
connective
tissue
that
enables
applications
to
share
data
and
‘talk’
to
each
other.
Imperva
Threat
Research
found
that
30%
of
all
API
traffic
in
this
industry
goes
through
shadow
APIs,
which
represents
a
major
security
risk
for
businesses.
Shadow
APIs
are
ones
which
are
unsupervised
or
outside
of
the
security
team’s
visibility,
yet
connect
directly
to
backend
databases
where
sensitive
data
is
stored.
In
recent
years,
hackers
have
increasingly
targeted
APIs
as
a
pathway
to
the
underlying
infrastructure
to
exfiltrate
sensitive
information,
with
one
in
every
13
cyber
incidents
estimated
to
be
related
to
API
insecurity.
Since
2018,
open
banking
has
required
banks
and
other
financial
businesses
to
allow
third-party
providers
access
to
customers’
banking
data
through
APIs,
dramatically
increasing
the
amount
of
sensitive
financial
data
they
exchange.
Open
banking
and
digital
transformation
have
significantly
increased
the
amount
of
APIs
in
use
in
the
financial
services
industry.
Nearly
half
of
all
businesses
have
between
50-500
deployed,
while
many
large
enterprises
already
have
over
a
thousand
active
APIs.
The
scale
of
unmonitored
API
traffic
is
substantially
higher
than
in
other
industries,
suggesting
that
FSI
companies’
implementation
of
open
banking
standards
may
have
inadvertently
created
a
serious,
industry-wide
security
threat.
“The
scale
of
the
shadow
API
problem
should
be
a
concern
for
every
business,”
says
Andy
Zollo,
RVP
for
EMEA
at
Imperva.
“The
idea
that
a
third
of
all
that
traffic
is
going
unmonitored
shows
that
organisations
urgently
need
to
address
their
API
protection
strategies,”
he
says.
“APIs
connect
directly
to
the
data
layer,
so
businesses
have
to
see
API
security
as
an
extension
of
their
data
security
strategy.
Every
organisation
needs
full
visibility
over
every
API
in
their
environment,
what
data
is
flowing
through
each
one,
and
who’s
accessing
it.”
A
second
key
threat
for
FSI
businesses
is
bad
bots.
Bad
bots
–
automated
software
applications
created
with
malicious
intent
–
made
up
more
than
a
quarter
(27%)
of
all
traffic
to
FSI
businesses
last
year,
in
line
with
the
average
across
industries.
Account
takeover
(ATO),
a
common
bot
attack,
heavily
targets
the
FSI
industry,
with
almost
40%
of
all
ATO
hitting
a
financial
site.
About Author
