# Security for Financial Services
## Definition
Financial services security is the discipline of protecting banks, credit unions, investment firms, insurance companies, payment processors, and fintech companies from a threat landscape that is more targeted, more persistent, and more financially motivated than almost any other sector. Finance is not a vertical where security is generally useful; it is a vertical where security is existential.
The defining characteristic of financial services security is the convergence of three conditions that appear together in almost no other industry. First, the data is immediately monetizable: account credentials can be liquidated within hours of theft through fraudulent transfers, wire fraud, or cryptocurrency conversion. Second, the regulatory environment is among the most complex of any sector, spanning federal banking regulators, state authorities, card brands, and international frameworks. Third, the availability requirement is near-absolute: financial systems cannot be offline in ways that equivalent enterprise systems can tolerate. Every minute of downtime has a quantifiable cost, measured in lost transactions, regulatory exposure, and customer attrition.
Security for financial services organizations is not a version of general enterprise security with a compliance module added. It is a distinct operational discipline that requires deep familiarity with transaction architectures, regulatory examination cycles, legacy system constraints, and an adversary community that treats financial institutions as primary targets rather than opportunistic ones.
Within CDA's Planetary Defense Model, financial services security engages all six domains simultaneously. The core (DPS) holds account data, transaction records, and market-moving information. The surface (VSD) is expansive: open banking APIs, trading platforms, mobile applications, and ATM networks. The terrain (SPH) includes legacy COBOL mainframes alongside modern cloud workloads. The civilization layer (IAT) must authenticate both internal users and external customers at scale. The atmosphere (TID) must detect fraud, account takeovers, and APT intrusions in a data environment that generates millions of legitimate transactions daily. And the outer space of governance (RGA) must satisfy a regulatory stack that no other vertical matches.
---
## The Threat Landscape
### Nation-State Actors: Financial Theft at Scale
The most sophisticated financial services threats come from nation-state actors with specific financial mandates, not intelligence objectives.
APT38 (DPRK/Lazarus Group) is the most prominent example. Operated by North Korea's Reconnaissance General Bureau, APT38 has stolen an estimated $2 billion from financial institutions through SWIFT system compromises, and more recently has pivoted to cryptocurrency exchange attacks responsible for billions more. The Lazarus Group's 2016 attack on Bangladesh Bank, where it compromised the bank's SWIFT credentials and attempted to transfer $951 million (successfully extracting $81 million before errant spelling in a transfer message triggered suspicion), remains the canonical case study in nation-state financial cyber operations. These are not opportunistic attacks. APT38 conducts months-long reconnaissance before initiating transfers.
Sandworm (Russia/GRU) and associated groups have demonstrated the capability to cause systemic disruption to financial infrastructure, as evidenced by the NotPetya attack (2017) which devastated financial firms in Ukraine before spreading globally and causing an estimated $10 billion in damage.
### Organized Cybercrime: Persistent and Adaptive
FIN7 (also known as Carbanak) remains one of the most prolific financial cybercriminal organizations. Originating in Eastern Europe, FIN7 is responsible for over $1 billion in theft from retail and financial service targets through point-of-sale (PoS) malware and spear-phishing campaigns targeting financial operations staff. FIN7's tradecraft includes months of dwell time inside victim networks before initiating cash-out operations.
FIN12 specializes in ransomware targeting high-value organizations, with partnerships (Ryuk, ALPHV/BlackCat) that have produced ransoms exceeding $10 million per incident against financial sector targets.
Business Email Compromise (BEC) targeting wire transfers accounts for the largest single category of financial cybercrime losses. The FBI's 2023 Internet Crime Report documented $2.9 billion in BEC losses. BEC does not require technical sophistication; it requires convincing email spoofing and knowledge of payment approval workflows.
### Insider Threats and Market Manipulation
The financial sector faces a category of insider threat that does not exist in other industries: theft of market-moving information for trading advantage. Cyber espionage targeting M&A departments, earnings data, or regulatory decision-making can be monetized through options trades before the information becomes public. The SEC has pursued multiple cases where hackers compromised SEC EDGAR filing systems or corporate networks to extract earnings information before public disclosure, trading on that information for millions in illegal profits.
---
## Industry-Specific Challenges
**Real-time transaction systems and the availability imperative.** Financial systems are not designed for downtime. A major payment processor handling 10,000 transactions per second generates a direct cost of hundreds of thousands of dollars per minute during an outage, before accounting for regulatory exposure and customer impact. This availability requirement shapes every security decision: controls that introduce latency or create single points of failure are not acceptable at the speed of financial transactions. Security operations teams at financial institutions run higher alert thresholds than equivalent teams in other industries precisely because false positives that interrupt transaction processing have immediate, measurable business consequences.
**Legacy core banking platforms.** The majority of the world's banking transactions still run on COBOL applications on IBM mainframe systems originally developed in the 1970s and 1980s. Patching these systems is not a matter of applying an update; it requires regression testing across interconnected systems that may number in the hundreds, often conducted over multi-year cycles. These platforms cannot be replaced quickly or cheaply (estimates for core banking modernization at a mid-sized U.S. bank range from $100 million to over $1 billion), so security teams must defend them in place. This means network isolation, compensating controls, and monitoring at the interface layer rather than within the system itself.
**Third-party fintech integration risk.** Open banking APIs, embedded finance, and buy-now-pay-later integrations have expanded the attack surface of traditional financial institutions dramatically. A community bank using a fintech vendor for digital account opening has now extended its CDE and PII environment to a third party whose security controls may not meet the bank's own standards. Regulators have noticed: the FFIEC's 2023 guidance on third-party risk management significantly expanded expectations for ongoing monitoring of fintech partners.
**Regulatory examination cadence.** Financial institutions face OCC, FDIC, Federal Reserve, state regulator, and card brand examinations on overlapping 12-to-24-month cycles. Each cycle produces findings that must be remediated before the next examination. Financial services compliance is a continuous operational cycle, not a project.
---
## All Six PDM Domains for Financial Services
### DPS (Data Protection and Sovereignty): The Geological Core
Financial services organizations hold three categories of particularly sensitive data: account and payment data (governed by PCI DSS and Gramm-Leach-Bliley), personally identifiable information (governed by state privacy laws, GLBA Safeguards Rule, and GDPR for EU customers), and non-public information (NPI) including trading data, M&A information, and regulatory filings. CDA's Sovereign Data Protocol (SDP) for financial services requires data classification that reflects regulatory sensitivity, not just internal confidentiality levels. A customer's account balance is Confidential under the organization's classification scheme. An analyst's research note on an upcoming earnings announcement may be material, non-public information (MNPI) with legal trading restrictions attached.
### VSD (Vulnerability and Surface Defense): The Oceans
The attack surface of a financial institution has expanded dramatically over the last decade. Open banking APIs create externally facing endpoints that must be continuously tested. Mobile banking applications represent high-value targets because they provide authenticated access to account functions. ATM networks, branch systems, trading terminals, and digital onboarding platforms each represent distinct attack surface segments. CDA's Continuous Surface Reduction (CSR) methodology for financial services begins with an attack surface inventory that treats each integration point (not just each system) as a potential entry. API security testing, mobile application penetration testing, and continuous vulnerability scanning are not compliance activities. They are the operational baseline for surface management in a sector where adversaries are actively researching exploitable gaps.
### SPH (Security Posture and Hygiene): The Terrain
Financial institutions operate a terrain with unusual complexity: COBOL mainframes coexist with Kubernetes clusters; branch workstations run Windows versions that cannot be updated without vendor recertification; trading desks run specialized platforms with their own baseline requirements. CDA's Autonomous Posture Command (APC) for financial services builds separate hardening baselines for each asset class rather than applying a single enterprise standard. APC in finance also requires exception management workflows that can accommodate the extended testing cycles required for core banking platforms.
### IAT (Identity Access and Trust): Civilization
Financial institutions must manage identity at two distinct scales: internal employees and external customers (potentially millions). MFA for retail banking customers must balance security with usability; abandonment rates during authentication flows directly impact revenue. For internal users, CDA's Zero Possession Architecture (ZPA) applies cleanly: privileged users require hardware security keys, trading system access requires time-bounded session tokens, and any administrative action on core systems requires dual-party authorization. The SWIFT Customer Security Programme (CSP) mandates specific IAT controls for SWIFT participants as contractual requirements, not aspirational guidelines.
### TID (Threat Intelligence and Defense): The Atmosphere
Detection in financial services is complicated by volume. A large bank's security operations center may process billions of events per day across transaction monitoring systems, network telemetry, endpoint agents, and application logs. Distinguishing an account takeover attempt from legitimate customer behavior in that volume requires behavioral analytics, not just signature-based detection. Financial institutions are among the most active participants in threat intelligence sharing through FS-ISAC (Financial Services Information Sharing and Analysis Center), which provides sector-specific threat intelligence including indicators of compromise (IoCs) from active campaigns against financial targets. CDA's Predictive Defense Intelligence (PDI) methodology for financial services integrates FS-ISAC feeds with internal behavioral analytics to create a threat picture that is specific to financial sector adversary behavior, not generic enterprise threat patterns.
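Behavioral scoring of the kind this paragraph contrasts with signature detection, as an added example that is not CDA's PDI tooling or an FS-ISAC product: it replays a constructed login stream in Python and raises an account-takeover alert only when several deviations from the customer's own baseline coincide, and it refuses to score customers that have no baseline yet. The event fields, feature weights, warm-up count and threshold are assumptions chosen for the illustration.

```python
"""Behavioral account-takeover (ATO) scoring over a constructed login stream.
Added illustration (not CDA or FS-ISAC code). Each successful login is scored
against the customer's OWN history (devices, countries, usual hours, recent
failures) instead of a static signature; weights and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

WARMUP_SUCCESSES = 3               # prior successes needed before a profile is scored against
ALERT_THRESHOLD = 5                # combined score at which a successful login becomes an alert
FAIL_WINDOW = timedelta(minutes=5)  # how long a failed attempt counts as "recent"

# Constructed sample events, not real telemetry: (customer, ISO time, device, country, success)
EVENTS = [
    ("c1001", "2024-03-04T08:02:00", "dev-A", "US", True),
    ("c1001", "2024-03-05T08:10:00", "dev-A", "US", True),
    ("c1001", "2024-03-06T07:58:00", "dev-A", "US", True),
    ("c1001", "2024-03-07T03:14:00", "dev-Z", "RO", False),   # burst of failures at 3 a.m.
    ("c1001", "2024-03-07T03:14:40", "dev-Z", "RO", False),
    ("c1001", "2024-03-07T03:15:10", "dev-Z", "RO", True),    # then a success: takeover pattern
    ("c2002", "2024-03-07T09:00:00", "dev-B", "GB", True),    # brand-new customer, no baseline
    ("c2002", "2024-03-07T11:00:00", "dev-C", "GB", True),    # new device, but nothing to compare to
    ("c3003", "2024-03-01T12:00:00", "dev-D", "US", True),
    ("c3003", "2024-03-02T12:30:00", "dev-D", "US", True),
    ("c3003", "2024-03-03T13:00:00", "dev-D", "US", True),
    ("c3003", "2024-03-07T12:10:00", "dev-E", "US", True),    # new phone, same country, usual hour
]

def _hour_distance(a, b):
    """Circular distance between two hours of the day (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def score_events(events):
    """Replay events in time order; return the successful logins that score as ATO alerts."""
    profiles = defaultdict(lambda: {"devices": set(), "countries": set(),
                                    "hours": set(), "successes": 0, "fails": []})
    alerts = []
    for cust, ts, device, country, ok in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        p = profiles[cust]
        p["fails"] = [f for f in p["fails"] if t - f <= FAIL_WINDOW]   # keep only recent failures
        score, reasons = 0, []
        if p["successes"] >= WARMUP_SUCCESSES:          # only score once a baseline exists
            if device not in p["devices"]:
                score += 3; reasons.append("new device")
            if country not in p["countries"]:
                score += 3; reasons.append("new country")
            if len(p["fails"]) >= 2:
                score += 2; reasons.append(f"{len(p['fails'])} failures in last 5 min")
            if all(_hour_distance(t.hour, h) > 2 for h in p["hours"]):
                score += 1; reasons.append("unusual hour")
        if not ok:
            p["fails"].append(t)
            continue
        if score >= ALERT_THRESHOLD:
            # An alerted login is NOT folded into the baseline until step-up verification
            # clears it; otherwise the attacker's device would become "known" immediately.
            alerts.append({"customer": cust, "time": ts, "score": score, "reasons": reasons})
            continue
        p["devices"].add(device); p["countries"].add(country)
        p["hours"].add(t.hour); p["successes"] += 1
    return alerts
```

Run over the sample stream, only c1001's 03:15 login alerts: c2002 is still in warm-up and c3003's new device alone scores below the threshold, which is the false-positive discipline the paragraph describes.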
### RGA (Risk Governance and Assurance): Outer Space
No vertical has a more complex governance layer than financial services. The regulatory stack includes GLBA Safeguards Rule (FTC enforcement for non-bank financial institutions), NY DFS 23 NYCRR 500 (New York's binding cybersecurity regulation with 2023 amendments that expanded CISO reporting and board oversight requirements), PCI DSS for payment processing, SOX for public companies, SEC cybersecurity disclosure rules (effective 2023, requiring material incident disclosure within four business days), FFIEC guidance, state insurance regulations for insurance subsidiaries, and DORA for operations touching the EU after January 2025. CDA's Perpetual Compliance Assurance (PCA) methodology for financial services builds a regulatory inventory as a prerequisite: which regulations apply given this organization's business model, geography, and customer type? Then PCA maps each regulation's requirements to PDM domains and identifies overlapping controls (one control that satisfies requirements from three different regulations) to reduce compliance cost.
---
## The CDA Financial FRM
CDA's Foundational Risk Map (FRM) has a financial services variant that incorporates five assessment modules not present in the standard FRM:
- **PCI Scope Assessment:** Map all systems touching payment data, identify CDE boundaries, evaluate tokenization and P2PE opportunities for scope reduction.
- **Regulatory Landscape Mapping:** Given the organization's business activities, customer types, and geography, identify which of the following apply: GLBA Safeguards, NY DFS 500, PCI DSS, SOX, SEC disclosure rules, FFIEC guidance, DORA, state insurance regulations. Output is a regulatory matrix showing applicable requirements and which PDM domains they govern.
- **Third-Party Fintech Risk Assessment:** Enumerate all fintech integrations and API connections; evaluate each for data access scope, security certification status (SOC 2 Type II is the standard expectation), contractual security requirements, and incident notification provisions.
- **Trading System Resilience Assessment:** For organizations with trading operations, evaluate market data feed security, trading platform access controls, order management system logging, and market manipulation monitoring capabilities.
- **SWIFT Security Controls Assessment:** For SWIFT participants, assess compliance with all mandatory SWIFT Customer Security Programme (CSP) controls across the eight mandatory security objectives.
The Shield visualization from a Financial FRM shows the full six-ring PDM diagnostic, with the most common gap patterns in financial services appearing as amber or red segments in TID (insufficient behavioral analytics and threat intelligence integration) and VSD (API attack surface not fully inventoried or tested).
---
## Five First Actions for Financial Services
These are not generic security recommendations. They are the five actions that, in CDA's assessment experience, produce the highest risk reduction in the shortest time for financial services organizations that are beginning a security improvement program.
1. **Conduct a payment scope assessment before anything else.** If your organization handles card data, the CDE defines the most heavily regulated and most targeted subset of your environment. Understanding its exact boundaries, and reducing them through tokenization where possible, is the highest-ROI first step for most financial institutions.
2. **Implement hardware MFA for all privileged access to financial systems.** TOTP-based authenticator apps are better than passwords. FIDO2 hardware keys are better than TOTP. The SWIFT CSP and NY DFS 500 both require MFA for privileged access. Starting with hardware keys for the accounts that can authorize wire transfers or modify core banking configuration eliminates the credential-theft vector that APT38 and FIN7 consistently exploit first.
3. **Map your third-party fintech integrations and obtain SOC 2 Type II reports.** Most financial institutions have added fintech integrations faster than their vendor management programs can evaluate them. A quick inventory of API connections and a collection of current SOC 2 Type II reports will surface the most visible supply chain gaps within 30 days.
4. **Establish FS-ISAC membership and integrate threat intelligence feeds into your SOC.** FS-ISAC intelligence is sector-specific and operationally actionable. Adversaries that have targeted other financial institutions are active; their TTPs and IoCs circulate through FS-ISAC before they reach public threat intelligence platforms.
5. **Review your NY DFS 500 compliance status (or equivalent state cybersecurity regulation) against the 2023 amendments.** The 2023 amendments introduced senior governing body reporting requirements, stricter CISO accountability provisions, and new incident notification timelines. Many organizations that were compliant under the original 2017 regulation have gaps under the amended requirements.
---
## CDA Engagement by Organization Type
**Community bank (under $1B assets):** GLBA Safeguards compliance, core banking platform posture, and third-party vendor risk management. Limited internal security resources mean a C-RECON engagement must produce a prioritized list executable by a small IT team.
**Regional bank ($1B-$50B assets):** Regulatory examination preparation (OCC or FDIC on 18-month cycles), SOC and SIEM maturity, and operational resilience testing aligned to FFIEC guidance. Regional banks typically have security programs but lack the behavioral analytics needed to detect sophisticated account takeover scenarios.
**Fintech startup:** SOC 2 Type II preparation (required by every enterprise buyer), PCI DSS for payment processing, and a security program architecture that does not require a complete rebuild at Series B or C funding rounds.
**Asset manager or investment firm:** MNPI protection (regulatory exposure from cyber-enabled insider trading can exceed direct financial loss), SEC cybersecurity disclosure readiness, and trading system integrity monitoring.
**Insurance company:** State insurance cybersecurity regulations (NAIC model law adoption), policyholder PII protection, and claims system integrity to detect fraudulent claims enabled by compromised account access.
---
## Key Takeaways
- Financial services organizations face a threat landscape defined by nation-state actors with explicit financial theft mandates (APT38/Lazarus targeting SWIFT and crypto), organized cybercrime groups with deep operational sophistication (FIN7, FIN12), and BEC campaigns targeting wire transfer authorization workflows. Generic enterprise security is insufficient.
- The regulatory stack is unique: GLBA, NY DFS 500, PCI DSS, SOX, SEC disclosure rules, FFIEC guidance, DORA, and state insurance regulations may all apply simultaneously. Identifying which regulations apply to a specific organization is itself a security planning prerequisite.
- Availability is a security constraint, not just an operational one. Controls that introduce unacceptable latency or single points of failure into transaction processing paths will not be adopted, regardless of their security merit. Security programs in finance must be designed around this constraint.
- Legacy core banking platforms running COBOL on mainframes cannot be patched on standard enterprise cycles. Compensating controls, network isolation, and interface-layer monitoring are the practical options. Accepting this reality and building controls accordingly produces better outcomes than pretending modernization is imminent.
- CDA's Financial FRM variant assesses all five dimensions specific to this vertical (PCI scope, regulatory landscape, fintech third-party risk, trading system resilience, SWIFT controls) and produces a Shield visualization that connects financial services-specific gaps to the six PDM domains that own remediation responsibility.
---
## Related Articles
- PCI DSS 4.0 [F-PCI4]
- DORA Regulation [F130]
- NIS2 Directive [F131]
- SEC Cybersecurity Disclosure Rules [F132]
- Security for Healthcare
- Security for Legal Services
- Supply Chain Risk Management
- Business Email Compromise (BEC)
- SWIFT Customer Security Programme
---
## Sources
FS-ISAC. Annual Cybercrime Report: Financial Services Threat Landscape. FS-ISAC, 2023. https://www.fsisac.com/
FBI. Internet Crime Report 2023. Federal Bureau of Investigation, 2024. https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf
Federal Trade Commission. Safeguards Rule (16 CFR Part 314), Amended 2023. FTC, 2023. https://www.ftc.gov/legal-library/browse/rules/safeguards-rule
New York State Department of Financial Services. 23 NYCRR 500: Cybersecurity Requirements for Financial Services Companies, as amended November 2023. NYDFS, 2023. https://www.dfs.ny.gov/industry_guidance/cybersecurity
SWIFT. Customer Security Programme (CSP) Controls Framework v2024. SWIFT, 2024. https://www.swift.com/myswift/customer-security-programme-csp
CDA, LLC. Foundational Risk Map (FRM): Financial Services Variant. Internal Reference.
Written by Evan Morgan