Case studies

How banking and payments companies are tackling cybersecurity challenges


Visa partners with Expel to combat cyber threats

Businesses are grappling with the increasing frequency and sophistication of cyber-attacks. Visa estimates that global cyber threat mitigation costs will reach around $10.5 trillion by 2025 and that businesses are losing over $4 million annually, on average, to cybercrime.   

In response, in October 2023, Visa partnered with Expel, a security operations provider that offers managed detection and response (MDR) and phishing support. The collaboration sought to equip Visa’s clients with proactive security measures, transitioning them from reactive approaches to risk-based decision-making frameworks and offering them 24/7 monitoring and incident response. Expel's MDR capabilities prioritize detections based on a client’s critical assets, significantly reducing response times and mitigating potential threats before they escalate. This focus also helped Expel enhance visibility across several attack surfaces such as on-premises infrastructure and software-as-a-service applications. This partnership was initially rolled out to Visa’s clients in the US and Canada, with plans for a global expansion.

Mastercard’s Cyber Quant platform enhances cybersecurity risk assessment

Companies, particularly those from the banking sector, are constantly faced with evolving digital threats. This prompts them to seek new ways of protecting valuable assets such as intellectual property and customer data. Additionally, small and medium-sized enterprises struggle to quantify cyber risks in monetary terms, making it difficult to justify new cybersecurity investments. As risks evolve, platforms that enable visibility across several assets and threats will become crucial for assessing and managing cyber risks.  

In May 2020, Mastercard launched its Cyber Quant platform, a cyber risk quantification solution that helps companies assess their cyber threat exposure and subsequently develop a more robust risk posture. The launch was facilitated by Mastercard’s acquisition of Cytegic in the same month. Mastercard had already offered Cytegic’s cyber risk management solution through its Cyber Security Services division and chose to acquire the company.  

Cyber Quant seeks to answer four key questions for a company: 

  • Which security gaps pose the greatest threat? 

  • What is the potential financial impact of cybersecurity risks? 

  • How can potential cybersecurity investments be identified? 

  • How can the cyber threat landscape be integrated into risk assessments? 

The platform does this by performing three core functions: pinpointing and assessing security gaps, quantifying cyber risks as dollar values, and providing recommendations. This allows businesses to understand their digital vulnerabilities from a financial standpoint and thus prioritize potential future investments. 

Before starting an assessment, clients first need to set up a company profile by entering details about their company’s business environment and technology stack. Following this, clients can prompt the platform to create a cyber risk assessment, with all the contextual threat landscape data provided by Mastercard. Assessment is performed using various questionnaires that clients must fill out. Insights from the questionnaires are used to process security configuration data and understand security gaps as per best practices. Once an assessment is finished, a client will have full visibility over the risk posture of their organization.  

Cyber Quant also offers simulation capabilities, allowing clients to vary input parameters to conduct sensitivity analyses, which helps them understand how changes in their business will impact their cyber threat resilience and financial risk scores. Mastercard Data & Services, the company’s consulting arm, also wraps advisory services around the platform to help companies integrate the product alongside their existing security controls and technology stacks. Mastercard conducts three-week projects with companies to maximize the value of Cyber Quant's output score and minimize the impact of future data breaches.  

Mastercard plans for Cyber Quant to become a one-stop shop for a company’s cyber risk management needs. The solution was initially rolled out to banking and payments companies that were already receiving Mastercard’s core payments products and solutions, but the company has since expanded into other industries such as technology, healthcare, and the public sector. Mastercard also sees future potential for the platform to incorporate information from governance, risk management, and compliance (GRC) tools to perform additional risk analyses and vice versa.  

HSBC joins the Quantum Secure Metro Network

Quantum computers, should they achieve sufficient size and power, could break the encryption methods currently used by banks to secure financial data and transactions, such as Advanced Encryption Standard, Rivest-Shamir-Adleman, and Diffie-Hellman. This makes banks susceptible to a form of cyber-attack known as “Harvest Now, Decrypt Later”, whereby adversaries store encrypted data over extended periods until they can decrypt it in the future using quantum computers. HSBC holds a large amount of sensitive data, with nearly 42 million customers across 62 countries and territories, and is consequently exploring solutions to protect against quantum threats.

In July 2023, HSBC became the first bank to commercially trial the Quantum Secure Metro Network (QSMN), a project led by BT and Toshiba that uses quantum key distribution (QKD) to secure data transmission between customer sites in London. QKD is a method of encryption that uses the properties of quantum particles to create a key for encrypting and decrypting messages. The key is transferred using entangled qubits, which are units of quantum information that cannot be described independently of each other. Each key is completely random and cannot be predicted or duplicated, making it virtually impossible for anyone to intercept and decode the message. HSBC used the QSMN to transmit test data between its global headquarters in Canary Wharf and a data center in Berkshire, 38.5 miles away. QKD was trialed in multiple scenarios including financial transactions, secure video communications, and one-time-pad encryption.  

After a successful first trial in December 2023, HSBC conducted further testing of QKD to protect a foreign exchange trading scenario in December 2023. The bank safeguarded a simulated $32 million (EUR30 million) trade from euros to US dollars using its HSBC AI Markets trading terminal. HSBC plans to share insights about its quantum cybersecurity approach with other banks in the future to help counter the threat of quantum computing on the global financial system.  

BBVA uses behavioral economics to boost cybersecurity training participation

While many cyber-attacks across the banking sector are a result of technological vulnerabilities, a significant proportion stem from human behavior. Phishing scams target banking customers and employees by capitalizing on cognitive biases such as impulsivity and inattentiveness as well as an overall lack of cybersecurity awareness. As such, understanding human behavior has become essential for developing effective cybersecurity strategies.  

BBVA has set out to use behavioral economics techniques to encourage employee participation in cybersecurity and phishing training. The bank has been investing in the concept since 2017 when it established its Behavioral Economics Team, which studies how people make decisions and what obstacles prevent them from making good ones in a financial context. In 2019, BBVA collaborated with Oracle to launch its Behavioral Economics Learning Algorithm (BELA) tool. BELA identifies the cognitive mechanisms that are most relevant when generating a marketing campaign for different targets using machine learning algorithms. In August 2023, BBVA used the tool to investigate which behavioral assumptions worked best among its employees when sending emails to market cybersecurity training. It did this by analyzing the kinds of messages that are most effective in increasing interest in training courses.  

The team found that messages highlighting the agility and speed in completing phishing training almost doubled interest in the course. Additionally, messages targeting curiosity and ego increased visits to the training page by up to 70%. The initiative was also recognized by the Global Association of Applied Behavioral Scientists at its 2023 awards.  

Thales collaborates with Fingerprints on its biometric payment card

Many banking customers are concerned about the lack of security in traditional payment methods that rely on PIN codes or signatures. In addition, the cumbersome nature of managing multiple passwords exacerbates these concerns, leading to a demand for more secure and convenient payment methods.

In December 2023, Thales collaborated with Fingerprints, a Swedish biometrics company, to launch the fourth generation of its biometric payment card. The newest version integrates Fingerprints’ trademark FPC1300-series T-Shape sensor (T2), which features two rows of components, creating more connection points and making it easier for card manufacturers to align the sensor to a card’s circuitry. This simplifies the production process and reduces the likelihood of errors, subsequently reducing e-waste. Customers place their finger on the sensor while tapping the card on a payment terminal to verify a transaction. The sensor captures the user’s biometric data, matches it with the stored information, and authenticates the payment. As a result, payments that have not been executed by the card’s owner will be blocked. Furthermore, the card can be used on existing point-of-sale systems without requiring upgrades.  

Fingerprints has looked to partner with major banks to increase the adoption of fingerprint sensors. In March 2024, it collaborated with BBVA to launch Thales’ fourth-generation card in Turkey. The card has also been certified by major Europay, Mastercard, and Visa payment schemes, ensuring it can be used in multiple countries.

GlobalData, the leading provider of industry intelligence, provided the underlying data, research, and analysis used to produce this article. 
