Theme impact

The impact of cybersecurity on the banking and payments sector



Cybersecurity efforts in the banking sector fall into three groups: those mandated by regulation, those regarded as industry best practice, and emerging technologies and initiatives. Currently, a large proportion of banks’ cybersecurity work is driven by the stringent requirements that nation-states place on them rather than by the banks’ own risk assessments.

Regulation

The prominence of cyber-attacks in the banking sector has led to the creation of several cybersecurity regulations, placing constant pressure on banks to maintain robust cybersecurity practices. These regulations have implications for data handling, cyber risk testing, and incident reporting, among other items. Non-compliance with cybersecurity-related regulations will often result in fines for banks, levied by governing authorities.  

For example, in October 2023, Paytm was fined $645,000 (INR53.9 million) by the Reserve Bank of India for not reporting cybersecurity breaches on time. Furthermore, in March 2024, the Italian Data Protection Authority fined UniCredit $3 million (EUR2.8 million) over a 2018 cyber-attack on the bank’s mobile banking platform, which impacted the data of over 750,000 customers.  

Many cybersecurity regulations in the banking sector overlap, making it harder for banks to allocate compliance resources efficiently. A 2023 study conducted by ServiceNow found that 80% of banks struggle with data protection and privacy regulations. In response, most banks prioritize mandatory regulations and give less weight to optional standards such as ISO 27001, which requires organisations to identify and treat threats on a risk basis.  

Implementing optional standards can improve security, but where their control requirements overlap with those of mandatory regulations, the duplicated effort can reduce the overall effectiveness of a bank’s programme. Global banks face the most hurdles, as they must comply with cybersecurity and data handling laws in several jurisdictions. 

Regulatory compliance and reporting also place upward pressure on banks’ operating costs, creating difficulties for smaller banks with lower capital reserves. Such issues have led to calls across the industry for more streamlined cybersecurity regulations. For example, in November 2023, the Bank Policy Institute and the American Bankers Association urged the White House’s Office of the National Cyber Director to take action to address multiple overlapping regulations.  

For an overview of the key cybersecurity-related regulations in the banking sector, download GlobalData’s latest report on cybersecurity in banking and payments.  

Industry best practices

Compliance alone is not enough to achieve cyber-resilience in the banking sector. Banks must also incorporate and execute effective strategies to prevent, identify, and address cyber threats, in addition to recovering from any cyber-related incidents.   

A natural first step for banks is to adopt an internal cybersecurity framework or policy that governs how they will respond to changes in their risk posture. While banks could develop their own frameworks from scratch, many use existing guidelines, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, as a foundation. From there, banks can implement other best practices such as fostering a strong cybersecurity culture, monitoring threats and vulnerabilities, responding swiftly to cybersecurity-related incidents, implementing zero trust architectures, and managing third-party risks.  

Such efforts can also help banks comply with cybersecurity regulations. Some of these practices, such as third-party risk management, are legally required by some regulations but not by others, which is why they have also become best practices across the sector regardless of jurisdiction.  

A best practice that has received significant attention in the last two decades is appointing a chief information security officer (CISO). CISOs are critical to a company’s cyber resilience: they work to understand cyber threats and vulnerabilities and communicate them to key stakeholders across the company. In some cases, a CISO sits on the board of the company they work for, or reports directly to it, allowing them to put their findings to other executives without intermediaries.  

Emerging technologies and initiatives

Many banks are exploring the prospect of using other technologies alongside existing security controls to improve their risk postures and protect against potential future threats.   

While AI is being used by malicious actors to increase the sophistication of cyber-attacks, several banks are using AI to strengthen their own defences. For example, Nubank offers what it calls Intelligent Defenses, an AI-based protection system that recognizes, alerts on, and can block transactions that deviate from the customer’s purchasing patterns. The rise of generative AI has opened up further opportunities for banks to build secure digital environments. For example, some banks, including Wells Fargo, are training AI models on synthetic data, meaning data generated artificially by algorithms rather than produced by real-world events. Synthetic data supplies examples of rare scenarios that are underrepresented in real logs, which models need in order to learn the underlying patterns rather than just the common cases. For instance, generative AI can produce realistic emails that mimic spear phishing attacks, allowing security teams to train models that detect fraudulent emails more reliably and with fewer false positives. A test run by Nvidia in December 2023 demonstrated that, with just 24 hours of training, synthetic data can produce a 20% improvement in a model’s ability to detect phishing attempts.  
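The transaction check described above (flag or block payments that deviate from a customer’s own purchasing pattern) reduces to a per-customer baseline plus a scoring rule. The following is an added example written for this page, not Nubank’s or any bank’s code: it builds a baseline from each customer’s history, scores a new transaction on amount, merchant category, country and time of day, and maps the score to allow, alert (step-up authentication) or block. The weights, thresholds and the sample transactions are constructed, illustrative assumptions.

```python
"""Per-customer transaction anomaly scoring (added example, not a bank's code).

Assumptions: scoring weights, the ALERT_AT/BLOCK_AT thresholds and the
HISTORY sample data below are illustrative and constructed for this page.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    customer: str
    amount: float        # in the customer's account currency
    merchant_cat: str    # merchant category, e.g. "grocery"
    country: str         # ISO 3166 alpha-2 code of the merchant
    hour: int            # local hour of day, 0-23


@dataclass
class Profile:
    amounts: list = field(default_factory=list)
    categories: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    hours: set = field(default_factory=set)


def build_profiles(history):
    """Aggregate each customer's past transactions into a per-customer baseline."""
    profiles = defaultdict(Profile)
    for t in history:
        p = profiles[t.customer]
        p.amounts.append(t.amount)
        p.categories.add(t.merchant_cat)
        p.countries.add(t.country)
        p.hours.add(t.hour)
    return dict(profiles)


def _hour_distance(h, usual_hours):
    """Circular distance in hours from h to the nearest hour the customer usually transacts at."""
    return min(min(abs(h - u), 24 - abs(h - u)) for u in usual_hours)


def score(txn, profile):
    """Score one transaction against the customer's baseline. Returns (points, reasons)."""
    points, reasons = 0.0, []
    mu = mean(profile.amounts)
    sigma = pstdev(profile.amounts) or 1.0   # flat history: avoid division by zero
    z = (txn.amount - mu) / sigma
    if z > 3:                                # far above the customer's usual spend
        points += 2
        reasons.append(f"amount {z:.1f} sd above mean")
    elif z > 2:
        points += 1
        reasons.append(f"amount {z:.1f} sd above mean")
    if txn.merchant_cat not in profile.categories:
        points += 1
        reasons.append(f"new merchant category {txn.merchant_cat}")
    if txn.country not in profile.countries:
        points += 2
        reasons.append(f"new country {txn.country}")
    if _hour_distance(txn.hour, profile.hours) > 3:
        points += 1
        reasons.append(f"unusual hour {txn.hour:02d}:00")
    return points, reasons


ALERT_AT, BLOCK_AT = 2, 4   # illustrative thresholds (assumption)
MIN_HISTORY = 5             # below this, the baseline is too thin to trust


def decide(txn, profiles):
    """Map a transaction to 'allow', 'alert' or 'block'. Unknown or thin history => alert."""
    p = profiles.get(txn.customer)
    if p is None or len(p.amounts) < MIN_HISTORY:
        return "alert", 0.0, ["insufficient history: step up authentication"]
    points, reasons = score(txn, p)
    if points >= BLOCK_AT:
        return "block", points, reasons
    if points >= ALERT_AT:
        return "alert", points, reasons
    return "allow", points, reasons


# Constructed sample history for one customer: small everyday purchases in Brazil, daytime.
HISTORY = [
    Txn("c1", 32.0, "grocery", "BR", 8), Txn("c1", 45.5, "transport", "BR", 12),
    Txn("c1", 28.0, "grocery", "BR", 13), Txn("c1", 51.0, "pharmacy", "BR", 18),
    Txn("c1", 39.0, "grocery", "BR", 19), Txn("c1", 44.0, "transport", "BR", 20),
    Txn("c1", 30.5, "grocery", "BR", 9), Txn("c1", 60.0, "pharmacy", "BR", 14),
]
PROFILES = build_profiles(HISTORY)

if __name__ == "__main__":
    for t in (Txn("c1", 38.0, "grocery", "BR", 12),          # routine purchase
              Txn("c1", 95.0, "restaurant", "BR", 21),       # larger, new category
              Txn("c1", 2400.0, "electronics", "RO", 3),     # new country, 3 a.m., huge amount
              Txn("c9", 10.0, "grocery", "BR", 12)):         # customer with no history
        print(t.customer, t.amount, decide(t, PROFILES))
```

The design point is that the baseline is per customer, not global: a €95 restaurant bill is unremarkable in aggregate but is several standard deviations above this customer’s own spend, so it earns a step-up challenge rather than a silent allow. Customers with no or thin history are routed to alert rather than allow, because a model with no baseline cannot distinguish a first-time user from an attacker who has just opened a mule account. Production systems add many more signals (device, velocity, merchant risk), but the allow/alert/block tiering and the cold-start handling carry over unchanged.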

Biometric authentication systems have become commonplace in the banking sector. In particular, payment processors have integrated biometrics into digital and physical payment interfaces. At the most basic level, fingerprints are frequently used to verify a customer’s identity. In February 2024, BBVA’s Turkish unit launched its Bonus Platinum Biometric Card, which lets users authorise payments by scanning their fingerprint on a sensor built into the card.  

Some companies have also started experimenting with iris scans, which are considerably harder to counterfeit than a password or a fingerprint, though not immune to presentation attacks using printed images or patterned contact lenses. For example, Worldcoin, Sam Altman’s crypto venture, verifies a user’s identity by scanning their iris to create a personal, unique identification code before issuing its native cryptocurrency. However, such practices raise concerns over how biometric data is collected, stored and handled: unlike a password, a compromised iris or fingerprint template cannot be reissued. For more advanced biometric identification methods to become widely accepted, significant and explainable guardrails will need to be implemented to ensure biometric data is properly protected.  

Examples of other initiatives include using behavioral science to help customers and employees better understand and protect against phishing attacks, and taking preemptive measures such as migrating to quantum-resistant cryptography to protect data that could be harvested today and decrypted once quantum computers mature.  

How banking and payments companies should invest in cybersecurity

The matrix below details the areas in cybersecurity where companies operating in the banking and payments sector should focus their time and resources. Banking and payments companies should invest in technologies shaded green, explore the prospect of investing in technologies shaded in yellow, and ignore areas shaded in red.

The actors and vehicles of a cyberattack are many and varied. The actors include careless or untrained employees (human error), external attackers, and malicious insiders. The vehicles of an attack include cloud and mobile services, operational technology, physical and virtual systems, and web applications, all of which banks use to run their business processes. Such threats are exacerbated by the sector’s growing dependence on digital interfaces. Because the segments of the cybersecurity value chain are interconnected, GlobalData recommends that banks invest in almost all of them.   

Banks do not need to specialize in chip-based security: designing semiconductors in-house, particularly ones that are secure by design, would be unnecessarily complex and costly for a bank. Instead, they should partner with leading vendors such as AMD, Intel, and Nvidia to integrate this technology into their cybersecurity investments. Tech companies like Samsung Electronics, which design and produce secure chips and also offer payment services, are well placed to incorporate chip-based security in a financial context.  

Banks have always placed a strong focus on providing tech-oriented services, and this ethos has extended toward cybersecurity initiatives. Some banking and payments companies are acquiring specialist cybersecurity vendors to offer clients the same platforms and technologies that they use internally to promote online safety. Furthermore, many banking companies have started focusing on providing services to small-to-medium enterprises, which often lack the adequate resources to develop a resilient risk posture.  

New vulnerabilities emerge constantly and can be difficult to fix. The challenge for banks’ security teams is knowing which systems are likely to be affected when an unexpected vulnerability comes to light. Questions that typically need answering include: who is leading our response; how will we know if we are being attacked; how should we respond; what is the impact on our key providers; are they covering themselves; and, most importantly, when did we last test our business continuity plans and crisis response protocols? A major part of a bank’s reputation rests on its ability to prevent and counter cybercrime. 

GlobalData, the leading provider of industry intelligence, provided the underlying data, research, and analysis used to produce this article. 

GlobalData’s Thematic Intelligence uses proprietary data, research, and analysis to provide a forward-looking perspective on the key themes that will shape the future of the world’s largest industries and the organisations within them.