The Cybersecurity Risks Financial Institutions Face in the Wake of Industry-Wide M&A Activity

With persistently high inflation, concerns about a looming recession, record vacancy in corporate real estate, and lingering doubts about the health of mid-sized banks, there’s a lot of uncertainty facing financial institutions. The collapse of both Silicon Valley Bank and First Republic Bank this spring set off fears of a system-wide crisis. In the months that followed the collapse of those banks, there’s been a lot of discussion about ways regulators and other stakeholders can strengthen our financial system. However, there’s been startlingly little discussion of the cyber security risks that often accompany times of upheaval and M&A. The tremors from the collapse of Silicon Valley Bank generated a seismic wave that criminals can ride. Following the bank’s collapse, security researchers reported a surge in fake domains, phishing attempts, and even business email compromise impersonating SVB customers, demanding payments, and transfers to new, illegal accounts.

The Perfect Storm

In any industry, M&A activity can create a nexus of frenetic activity that forms fissures cyber criminals can exploit. Competing priorities, new transactions and communication channels often quickly upend common procedures and can lead to the creation of new cybersecurity vulnerabilities. Cybercriminals use the fog of urgent data sharing, new communication patterns and unfamiliar systems to infiltrate businesses, They exploit these vulnerabilities through lingering gaps in security systems, weaknesses in defunct systems, stale accounts, and unwatched security controls, and policy changes not understood by employees and customers.

In fact, after M&As are complete, nearly two-thirds of firms express “buyer’s remorse” due to cybersecurity issues.

Even if the finance industry hadn’t experienced upheaval in 2023, financial institutions would still be particularly vulnerable to emerging threats. Continued digital transformation, including the increased adoption and reliance on online services, make the sector an attractive target for ransomware gangs and other cyber-criminals. The finance sector’s role in supporting the global economy also creates an appealing target for nation-state actors which may have intelligence or economic interests driving their attacks.

Covering The Basics

Knowledge is power, and understanding the most common ways cybercriminals infiltrate financial institutions and how to protect against them can make a big difference. This is especially true during times of change and transition when employees may be stressed, emotional, and more prone to making mistakes. Phishing and spear phishing campaigns, which often rely on social engineering and exploit the human element of the human-computer interaction chain, are a very common tactic for cybercriminals to access financial institutions. In fact, over the past year, 77% of cyber-attacks on financial institutions came from basic web application attacks and system intrusions, according to Verizon’s 2023 Data Breach Investigations Report. The report describes these breaches and incidents as being “largely driven by attacks against credentials, with the attackers then leveraging those stolen credentials to access a variety of different resources.” During times of transition, when employees are coming and going, and systems and departments are being reorganized, companies are particularly vulnerable to these attacks. Phishing lures are not self-obviously fake; they appear legitimate and timely. Fake communications from law firms, log-in invites to file-sharing services, and even related regulatory emails can fool even vigilant employees. Financial institutions can help protect themselves and their employees by analyzing past security incidents at both their company and similar businesses and learning from those mistakes. While cyber threats are constantly evolving, training employees about the dangers of social engineering, and reminding them of an institution’s specific vulnerabilities can be a great preventative measure. Investing in email filtering technologies that can detect and block malicious emails and implementing multi-factor authentication whenever possible can also help financial institutions protect themselves from these attacks.

Managing a Merger

In addition to ensuring that all employees have a basic understanding of how cybercriminals are targeting financial institutions, there are specific steps companies can take during a merger to protect themselves. To reduce the cyber risk associated with a merger, financial institutions should:

• Align security programs around asset protection and obligations
• Assess residual risk from system vulnerabilities or gaps in security programs
• Evaluate risks associated with supply chains and partners

Each one of these areas is a complex set of examinations that require both the buyer and the seller to provide honest disclosure. In controlled M&A (not when a market crisis is the driver) it’s important to engage cyber experts early in the deal, quantify liability and risk, understand the cybersecurity implications of the deal, factor cyber risk into the deal, and transfer liability through insurance and third-parties security agents.

The military has an expression to describe times like these: VUCA. Volatility, Uncertainty, Chaos and Ambiguity. It’s the euphemistic acronym to describe the fog of war. For businesses of all industries, and for their customers and vendors, it’s important to remember that there is something lurking in the fog, and they know how to exploit this cover to infiltrate your business.

Author: Mark Sangster, Vice President and Chief of Strategy at Adlumin