Financial institutions are looking to AI and generative AI to mitigate the rising risk of cyberattacks as fraudsters themselves take advantage of the technology. 

Generative AI has allowed financial institutions to beef up their cybersecurity but has also lowered the barrier of entry for low-skilled adversaries to launch sophisticated attacks, according to cybersecurity company CrowdStrike’s 2024 Global Threat report, published earlier this year. 

This year, cyberattacks are expected to account for $9.2 trillion in losses globally, according to a recent study by software company Kiteworks. 

“The risk of cyberattacks has always been there, but with the technology improvements, what we are seeing is technology helping attackers and defenders at the same time,” Alicja Cade, director of financial services in the office of chief information security officer at Google Cloud, told Bank Automation News. “It’s like fighting fire with fire,” she added.

Reported losses related to cyberattacks have nearly doubled in the U.S. in the past several years, according to an April release by the Federal Bureau of Investigation. Financial institutions are the fifth-largest targeted sector with health care topping the list followed by critical manufacturing and government facilities. 

The following financial institutions are among those that have fallen victim to cyberattacks so far this year: 

• The $2.5 trillion Bank of America reported in May that its cloud provider, Infosys McCamish Solutions, suffered a data breach in which the $2.5 trillion bank lost sensitive information of 57,000 customers. 

• American Express filed a notice with Office of Consumer Affairs and Business Regulations in Massachusetts on March 5 to report a data breach with an unnamed third-party vendor that allowed fraudsters to access 50,000 customers’ account information. 

• The $1.9 trillion Santander Bank filed a notice with the Attorney General’s offices of Maine and Vermont on June 18 to inform regulators that it suffered a data breach in April that resulted in 12,786 customers losing sensitive information to hackers. 

• The $1.6 billion Evolve Bank and Trust reported that it suffered a data breach in late May from cyber-criminal organization Lockbit, which downloaded sensitive customer information, according to an Aug. 6 release. 

AI-driven cyberattacks

Cybersecurity is a main concern for all financial institutions, Russell Barrett, senior executive vice president and chief operations officer at $62 billion Valley Bank, told BAN. 

“I think AI is super critical in fighting cybercrime,” Barrett said. “I think you’ll see most of it for procedures like denial of unauthorized service, stopping a ransomware [attack], especially when you start getting into non-human penetration.” 

AI can help fight automated, machine-generated attacks and reduce manual labor to fend off such threats, Barrett said.  

“We also need to be aware that the bad guys are going to leverage AI with a lot less discipline,” Barrett said. The way in which bad actors work is more “exploratory” than how banks defend themselves, making AI an essential component of future cybersecurity, he added.  

While FIs look to AI to fight crime, fraudsters are tapping the tech for phishing and bot attacks, Google Cloud’s Cade said.  

“Phishing is a traditional threat, but it has been fortified by AI. AI gives muscle that enables the attackers to operate at more speed and at a bigger scale.” 

— Alicja Cade, director of financial services in the office of chief information security officer, Google Cloud

Bad actors can mimic authentic look-alike emails in a phishing attack more convincingly with AI, which increases the chance of a consumer clicking a harmful link and sharing private information, Cade said. 

While AI can aid in countering cyberattacks, FIs must also invest in their infrastructure to ensure that other types of security measures are also in place, Cade said. 

Zero-trust framework

FIs are investing in structural changes to their operations as one way to button up security, Paul Martini, chief executive of cloud cybersecurity company iboss, told BAN. 

FIs are implementing a zero-trust framework already implemented by many governments, including the U.S., Australia and the U.K., he said. 

A zero-trust framework requires that all user identification be validated, authorized and authenticated, according to CrowdStrike. 

“The idea of zero trust is that it is founded on access control. It doesn’t necessarily mean just checking the person’s identity and then allowing them to do whatever they want, but rather checking every single interaction, every single exchange of data between a user and an application and deciding whether that transaction should occur.”

— iboss Chief Executive Paul Martini

Think of zero trust like airport security, Martini said. A person might have to go through multiple checkpoints before boarding a flight; similarly, a user might have to go through many checkpoints before accessing data. 

“The No. 1 mistake I would say the banks make is they rely solely on identity [verification],” Martini said. “Once you check the ID, you can’t just allow the person to have free interactions with applications, you  still have to go through a checkpoint and continuously scan the data so that if there’s a massive amount of data being hijacked the system can see that.” 

Martini’s company screens more than 150 billion transactions daily through its zero-trust framework to reduce fraudulent transactions, he said. 

As organizations try to build more robust cybersecurity frameworks, building infrastructure for data that resides in the cloud is also essential, Martini said. 

Securing the cloud

Cyberattacks on cloud providers increased by 75% year over year in 2023, according to the CrowdStrike report. 

“But you can’t avoid going to the cloud, not just from efficiency but also from the ability to service customers,” Martini said. Banks managing all their software on cloud servers might be open to potential threats if the software safeguarding them is not updated regularly. 

While cloud security can be penetrable, many financial institutions are still making the move to the cloud, arguing that it can provide better security than personal servers, Martini said.  

“We feel that the cloud itself is really not necessarily diluting in any way our cybersecurity posture,” Valley Bank’s Barrett said. “If anything, we believe it will strengthen as we start to move away from our own data center operations.” 

The cloud takes operations “from a highly fragmented data environment into something that is a far more federated and controlled environment,” he said. 

The following FIs are among those migrating their operations to the cloud: 

• The $1.7 trillion Wells Fargo uses a multi-cloud strategy tapping Microsoft and Google. 

• The $222 billion Citizens Bank also deployed a multi-cloud strategy and aims to have 70% of its applications in the cloud by the end of 2024. 

• The $3.5 trillion JPMorgan aims to move 70% of its operations to the cloud by the yearend. 

• Deutsche Bank similarly is working with Microsoft, Google and IBM to deploy a multi cloud strategy. 

• Valley Bank expects to move all its operations to the cloud by the end of 2025. 

FIs prioritize cybersecurity

Financial institutions that suffer a data breach or a cyberattack not only bear tangible business losses, but also see their goodwill affected, David Cottingham, president of cybersecurity company rf IDEAS, told BAN. 

A CrowdStrike outage last month halted global economies for more than 10 hours, which led to Delta Airlines suffering a $380 million loss primarily driven by refunds via cash and SkyMiles, according to an August filing with the Securities and Exchange Commission. 

JPMorgan, $1.7 trillion TD Bank and Bank of America were also affected by the CrowdStrike outage. 

“Reputational risks and damages are difficult to quantify,” Cottingham said, adding that many financial institutions are paying close attention to improving cybersecurity and business continuity strategies. 

The $1.9 trillion Lloyds Bank is looking to invest in companies related to cybersecurity in 2024, head of fintech investment Robin Scher said at FinovateEurope in February. 

TD Bank is also gearing up investments in the cybersecurity space and aims to use AI to fight potential threats and create value for customers, head of U.S. credit cards and unsecured lending Christopher Fred told BAN. 

Business continuity

What happens when security systems fail? 

With consumers increasingly looking to digital solutions, it is essential for FIs to safeguard their data and also have an emergency plan in place in case of a data breach, Bob Wambach, vice president of product strategy at AI-driven software company Dynatrace, told BAN. 

FIs can implement the following steps when it comes to responding to a data breach: 

• Isolate the problem;  

• Communicate the issue to clients; and  

• Remediate and restore services. 

“When something goes wrong … the smart move is to always be transparent about what happened, why it happened, what you’re doing about it,” Wambach said. 

Early-bird registration is now available for the inaugural Bank Automation Summit Europe in Frankfurt, Germany, on Oct. 7-8! Discover the latest advancements in AI and automation in banking. Register here and apply to speak here.