Almost Every Company in the Financial Sector Affected by Cyber Attacks

The study reveals the extent to which financial institutions have been the target of cyber attacks in recent months, which methods hackers have used so far and which are expected in the coming months.

Just around seven percent of the study respondents stated that they had not fallen victim to a cyber attack in the last twelve months. At 76 percent, the majority of respondents recorded between one and 20 successful attacks. Almost every tenth financial institution had to deal with 21 to 50 attacks, around four percent even with more than 50. Large companies with more than ten billion euros in turnover are particularly affected, of which almost every second (46 percent) has already been the victim of at least ten attacks.

Hackers specifically look for logical errors

However, hackers can hardly achieve success with simple, old-fashioned tactics. Therefore, they increasingly use complex scenarios, such as attacks via business logic (business process compromise). Here, hackers specifically look for loopholes in corporate processes in the sense of logic errors that they can exploit for their own purposes. 51 percent of respondents report credential theft, especially through social engineering attacks such as phishing. In third place among the most frequent attack scenarios is ransomware with almost 39 percent, followed by insider threats with 38 percent and attacks on databases (for example via brute force attacks) with 37 percent.

More digitisation, more security gaps

Just under 54 percent of respondents said that Business Process Compromise had increased or increased sharply in the last two years. “One reason for this increase is certainly that the development of applications is mostly based on modern frameworks, which are more secure and contain fewer technical vulnerabilities – apart from exceptions, of course, such as the Log4Shell vulnerability. In turn, business processes are becoming more complex and digitisation is increasing, which leads to security vulnerabilities that are particularly lucrative for hackers,” says Phil Leatham, Senior Account Executive at YesWeHack Germany. Every second respondent (51 per cent) expects ransomware to increase or increase strongly in the coming twelve months. A similar development is predicted for attacks on web applications (48 percent) as well as on databases (46 percent).

99 per cent meet banking supervisory requirement

The complexity of attacks is increasing, but banks, insurance companies and financial service providers are prepared for them: Only about one percent of the institutions do not yet meet the latest “Supervisory Requirements for IT in Financial Institutions” – BAIT for short. These dictate regular vulnerability scans, penetration tests and the simulation of attacks. 71 percent check their IT systems and applications with the help of one-off penetration tests by independent service providers, 60 percent with the help of one-off tests by the company’s own auditors. 39 per cent rely on regular checks as part of bug bounty programmes by external service providers. In many companies, several testing scenarios are implemented.

For the study, 208 experts from banks, insurance companies and financial service providers from Germany, Austria and Switzerland were surveyed in February and March 2022.