
How AI is Weaponising Supply Chain Vulnerabilities in Banking

Usman Choudhary, Chief Product & Technology Officer, VIPRE Security Group

From SolarWinds to SitusAMC, supply chain attacks have unsettled key financial players worldwide. AI, a disruptor of similar proportions, has the potential to make them even more unsettling.

Supply chain attacks are evolving rapidly with AI augmentation, and business leaders in major financial institutions need to be aware of what they can do, how hard they can hit, and how to prevent them.

What Supply Chain Attacks Do to Financial Services

Attackers are wise to the fact that global financial institutions have the resources to defend their own assets in depth. Rather than trying to break through a brick wall of enterprise-grade security machinery, they target weak links in the chain.

The MOVEit breach that impacted heavy hitters like Deutsche Bank, ING Bank, and Discovery exploited a flaw in a managed file transfer tool used, ironically, to move files securely. SolarWinds was a case of poisoned IT management software used by the likes of VISA and the Federal Reserve.

And just last quarter, real estate lending and investment provider SitusAMC was targeted in a cyberattack that impacted clients such as Citi, Morgan Stanley, and JPMorgan Chase.

AI Meets Supply Chain Vulnerabilities – Meets Finance

When we factor AI into the equation, its impact on making, disseminating, and accomplishing supply chain attacks is unprecedented.

For the past three years, publicly available AI has been a game-changer. It has exponentially improved attackers’ ability to find and exploit vulnerabilities. The average time it takes for a vulnerability to be actively exploited by adversaries is now a mere two hours after it is disclosed.

As AI crawlers hunt for exploitable vulnerabilities within FinServ supply chains, they do so at a speed and scale previously unimaginable. This same force-multiplying power is being leveraged at every stage of an attack; multiple financial institutions felt the impact of what has been called the first ‘AI-orchestrated cyber espionage campaign.’ AI models are being used to create exploits, spin up deepfakes for social engineering, craft convincing phishing emails, and autonomously string together sophisticated multi-step campaigns.

The result is a perfect storm: billion-dollar banks with over 500 third-party integrations offer excellent statistical odds for AI-powered attacks to succeed. From mobile banking app developers to payroll and HR vendors to file transfer and IT management providers (like MOVEit), modern financial institutions are nothing if not well-connected.

This has significant implications. Third parties operating in the shadow of larger organisations have historically been less mature where cybersecurity is concerned. Targeted AI-driven attacks will take full advantage of these weaknesses, leaving the banks, insurers, and brokerages that depend on them to pay the cost.

The Second-Degree Burn on Financial Institutions

What does that cost look like? For most financial institutions, the bill starts with public loss of faith and ends with compliance fines and penalties.

In the case of the MOVEit breach, reputable banks like Flagstar Bank and Kearny Bank had to issue notifications to hundreds of thousands of customers, telling them their sensitive information had been compromised.

This is par for the course in these cases and is required by law, raising questions about ongoing customer trust. Nearly one in three consumers across the US, UK, and Australia stopped doing business with a company following a breach.

Regulations like DORA in the EU and the GLBA in the US require financial institutions to report data compromises within 24 hours (DORA) and 36 hours (GLBA). Civil penalties exist for non-compliance: up to USD 100,000 per violation (GLBA) or 2% of global turnover (DORA).

All this, to say nothing of the impact on customer privacy and well-being, brand reputation, operational resilience, and security measures as teams work overtime to repair the damage.

It doesn’t seem fair, but it’s true: the fallout from a supply chain breach can be equal to or greater than the results of a data breach in your own organisation.

Building AI-Resistant Defense

Several of the biggest cyberattacks to hit the financial services sector in the past few years have been attributed to adversaries sneaking in where least expected: places where no security defenses are in place, or not enough to stop an attack already in progress.

AI is only going to add to that number, as agentic crawlers scan for vulnerable, low-hanging fruit and heighten the chance of success within lengthy FinServ supply chains.

To win, financial leaders must adopt a comprehensive approach to security: one that will account for the possibility of third-party attacks as much as institutionally targeted ones.
