Supply chain, Endpoint/Device Security

US financial industry ‘uniquely susceptible’ to supply chain threats

Products such as ATMS, card readers and financial software is susceptible to supply chain threats, said one expert Pictured: Trucks haul shipping containers at the Port of Los Angeles on Nov. 24, 2021, in San Pedro, Calif. (Photo by Mario Tama/Getty Images)

Over the past several months, delays in the global supply chain have wreacked havoc on all manner of businesses in the U.S. and abroad. These issues have also impacted financial IT security.

Indeed, there has been a jump in cyberattacks across various sectors during the supply chain crisis, according to a recent report from cybersecurity firm Kaspersky, especially since so many businesses have “deprioritized cybersecurity over the past year amid the pandemic.” In the United Kingdom, there has been a 30% rise in the number of cyberattacks in the wake of the supply chain issues, according to Kaspersky.

Steve Povonly, principal engineer and head of advanced threat research at Trellix, pointed out that supply chain issues are “further compounded when examined with a focus on cybersecurity issues. As we learned from SolarWinds, nation-state threat actors are highly motivated by the attack surface the end-to-end supply chain presents.”

“Cyber criminals can leverage unique opportunities to inject anything from malicious hardware to fully functional firmware backdoors to achieve a remote attack,” Povonly said, “and often persistence on the device, with very little likelihood of being discovered.”

Povonly said this is because most security audits happen long before or long after the time at which a bad actor is present in the system.

Almost three-quarters (72%) of companies surveyed stated cybersecurity threats are their No. 1 concern, but only a third (33%) of respondents said their companies provide necessary internal resources and knowledge to respond, according to Kaspersky. And only about one-third (35%) are “certain” that they have taken every possible step to mitigate third-party risks in their organization, per the Kaspersky report, "Supply Chain CyberSecurity – Potential Threats and Rising to the Challenge."

“We are constantly assessing the risk profile of the global supply chain and alerting the industry to our concerns,” said Mike Yarwood, Kaspersky managing director for loss prevention, in the report. “One should not underestimate cyber criminals. They are agile, focused and highly sophisticated, presenting a significant threat to businesses in the global supply chain.”

As financial firms and their customers emerge from the pandemic, Yarwood recommended that they “re-evaluate their cyber risk policies and urge operators to satisfy themselves that sufficient resources are allocated to addressing this threat.” Supply chain attacks are particularly difficult to suss out as they might begin with bad actors infiltrating virtually any step (or provider) within the supply chain.

Since most U.S. financial institutions can depend on dozens, or even hundreds, of third-party providers, the slowdowns in the global supply chain and the potential weaknesses in this system could have huge ramifications on the financial industry.

“The financial industry is hardly different than any other products and services industry subject to supply chain woes,” said Povonly.

“Card readers, ATMs, crypto chips, and financial software are all staple industry products, and each is uniquely susceptible to supply chain threats,” he added. “This is one of the more enticing areas for exploitation as, by its nature, these systems are responsible for direct financial transactions and provide a shortcut to monetizing supply chain threats.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds