Imperva research: cyberattacks target the FSI industry



Digital security company Imperva has released research showing that cyberattacks targeting the financial services and insurance (FSI) industry grew over the course of 2022. As detailed in the press release, this increase was driven by digital transformation and regulation, such as Open Banking, with Imperva Threat Research having found that over a quarter of all cyberattacks (28%) affected FSI businesses, double that of the next most targeted sector, the business sector.

Three of the biggest cybersecurity challenges for the industry were found to be Application Programming Interface (API) abuse, DDoS attacks, and bad bots.

Report findings on cyberattacks towards FSI companies

The increasing risk associated with API-related security threats is thought to be particularly concerning for the financial services industry, as APIs are the invisible connections that enable applications to share data and ‘talk’ to each other. As per the announcement, Imperva Threat Research found that 30% of all API traffic within the industry goes through shadow APIs, which represent a considerable risk for businesses.

Either unsupervised or outside of the visibility of the security team, shadow APIs connect directly to backend databases where sensitive data is stored. The research highlights that in recent years, hackers have been increasingly targeting APIs as a pathway to the underlying infrastructure so that they can exfiltrate sensitive information, with one in every 13 cyber incidents having been estimated to be related to API insecurity. Since 2018, Open Banking has required banks and other financial businesses to give third-party providers access to customers’ banking data through APIs, which has exponentially increased the amount of sensitive data that they exchange.

Additionally, Open Banking and digital transformation have significantly contributed to the increase in the number of APIs in use within the financial services industry, with approximately half of businesses having between 50 and 500 deployed, whereas a multitude of large enterprises already have more than a thousand active APIs. Furthermore, the research highlights that the scale of unmonitored API traffic is substantially higher than in other industries, which is believed to suggest that the implementation of Open Banking standards by FSI may have created a serious, industry-wide security threat. Imperva representatives stated in the press release that the scale of the shadow API threat should be a concern to every business, advising that the idea of a third of all traffic going unmonitored highlights that organisations should address their API protection strategies.

As APIs connect directly to the data layer, businesses should see API security as an extension of their data security strategy, with officials stating that every organisation needs complete visibility over the APIs in its environment, including what data is flowing through each one and who is accessing it.

A separate, considerable threat that FSI businesses face is made up of bad bots, which are automated software applications that have been created with malicious intent. As advised in the press release, bad bots made up over a quarter (27%) of all traffic to FSI businesses in 2022, in line with the average across industries.

Account takeover (ATO), a common bot attack, has been heavily targeting the FSI industry, with approximately 40% of all ATO attacks hitting a financial site.


Feb 02, 2023 09:57