Financial Services’ Shift to APIs Creates Expanded Threat Surface

by Karl Mattson, Field CISO, Noname Security

Financial services firms run an increasingly complicated mix of technologies, systems, applications, and processes to serve customers and partners and to solve organisational challenges. With a heavy focus on consumer hyper-personalisation, banks are building out more and more digital assets and services to meet and exceed growing customer experience expectations.

The modern banking environment is so reliant on APIs that they are now indispensable. APIs let financial institutions connect with their ecosystem, drive innovation, create new products, improve existing services, and operate more efficiently.

This, however, also leaves them exposed to bad actors targeting API vulnerabilities, and successful cybercriminals know a good target when they see one. As the financial services industry has wisely embraced consumer demand for digital engagement, threat actors have followed the money and the personal information to its front door.


Financial Services Bearing the Brunt of API Attacks

According to Noname Security’s annual API Disconnect survey, 80% of respondents in the financial services sector suffered an API security incident in the last 12 months. That is a 5% increase year-on-year and the highest figure of any sector surveyed, ahead of other industries rich in personally identifiable information (PII) such as retail, healthcare, and government and public sector.

Competition in this sector is strong, with fintech, neobanks, and traditional banks all competing for a slice of the pie. Open banking programs continue to drive API-centric services for payments, account services, and other customer-centric activities with third-party providers.

With that in mind, API security should be a high priority for financial services organisations. On the surface, it appears to be, with 82% of respondents saying API security is more of a priority than it was 12 months ago.

More Testing and Visibility Are Crucial

However, there is a huge disconnect between the rising number of API security incidents and the confidence placed in tools to test APIs for vulnerabilities.

Almost all (99%) financial services respondents are confident in their application testing tools’ ability to test APIs for vulnerabilities. Yet fewer than half have a full inventory of their APIs and know which of them return sensitive data; the remaining 55% admitted to having either only a partial view of their inventory, or a full inventory but no idea which APIs return sensitive data.

While this compares favourably with 2022, when 71% of respondents reported a lack of inventory visibility and did not know which APIs return sensitive data, the gap is concerning to say the least: an organisation that cannot tell which APIs return PII cannot prioritise protecting them from attack. This year, financial services respondents cited web application firewalls and API gateways as the primary attack vectors.
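To make the inventory gap concrete, the following is an added example (not Noname Security’s tooling or any product code) of the two checks the survey question is really asking about: building an inventory of operations from an OpenAPI 3 document and flagging those whose response schemas carry PII or cardholder data, and then confirming at runtime whether a real response body actually contains such data. The OpenAPI document, the sensitive-field name list and the sample response are all constructed for illustration; the name heuristics are an assumption of this example, not a standard.

```python
"""Added example: API inventory with sensitive-data classification.
The spec and sample response below are constructed, not a real bank's API."""
import json
import re

# Constructed OpenAPI 3 document (illustrative only).
OPENAPI_DOC = json.loads(r"""{
  "openapi": "3.0.3",
  "components": {
    "securitySchemes": {"oauth": {"type": "oauth2", "flows": {}}},
    "schemas": {
      "Customer": {"type": "object", "properties": {
        "customerId": {"type": "string"},
        "fullName": {"type": "string"},
        "email": {"type": "string", "format": "email"},
        "dateOfBirth": {"type": "string", "format": "date"},
        "address": {"$ref": "#/components/schemas/Address"}}},
      "Address": {"type": "object", "properties": {"postcode": {"type": "string"}}},
      "Card": {"type": "object", "properties": {"pan": {"type": "string"}, "expiry": {"type": "string"}}},
      "Rate": {"type": "object", "properties": {"currency": {"type": "string"}, "rate": {"type": "number"}}}
    }
  },
  "paths": {
    "/customers/{id}": {"get": {"security": [{"oauth": []}], "responses": {"200": {"content":
      {"application/json": {"schema": {"$ref": "#/components/schemas/Customer"}}}}}}},
    "/cards": {"get": {"responses": {"200": {"content": {"application/json":
      {"schema": {"type": "array", "items": {"$ref": "#/components/schemas/Card"}}}}}}}},
    "/rates": {"get": {"responses": {"200": {"content": {"application/json":
      {"schema": {"$ref": "#/components/schemas/Rate"}}}}}}}
  }
}""")

# Heuristic field-name patterns for PII / cardholder data (an assumption of this example).
SENSITIVE_NAME = re.compile(
    r"(name|email|phone|birth|dob|address|postcode|ssn|national|passport|iban|account|pan|card|cvv|expiry)",
    re.IGNORECASE)
SENSITIVE_FORMAT = {"email", "password"}
METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}


def resolve(spec, node):
    """Follow a local $ref ("#/components/schemas/X") to its definition."""
    while isinstance(node, dict) and "$ref" in node:
        target = spec
        for part in node["$ref"].lstrip("#/").split("/"):
            target = target[part]
        node = target
    return node


def sensitive_fields(spec, schema, prefix="", seen=None):
    """Walk a JSON schema (objects, arrays, $refs) and return dotted paths of sensitive fields."""
    seen = seen if seen is not None else set()
    schema = resolve(spec, schema)
    if id(schema) in seen:           # guard against recursive schemas
        return []
    seen.add(id(schema))
    if schema.get("type") == "array" and "items" in schema:
        return sensitive_fields(spec, schema["items"], prefix + "[]", seen)
    found = []
    for name, prop in schema.get("properties", {}).items():
        path = f"{prefix}.{name}" if prefix else name
        prop = resolve(spec, prop)
        if SENSITIVE_NAME.search(name) or prop.get("format") in SENSITIVE_FORMAT:
            found.append(path)
        found.extend(sensitive_fields(spec, prop, path, seen))
    return found


def inventory(spec):
    """One record per operation: method, path, whether it requires auth, sensitive response fields."""
    records = []
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            if method.lower() not in METHODS:      # skip "parameters" and other non-operation keys
                continue
            fields = []
            for resp in op.get("responses", {}).values():
                for media in resp.get("content", {}).values():
                    if "schema" in media:
                        fields.extend(sensitive_fields(spec, media["schema"]))
            records.append({"method": method.upper(), "path": path,
                            "authenticated": bool(op.get("security", spec.get("security"))),
                            "sensitive_fields": sorted(set(fields))})
    return records


def luhn_ok(digits):
    """Luhn checksum: separates a real-looking PAN from an arbitrary run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def scan_response(body):
    """Runtime check: report PII-looking values in an actual response body (detection only)."""
    hits = []
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):      # mask the PAN in the finding so the report itself is not cardholder data
            hits.append(("pan", digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    for m in EMAIL_RE.finditer(body):
        hits.append(("email", m.group()))
    return hits


# Constructed response body: one valid test PAN, one 16-digit reference that fails Luhn.
SAMPLE_BODY = ('{"customerId": "C-1001", "fullName": "Jane Doe", "email": "jane@example.com", '
               '"pan": "4111 1111 1111 1111", "reference": "1234567812345678"}')

if __name__ == "__main__":
    for rec in inventory(OPENAPI_DOC):
        print(rec)
    print(scan_response(SAMPLE_BODY))
```

Run stand-alone, the inventory shows that /cards returns cardholder data with no security requirement declared, which is exactly the kind of endpoint that should sit at the top of a testing and PCI DSS scoping list, while /rates carries nothing sensitive; the runtime scan then confirms what a live response actually leaks, flagging the Luhn-valid card number but not the look-alike reference number.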

With APIs a weak point in the integrity of financial services systems, regular testing is paramount. Despite this, just under a quarter of respondents said they test in real time, and under 40% test once per day. This is an improvement on 12 months ago, but with API security incidents rising and fewer than half of sector respondents viewing API security as a necessary requirement, financial services organisations need to get ahead of the game.

The Stakes are High in the Current Regulatory Landscape

Should a financial services organisation suffer an API security incident, the repercussions can be severe. Just under half (47%) suffered from a loss of productivity while 44% cited incurred fees to help fix the problem.

Over half (53%) of sector respondents cited a loss of customer goodwill and churned accounts following an API security incident. Trust is a valuable commodity in financial services and is not easily recovered; this should focus the minds of those at the coalface on getting API security right and placing it near the top of their organisation’s overall proactive cybersecurity strategy.

Open banking standards, real-time payments, crypto wallets and a range of fintech services continue to push the industry towards API-first and cloud-friendly technologies, albeit in a highly regulated manner. This is reflected in our research, with 44% of respondents saying that regulatory fines, stemming from an API security incident, have had a negative impact on their business.

With a multitude of rules and regulations governing financial services across different jurisdictions, the high pace of innovation and transformation creates new risks and vulnerabilities for the sector, and the regulation that responds to them has become increasingly complex to navigate.

Against that backdrop, 78% of respondents said that their API security testing tools help them adhere to the Payment Card Industry Data Security Standard (PCI DSS). With such a fragmented regulatory framework, organisations now look beyond API security testing capabilities from their partners; they need guidance on how to keep innovating while remaining compliant.

Guarding Against Complacency

APIs have become the default connectivity and data exchange method within modern financial services environments and will continue to be so in the future. Looking ahead, securing APIs from both a pre-production and post-production perspective is paramount to securely operating in a digital-first banking world.

It is imperative that financial institutions work with an API security provider who can ensure a high degree of stability for their platform, help them stay compliant with regulations, and protect customer data. In this evolving landscape, that will enable organisations to implement a robust API strategy across discovery, posture management, runtime protection, and API security testing.
