According to the 2021 Verizon Data Breach Investigations Report, the financial services industry suffered 721 cybersecurity incidents in 2020, 467 with confirmed data disclosure. The pace of attacks isn’t slowing down. So how is the financial services industry keeping up? Based on the stats below, they aren’t doing well. Let’s dig into five of the most alarming headlines to discover what caused them and how the financial sector can prevent them in the future.

Defend your financial services company with ReliaQuest. Learn how >

1. In 2021, the largest ransomware payout was made by an insurance company at $40 million, setting a world record.

When CNA Financial, one of the nation’s largest insurance brokers, found it couldn’t access its company data, $40 million was something they were willing to pay to get back online. The alternative may have been to sacrifice the ability to perform at the same level of business, but a third option would have been to prevent the situation in the first place.

Possible cause:

Companies face an unprecedented amount of security events, and most can’t keep up with traditional tools with understaffed teams. Businesses (even the big ones) are struggling to find available cyber talent. This means stretched security teams are drowning in alerts, lack proficiencies to continuously optimize detections, among other things, and inevitably some slip through.

2. LokiBot has targeted over 100 financial institutions, getting away with more than $2 million in revenue.

LokiBot is a successful spear phishing campaign that took advantage of the Covid-19 crisis. Posing as the World Health Organization (even ripping off the official logo), it would entice readers to open to debunk misinformation about the virus – while spreading a virus onto their computers when they clicked.

Possible cause:

Increasingly sophisticated methods to fake users employed by hackers, lack of training and unprotected endpoints are equally responsible. In many cases, not having the right level of threat intelligence and detection capabilities can erode the ability to effectively identify these threats and put in the appropriate security controls.

3. 44% of financial services breaches were caused by internal actors.

The DBIR reports that “44% of the breaches in this vertical were caused by internal actors.” A lot of this is unintended error, but in some cases it’s nefarious. Those familiar with your systems are ones best suited to exploiting it. If you don’t maintain constant monitoring and threat scanning, a lot can go on, unrecognized.

Possible cause:

Many companies lack full visibility into their environment and with the influx of cloud and shadow IT, the attack surface continues to expand. The threat landscape is constantly getting more sophisticated– many security teams lack the ability to optimize their tools with detection content and investigation expertise to do the same.

4. Financial services are 300X as likely to be hit by a cyberattack.

86% of all breaches were financially motivated in 2020 (DBIR), so it’s no surprise that bad actors disproportionately target financial services organizations. In fact, “the two most common cybercrime terms found on criminal forums are bank account and credit card related” (DBIR). Attackers follow the money, and financial services organizations represent a big payout.

Possible cause:

One of the ways criminals access your bank account and other financial information is through credential stuffing attacks. They use lists of stolen credentials to brute-force access, gaining entry because the password was reused. Without the right level of visibility, it becomes difficult for finite security teams to monitor ever increasing network activity (due to more remote workers, connected devices and online services). Consequently, anomalous behavior like bot-driven credential stuffing attempts gets missed.

5. Financial services organizations rely on external parties for breach discovery.

Lack of visibility is a particularly painful problem for cybersecurity teams in this industry. The DBIR reports: “This industry continues to be heavily reliant upon external parties for breach discovery. Typically, via bad actors making themselves known (38% of the incidents) or notification from monitoring services (36% of incidents).” When you’re only discovering 38% of incidents because the attackers themselves let you know about it, you know you have a problem.

Possible cause:

In many cases, institutions lack best practices in detection, investigation, and response. This prevents security teams from employing the right detections and a consistent way to investigate and respond to alerts. The more sophisticated the methods used by threat actors, the harder it is for them identify them.

How to prevent becoming a statistic

To counter the tactics of today’s sophisticated cybercriminals, security programs need the right blend of security expertise and technology. The right foundation should provide:


You cannot protect what you cannot see. A dynamic IT ecosystem that is growing beyond the traditional perimeter is expanding the attack surface which means it is more critical than ever to ensure there are no blind spots. Lack of visibility has been cited as one of the top challenges security teams face when it comes to incident response. Teams should ensure they can ingest telemetry from solutions that span across on-prem and cloud-based systems. At the same time, they should be able to visualize how well they are covered against the risk scenarios that concern them.

Detection expertise

Security teams today lack detection expertise to keep up with today’s adversaries and their methods. While the technologies, like EDR and SIEM, can offer the capabilities, to keep up with threats, proficiency in continuously developing and deploying detection content is critical.


Many times, after a threat is detected, security teams lack consistency of analysis through contextual enrichment including the right threat intelligence and information from other sources. They end up tool hopping to collect the required information which can be time consuming and introduce errors, and many times leading to a false positive. The right investigative approach should have codified best practices augmented with automation to drive fast time-to-insights, consistency and lessen noise.


The increasing amount of data to process, scarce resources, and the need for fast response, means security teams need to look to automation capabilities. Automation is the future of security operations and should be built in across the security lifecycle—not just response.

Learn more about how ReliaQuest can help financial services companies defend against cyberattacks. Download the solution brief >