AI abuse and misinformation campaigns threaten financial institutions

Though generative AI offers financial firms remarkable business and cybersecurity utility, cyberthreats relating to GenAI in financial services are a consistent concern, according to FS-ISAC.

Cybercriminals exploit AI for data exfiltration

The cybersecurity community’s current consensus is that adversarial usage primarily relates to the creation of convincing phishing lures at scale. That said, threat actors can use generative AI to write malware and more skilled cybercriminals could exfiltrate information from or inject contaminated data into the large language models (LLMs) that train GenAI. The use of corrupted GenAI outputs can expose financial institutions to severe legal, reputational, or operational consequences.

Not all AI risks are malicious. The LLMs that train GenAI typically use enormous datasets leveraging publicly available sources, which can contain privileged information (such as credit card numbers), or biased data. Using such outputs irresponsibly – or unethically – can cost financial firms the trust of regulators, consumers, and investors.

“Each year, a new set of threats comes to light, requiring the financial services sector’s mitigation strategies to advance at an equal if not faster pace than threat actors’ tactics,” said Steven Silberstein, CEO of FS-ISAC. “As we look ahead to a critical year marked by emerging technology and heightened geopolitical tensions, the best way to maintain the integrity, security, and trust of the sector is through global information sharing.”

Threat actors are expected to launch misinformation campaigns and DDoS attacks against critical infrastructure, capitalizing on ongoing geopolitical conflicts and a “super election” year, as five national elections take place across the globe. DDoS attacks are continuing to increase in size, scope, and sophistication, with 35% of all DDoS attacks targeting the financial services sector in 2023.

Threat actors will weaponize legislation in ransomware campaigns

Threat actors have noted the implementation of key legislation in 2023 and are monitoring pending global regulations in 2024 and 2025, adjusting their tactics accordingly. Cybercriminals may weaponize new disclosure requirements, pushing companies to fulfill extortion demands ahead of the required reporting deadline.

Recent quantum computing and AI advancements are expected to challenge established cryptographic algorithms. In response, the financial services sector must have an increased focus on developing new encryption methods that can be rapidly adopted without altering the bottom-line system infrastructure.

Zero-day vulnerabilities in the supply chain continue to leave the sector unprotected, as attacks on providers disrupt various systems across the sector, such as those of clearing, trading, payments, and back-office service operations.

In response, the sector should work closely with suppliers to establish communication channels for incident response and bolster suppliers’ greater cybersecurity posture.

“Threat actors will exploit vulnerabilities in critical infrastructure and will leverage any tool available to destroy trust in the security of our systems,” said Teresa Walsh, Chief Intelligence Officer and Managing Director, EMEA, of FS-ISAC. “In order to maintain trust in the sector, companies must prioritize proactive cyber hygiene to ensure operational resilience in the face of an attack.”