Where do Financial Institutions Look for Directives on Cybersecurity Sturdiness?
In an era where cyber threats are on the rise, the need for technology that can prevent scam communications from reaching consumers is more critical than ever. This is similar to how spam filters block phishing emails, but with a focus on social engineering, which remains a challenge because of its manipulative nature and the lack of strong technological solutions.
The Organisation for Cybersecurity and Technology (OCCULT) has identified a potential cyber risk in the AI platform DeepSeek, due to its large-language-model-driven chain-of-thought reasoning. Recognising the importance of addressing social engineering, OCCULT focuses on this perspective.
Tracy Goldberg, Director of Fraud and Security at Javelin Strategy & Research, suggests that the use of MITRE ATT&CK could be an important step toward enforcing cyber resiliency in an age of lax compliance regulations. MITRE and its cyber defense matrix can help financial institutions (FIs) map out a strategy, moving beyond checkbox compliance to strategic investments based on actual necessity.
MITRE ATT&CK lets banks visualize where their systems are vulnerable to being breached or exposed to a network compromise. This framework, initially released in 2024, also includes a specific version for mobile devices (MITRE ATT&CK for Mobile).
Without regulatory oversight, financial institutions are forced to seek guidelines elsewhere for budgeting and decision-making in cybersecurity. The Federal Financial Institution Council (FFIEC) has lost some of its efficacy in providing guidance, leaving financial institutions to self-govern. In the absence of domestic regulation, U.S. financial institutions should ensure compliance with international standards like the European Union's Digital Operational Resilience Act (DORA).
DORA is considered the most far-reaching cyber regulation in the financial industry. Financial institutions conduct transactions internationally, making DORA a potential guide for strategic decisions.
Education plays a significant role in addressing social engineering, but technology is needed to prevent its exploitation. OCCULT, a new framework published by MITRE in February, aims to standardize the testing of artificial intelligence used in cyberattacks.
The absence of regulatory oversight leaves financial institutions vulnerable to exposing personally identifiable information (PII) and proprietary information. Frameworks like MITRE ATT&CK can help financial institutions detect their own cybersecurity gaps as regulatory guidance wanes.
In summary, as regulatory oversight wanes, financial institutions are turning to frameworks like MITRE ATT&CK and OCCULT to enhance their cyber resilience. These tools can help identify vulnerabilities, prevent scams, and ensure compliance with international standards like DORA. Education remains crucial in addressing social engineering, but technology will play an increasingly important role in preventing its exploitation.