Cybercriminals are striking more and more frequently, using more inventive methods and sometimes even posing as whistleblowers: These are the observations made by Thomas Schumacher, Head of IT Security at the consulting firm Accenture in Germany, Austria and Switzerland. "The cyber threat has tended to increase for banks," he says talking to Börsen-Zeitung. He is experiencing professionalisation and industrialisation. Cybercriminals are outsourcing processes and using a division of labour right down to the hotline service.

Although regulation has led to banks having to meet higher cyber security standards than companies in other sectors, and banks are basically well positioned, this is not enough. "It is only a deceptive sense of security because there is no such thing as 100 percent security."

The perpetrators are becoming increasingly bold. Schumacher refers to an exceptional criminal case in the USA that took place in November. After a hacker gang called AlphV broke into the computer system of Californian financial services provider Meridian Link and stole data, they threatened to publish it if the company did not pay money.

While such blackmail is commonplace, the group's following actions were unusual. Meridian Link refused to pay and was summarily denounced by the hackers to the regulator for allegedly failing to fulfil its cyber incident reporting obligations. The perpetrators filed their complaint about their victim with the whistleblower office of the Securities and Exchange Commission (SEC), according to the New York commercial law firm Debevoise & Plimpton. It remains to be seen how the SEC will deal with this and whether the method will catch on.

According to Debevoise & Plimpton, cybercriminals are becoming increasingly aggressive, which is also due to the fact that fewer hacked companies in the US have been willing to pay ransom.

In order to increase the pressure, perpetrators have, therefore, repeatedly threatened to alert supervisory authorities in the past or have turned to the public via social media. "The threat actor is trying to use SEC regulation to their advantage by increasing the cost to their target if they refuse to pay a ransom," writes Debevoise & Plimpton about AlphV's approach.

The criminals capitalised on the fear of the expense associated with regulatory investigations into a cyber incident. Such proceedings can be extremely costly, time-consuming and damaging to a company's reputation and business, the lawyers point out.

"Criminals are putting a lot of pressure on banks that have been attacked," says Schumacher. "I have your data, if you want to get it back, pay a ransom. If that doesn't help, I'll report you to the regulator because you didn't report the incident." Those who are blackmailed are faced with tough decisions, he says. In his experience, around half of the companies and banks under pressure end up paying a ransom in the hope of averting worse reputational damage.

Schumacher recognises a race against the attackers and against time. In his opinion, ransomware attackers in particular, who capture or encrypt data and demand a ransom in return, have learnt a lot. In the past, they would have sent an unspecific email to as many recipients as possible and attacked as soon as someone fell for it.

In the meantime, however, the intruders would wait undetected in the network for a while in order to switch off or disable protective mechanisms such as backup systems and consider when and where to strike. "Ransomware attacks are easy to carry out and often successful," summarises the Accenture IT expert. "We will continue to see such attacks in the next two to five years, and they will become better, more targeted and more frequent."

According to Schumacher, it is common practice for perpetrators to post stolen customer data on the darknet, as in the Majorel case. The Luxembourg-based account switching service provider, to which the German Kontowechsel24 belongs, was the victim of a hacker attack last year in which 144,000 data records, including customer names and account numbers, were stolen and later surfaced on the darknet. According to the Handelsblatt, a good 60,000 data records related to Postbank, more than 17,000 to ING Germany and 13,000 to Deutsche Bank. Over 5,000 of its subsidiary Norisbank were also affected.

"Cyber criminals often brag about their deeds on the darknet," Schumacher observed. For example, they publish screenshots that show data being compromised. "They then demand a ransom from the attacked bank and threaten to publish the stolen data if they don't pay."

As banks have opened up to third-party providers in recent years, and these have had to gain access to customer accounts via application programming interfaces (APIs), defending their own IT systems has also become more complex, says Schumacher. "The days when banks were fortresses are over." Attacks on third-party providers such as Majorel as part of their own value chain pose additional security problems for financial institutions.

"If banks involve suppliers, they must ensure that the supplier's route to the bank is just as secure as their own defence," the Accenture expert explains. The new regulation on IT security in the financial sector – the Digital Operational Resilience Act (DORA) – also requires banks to secure their own value chain. It is to apply to banks from 17 January 2025. Schumacher says that he particularly appreciates the fact that banks need to take a strategic approach to cyber resilience.