Page 25 - gs250901
P. 25
CoverStory
person networks like PayPal, Venmo and Zelle. Interbank
Getting a handle on cyber threats transactions initiated through those systems clear through
EPN or RTP.)
It is commonly accepted that one of the most perni-
cious threats facing payment systems, and a leading "We are fortunate in this country to have two high-value
cause of networks going down, is the threat of cyber [payment] systems," Richard Dzina, senior vice president
attacks. While there is no central data collection source for core services at TCH, told me in an interview. But here's
of every incident targeting payment systems, several the catch: CHIPS, the large dollar wire transfer system,
sources provide insights. relies on Fedwire for funding, Dzina explained.
The Kasperski financial threat report for 2024 revealed While CHIPS has just 42 participating banks, these are
that banks were the most popular lure in 2024, account- the largest banks in the world. The Fed serves thousands
ing for 42.58 percent of financial phishing attempts, of FIs of varying sizes, with services that include ACH,
while 19.3 percent of financial phishing attempts tar- wire transfers (via Fedwire) and real-time payments via
geted payment systems. FedNow.
The International Monetary Fund reported in 2024 that The 2021 episode "put a spotlight on this vulnerability,"
cyberattacks had more than doubled since the pan- Dzina said. It also spawned new-found appreciation for
demic. having a private sector alternative to the Fed and drove
home the need for contingency planning. "We're focused
And the IMF report said the risk of "extreme losses" on industry resiliency when confronted with cyber threats
from cyberattacks is increasing. "Such losses could po- and market disruptions," Dzina added.
tentially cause funding problems for companies and
even jeopardize their solvency," the IMF stated. "The Testing resiliency
size of these extreme losses has more than quadrupled
since 2017 to $2.5 billion." TCH has positioned itself as a private sector competitor
to the Fed. But as the 2021 incident revealed, the two
Indirect losses can be substantially more costly. These are mutually reliant on one another. Further evidencing
might include reputational damage or the cost of secu- this fact, they are planning a September test, simulating
rity upgrades. a failure of Fedwire that requires flipping Fedwire's
workload to CHIPS. The test will be run with the help of
KnowBe4, a cybersecurity platform company special- the Analysis and Resilience Center for Systemic Risk (ARC
izing in human risk management, in an August 2025 for short).
research paper, revealed that almost all (97percent) of
major U.S. banks experienced third-party breaches in ARC is a coalition of financial services firms that work
2024, while targeted intrusions against financial insti- together on strategies and solutions to identify, prioritize
tutions (FIs) increased 109 percent year-over-year. and mitigate systemic risk to the nation's financial services
infrastructure.
Citing Federal Reserve Bank of New York staff reports,
the KnowBe4 report stated that even a single day's dis- Members include the Fed, the nation's largest banks, and
ruption in payments by major banks could affect 38 numerous financial services companies and organizations,
percent of network banks globally. Additional findings including the Depository Trust and Clearing Corporation
reported by KnowBe4 include: (DTCC), Fiserv, Freddie Mac, Jack Henry, Mastercard,
• The U.S. accounts for 60 percent of all ransom- Nasdaq, Prudential Insurance, SWIFT (the international
ware attacks against FIs. network that facilitates international fund transfers
through message exchanges, not money itself), and TCH.
• Nearly 45 percent of large FIs are prone to phish-
ing attacks. "We do not expect it to be perfect," Dzina said, pointing
• Analysis of over 3 million dark web posts deter- out that the goal of the test is to get a sense of market
mined stolen credentials far outpace credit card readiness. "I would expect something like this to be a
thefts. yearly exercise," he noted, the idea being that the Fed, TCH
and the banks will identify ways to refine processes and
"Adversaries are gaining an advantage against the protocols that could be put to use in the event of a future
financial sector," said James McQuiggan, security failure.
awareness advocate at KnowBe4. "Traditional defenses
are no longer sufficient and threat actors discovered Patti Murphy is senior editor at The Green Sheet, president of ProScribes
stealing valid credentials is more effective than ran- Ink (www.proscribes.net) and self-described payments maven of the
somware because it allows them to move undetected. fourth estate. Her Today in Payments reports are a regular feature of the
The battle comes down to the human level. Financial Merchant Sales Podcast.
institutions must prioritize human risk management
to close this critical security gap."
25
