API Security Trends: Financial Services Sector
The financial services industry has embraced the wave of digital transformation, allowing its customers to make informed decisions and instant transactions with the click of a button. One of the unsung heroes providing that level of customization and access is a collection of microservices and application programming interfaces (APIs).
Such structures present limitless possibilities to attract and serve customers, but also create vulnerabilities in efficiency and security that the sector is only beginning to grapple with. The reality is that preventing cybercriminals from attacking financial institutions and their clients is a high-stakes situation. And the more APIs an organization uses, the greater the opportunity for risk it faces in both performance and security.
To help businesses in financial services thrive in this complex environment, we’ve just released our 2023 API Security Trends report. Similar to last year’s research, we’ve surveyed over 600 CIOs, CISOs, CTOs, and senior security professionals from UK and US-based organizations across six industries. 100 of these respondents were from financial institutions. With that said, this blog post will highlight some of the key areas of concern for the financial services industry based on our research findings.
Successful cybercriminals know a good target when they see one. As the financial services industry has wisely embraced consumer demand for digital engagement, threat actors have followed the money and personal information to their front door.
When comparing the research findings over the last two years, no industry could match financial services’ reported volume of API security incidents, with 80% of respondents experiencing relevant incidents – a year-over-year increase of five percent.
Respondents to the survey painted a picture of a cat-and-mouse game with criminal enterprises. In 2022, authorization vulnerabilities were noted as the most prominent attack vector within the financial services industry (21%). In 2023, this area was not even among the top two trouble spots. The most recent study vaulted web application firewalls to being the most oft-targeted vector (26%), with API gateways landing in second place (18%).
Washington has taken notice of the market’s shift toward open banking standards, real-time payments, and the vast expanse of FinTech services. As regulators focus on consumer protection, financial services organizations are now living in a rapidly changing world of government oversight.
78% of survey respondents indicated receiving support from security platform partners to maintain compliance with these shifting demands. The Payment Card Industry Data Security Standard (PCI DSS) has emerged as a critical consideration in the structures and operations of financial services entities.
The end game of the customer service industry – no matter what sector a business belongs to – is leaving the consumer satisfied with their experience. If that wasn’t enough motivation to compel financial services organizations to get API security right, consumers have begun switching institutions based on risk.
FinServ customers have made their feelings on the topic clear – either a company will provide secure APIs that meet their financial management needs, or they will take their business elsewhere. In the most recent survey, 53% of respondents reported that API security incidents have led to the loss of customer goodwill and churned accounts.
Declining revenue isn’t the only risk to institutions struggling with API security. The survey found that 47% of respondents suffered from lost productivity due to attacks and related incidents. Monetary penalties have taken shape in the form of fees paid for solutions to problems as well as fines from regulators in response to shortcomings according to 44% of survey participants.
Surprisingly, 99% of respondents reported confidence in their current API security tools. This is a massive leap from the 67% rate of confidence in DAST and SAST tool capabilities conveyed in 2022. Such conviction does not mesh with the sharp spike in security incidents throughout the sector, which leaves the door open for threat actors to target companies without the diligence or acumen to recognize their own vulnerabilities.
We’ve established the breadth of risks for financial services companies, the high stakes involved with protecting their businesses and customers, and the regulatory challenges that cloud the picture. These factors beg for a focused response with tangible solutions across the industry. The good news is that awareness is on the rise, fostering innovative approaches to blocking attacks and preserving consumer trust.
Despite a disconnect between industry leadership’s perception of the risk at hand and their ability to mitigate such challenges, advocates for API security are getting their message across. Eighty-two percent of survey participants stated that API security is a higher priority now within their organization than such concerns were 12 months ago. Half of those sharing insight deemed API security as a necessary requirement for the field, while 48% recognize it as a business enabler.
Increased awareness can only take the financial services sector so far in the fight against cybercriminals. What organizations do in response to this deepened understanding will chart the course forward. It was encouraging to learn that the share of participants reporting a lack of visibility into APIs reporting sensitive data dropped from 71% in 2022 to 55% in 2023. This year, 45% of financial services respondents claimed to possess a full inventory of such APIs within their companies.
The increase in API security incidents, and measurable impact on companies’ bottom lines, makes this issue too stark to ignore. As tends to be the case in many industries, the financial services sector has diagnosed the problem and is working in real-time to build and implement scalable solutions. However, a year-over-year review of survey data shows that this is not a static issue, but one the financial services industry must be vigilant and nimble to address as it evolves in future years.