Financial Services Firms: Address FFIEC’s Stringent API Security Regulations with Noname Security

Financial services companies are a favorite target for threat actors. Most of us are familiar with the Equifax and Capital One breaches that exposed hundreds of millions of customer records. But there are other attacks that don’t make the headlines. Over the years, the Carnegie Endowment’s FinCyber project has documented hundreds of separate cyber incidents impacting financial institutions around the world.

Cyberattacks can damage a firm’s reputation, disrupt business, and result in costly regulatory fines and legal settlements. (Equifax agreed to a $575 million settlement.) According to a 2022 IBM Security report, the average cost of financial services data breach is now $5.97 million, the highest of any industry other than healthcare.

Inadequately Secured APIs are Easy Prey for Cybercriminals

Threat actors are continuously honing their skills, looking for new ways to penetrate financial services networks, exfiltrate data, and commit crimes. Now, many are setting their sights on APIs (Application Programming Interfaces)—an attack vector often overlooked by corporate information security, compliance, and risk management organizations. According to a 2022 Akamai State of the Internet report, financial services web application and API attacks increased by 257% last year, the highest increase of any major industry.

Threat actors can exploit API vulnerabilities to steal customer data, take over accounts, siphon funds, or take down critical IT systems. A Coinbase API flaw demonstrates just how damaging an API attack can be. This particular vulnerability allowed an adversary to sell cryptocurrency they did not own! Coinbase was fortunate enough to fix the bug before it was exploited in the wild. Other firms may not be so lucky.

New API Security Guidelines Aim to Protect Consumers

Regulators are taking notice, instituting new rules to strengthen API security and protect consumers. In the US, for example, the Federal Financial Institutions Examination Council (FFIEC) recently revised its cybersecurity guidelines to reflect the evolving threat landscape, adding specific considerations for API security.

The latest FFIEC Information Technology Examination Handbook devotes an entire section to application programming interfaces, explaining how “…broken, exposed, or compromised APIs can be exploited by malicious actors and used in data breaches.” The handbook describes a range of security controls to help financial institutions safeguard APIs, protect confidential data, and defend against attacks.

The latest FFIEC Authentication and Access to Financial Institution Services and Systems Guidance offers additional API security recommendations and provides specific risk management guidelines such as inventorying APIs to identify potential vulnerabilities and reduce exposure.

Noname Helps Financial Services Firms Strengthen API Security and Improve Compliance

The Nomame API Security Platform is specifically designed to help organizations protect their API estate. The platform helps financial services firms improve visibility and control over their APIs and address the latest API security guidelines issued by the FFIEC and other regulatory bodies.

The Noname platform provides:

• Comprehensive API discovery capabilities that let you identify and inventory all your APIs across all data sources and environments to eliminate blind spots and close security gaps
• Extensive posture management functionality to help you uncover API vulnerabilities and configuration mishaps in your production environment and confidently assess risks
• AI/ML-powered runtime protection capabilities that let you detect and block advanced API attacks in real-time to thwart sophisticated threat actors
• Proactive security testing functionality to help you identify API flaws and vulnerabilities, during during the development process, before apps are put into production

Conclusion

The financial services industry is one of the most frequently targeted and widely regulated industries.  Banks, brokerage houses, insurers, lenders, and payment services companies are subject to a wide array of industry and government cybersecurity regulations including:

• Payment Card Industry Data Security Standard (PCI DSS)
• EU General Data Protection Regulation (GDPR)
• EU Network and Information Security Directive (NIS2)
• The Society of Worldwide Interbank Financial Telecommunication (SWIFT) Customer Security Controls Framework (CSCF)
• The Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines 

Whether you work for an upstart fintech company or a traditional financial services firm, Noname can help you strengthen API security, improve regulatory compliance, and streamline audits.

Download our Automate API Governance & Data Compliance whitepaper to learn more about the Noname platform.  Read our Rapyd case study to learn how Noname helped a global fintech company improve visibility and control over its API estate. Visit our API Security for Financial Services page for more information.