Binary code displayed on a laptop screen and Guy Fawkes mask are seen in this illustration photo taken in Krakow, Poland on March 1, 2022. Global hacker group Anonymous declared ‘cyber war’ against Russia. (Photo by Jakub Porzycki/NurPhoto via Getty Images)
Biometrics, once the holy grail of banking cybersecurity, faces critical vulnerabilities in the wake of generative AI. But it is not the only security issue facing banks and insurers. Technological revolutions often see rogue actors adapting faster than institutions, and with coding agents in the attacker's toolkit, hacking is on steroids. “Incumbent” fintech companies are as exposed as incumbent banks. It turns out that what puts these institutions most at risk is the growing technical complexity of their architecture, not a shortage of tech talent.
Driven by consumers’ demand for a banking experience that mirrors the consumer internet, tech spending by banks has ballooned to fund integration with multiple third-party and white-labeled applications. McKinsey reports that, since the advent of cloud computing, “the average number of applications used in banking IT increased from 133 per billion dollars in revenue in 2013 to 224 in 2022, a jump of more than 68 percent,” and that over the same period the number of application vendors banks used rose by 60%.
Even as banks work to bring this enormous infrastructure in-house, significant gaps remain. According to McKinsey, although “cloud adoption and consolidation has reduced the number of infrastructure vendors a bank uses, the same cannot be said for the application side.” McKinsey highlights the increasing “breadth and complexity of applications” driven by “pressure to launch new services across channels, mak[ing] consolidation more difficult.”
According to Elliott Frantz, CEO of Virtue Security, a firm providing penetration testing in financial services, this complex web of infrastructure, designed to serve customers seamlessly, produces a “high point for fragility and enormous security debt.” Diversifying vendor relationships is essential to delivering great digital products, but mass collaboration invites vulnerability: every integration is another trust boundary that someone has to test. Frantz says, “Banks are like every enterprise, in nature. They are using a broad range of technology platforms.” But their systems architects and engineers are “experts in building, not experts in hacking.”
In this environment, old penetration testing models are no longer fit for purpose. Traditional pen testing follows a rigid process and “adopted formulas” that do not match the current operational environment of institutional IT: it examines security through the narrow lens of specific user journeys, rather than the risks that accumulate at the seams between many interconnected systems.
AI is exacerbating the problem. Both banks and the third parties they work with are under intense pressure to derive value from generative AI, and that means using proprietary data to train models. Training is the prerequisite for the second phase of AI utility, inference, where the trained model applies what it has learned to live inputs. Frantz explains, “one of the biggest risks is the number of parties that are (sometimes unknowingly) ingesting large amounts of data to train AI models. Data is being unexpectedly collected in lots of places.” Those pools of data, accumulating in places the institution never scoped for protection, represent deep vulnerability.
The solution is not to stop building customer applications or training models, but to accept that the security assessments of yore, designed around very predictable, standardized environments, won’t cut it. More sophisticated attackers, with generative coding agents at their disposal, are designing attacks that target the multi-system environment of the modern financial institution, and traditional security assessments simply don’t take this architecture into account.
The common trope about artificial intelligence, that it renders the mediocre unemployable, holds in cybersecurity too. Frantz told me, “People with sharp technical skills are becoming more and more valuable.” Changing how we think about technical systems starts with rethinking what contemporary enterprise security testing should cover. Great hackers, both ethical and unethical, are systems-minded.