ABA Banking Journal
Basel ICT Risk Guidance: Securing Websites and Web Applications Is Now Paramount

January 14, 2022
Reading Time: 5 mins read

By Uriel Maimon

On June 30, the Basel Committee on Banking Supervision issued two crucial new papers on operational risk: “Principles for the Sound Management of Operational Risk” and “Operational Risk – Supervisory Guidelines for the Advanced Measurement Approaches.” These are broad documents, but they were focused specifically on cybersecurity, information and communications technology (ICT) risk, and strategies for resilience and more secure operations. The papers recommend pushing responsibility for applying these principles all the way up to the board level at banks.

Most importantly, the documents set a significantly higher standard for ongoing cybersecurity and resilience in the face of what are now persistent attacks. While not binding when issued, Basel Committee guidance is crucial to banks because it informs audit procedures and best practices and eventually makes its way, in some form, into the regulations of the national financial authorities that make up the Basel Committee.

The Basel ICT risk guidance provides a good opportunity to reflect on the current state of cybercrime and fraud risk. The guidance builds on a framework of existing regulations to establish international best practices. In the United States, financial services organizations are already obligated by directives and regulations such as PCI DSS, FFIEC, UCC 4(a) and other regulations from the Office of the Comptroller of the Currency, the Securities and Exchange Commission and the Financial Crimes Enforcement Network. Even as more regulations have come into place, the volume and severity of attacks on banks continue to increase. One reason is that front-end web applications have sometimes been neglected in terms of security controls, while more focus is applied to controls around money movement. This has made the front end the soft underbelly of many banks.

This is a major oversight: in the wake of the COVID-19 pandemic, web applications and online access have become the dominant medium of interaction between banks and their customers. According to research by BAI, 52 percent of people have increased their use of digital banking services during the pandemic; that rate jumps to 70 percent for millennials. Banks that want to keep the confidence of customers and maintain a more legally defensible risk posture need to think about how they must change their security operations and solutions to better adhere to the new guidelines from the Basel Committee. This will mean enforcing more stringent security measures and embracing technologies that proactively identify and mitigate automated fraud and supply chain attacks against web applications and websites.

Increasing cyber risk forcing stricter standards

These moves by the Basel Committee were likely a response to the growing volume and sophistication of cyberattacks against the applications and websites of major banks and financial institutions. Accenture and the Ponemon Institute pegged the annual damages and costs suffered by each bank from cyberattacks at $18.3 million in the report “Unlocking the Value of Improved Cybersecurity Protection.” In research by security company VMware Carbon Black, CISOs at leading financial institutions report that “… 80 percent of surveyed financial institutions reported an increase in cyberattacks over the past 12 months, a 13 percent increase over 2019.” According to the report, 33 percent of banks were targeted with supply chain attacks, in which partners or technology suppliers were compromised as a means to access the banks’ systems under the guise of trusted intermediaries.

One of the largest threats banks and financial institutions face is account takeover through credential stuffing. According to the “State of Secure Identity” report by identity management provider Auth0, roughly 16 percent of all login attempts during a three-month period in 2020 were credential-stuffing attempts. This includes a number of severe attacks against major financial institutions. The severity and frequency of credential-stuffing attacks caused both the FBI and the SEC to issue stark warnings about this common form of account takeover. According to the FBI bulletin, credential-stuffing attacks represented 41 percent of all attacks against banks between 2017 and 2019, affecting over 50,000 accounts in the U.S. alone. Many of these attacks targeted bank application programming interfaces (APIs), where multi-factor authentication is not required to access sensitive account information, the FBI noted.

As web application usage soared, attacks followed

The data cited by the FBI is likely a vast understatement. The past year has seen an unprecedented increase in the use of online and mobile banking. According to research by the industry group BAI, more than half of consumers started using digital services more during the pandemic, and 87 percent plan to continue this higher volume of usage. Naturally, attackers have followed the traffic and the money. The Carbon Black report found a 238 percent increase in attacks against financial institutions during the first three months of the COVID-19 pandemic.

API abuse for account takeovers is a growing problem

To work effectively with third-party services and to make their own applications more efficient, banks increasingly rely on APIs to connect, share data and add functionality. In its warning, the FBI cited API attacks on banks as a growing concern, recognizing that attackers have gotten smarter and have recognized that APIs tend to be lightly defended. Attacks on APIs are also harder to filter and distinguish than attacks on websites, where actions such as navigating pages can provide telltale clues that a visitor is actually a malicious bot. Putting multi-factor authentication in place to protect APIs is impossible because API communications are machine-to-machine and have no mechanism for out-of-band challenges such as sending an authentication code via SMS or requesting a code from an authenticator app.
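As an added illustration (not code from the article or from PerimeterX), the following Node.js script shows the kind of detection logic that separates a credential-stuffing run against an API login endpoint from ordinary failed logins: it assumes a hypothetical JSON-lines log with src, user and ok fields, and the sample records and thresholds are constructed for the demo.

```javascript
// Added example (not the article's code): flag credential-stuffing patterns in
// API login logs. A stuffing run shows as one source trying many *different*
// usernames with mostly failed logins, unlike a legitimate user retrying one
// account. Field names and thresholds are assumptions for the demo.
const rec = (src, user, ok) =>
  JSON.stringify({ ts: '2022-01-14T10:00:00Z', path: '/api/v1/login', src, user, ok });

// Constructed log lines from a hypothetical bank login API.
const SAMPLE_LOG = [
  rec('203.0.113.7', 'alice', false), // alice mistypes twice, then succeeds
  rec('203.0.113.7', 'alice', false),
  rec('203.0.113.7', 'alice', true),
  rec('203.0.113.42', 'bob', true),
  // one source cycling through leaked username/password pairs: 8 accounts, 7 failures
  ...['u1', 'u2', 'u3', 'u4', 'u5', 'u6', 'u7'].map((u) => rec('198.51.100.9', u, false)),
  rec('198.51.100.9', 'carol', true), // the one hit: carol's account is now taken over
];

// Group login events by source address and accumulate stuffing indicators.
function summarizeBySource(lines) {
  const bySrc = new Map();
  for (const line of lines) {
    const e = JSON.parse(line);
    let s = bySrc.get(e.src);
    if (!s) {
      s = { attempts: 0, failures: 0, users: new Set(), compromised: [] };
      bySrc.set(e.src, s);
    }
    s.attempts += 1;
    if (e.ok) s.compromised.push(e.user); else s.failures += 1;
    s.users.add(e.user);
  }
  return bySrc;
}

// A source is flagged when it tries at least minUsers distinct accounts and at
// least minFailRate of its attempts fail. Successful logins from a flagged
// source are reported as likely account takeovers that need a forced reset.
function detectCredentialStuffing(lines, { minUsers = 5, minFailRate = 0.8 } = {}) {
  const flagged = [];
  for (const [src, s] of summarizeBySource(lines)) {
    const failRate = s.failures / s.attempts;
    if (s.users.size >= minUsers && failRate >= minFailRate) {
      flagged.push({ src, attempts: s.attempts, distinctUsers: s.users.size,
                     failRate, compromised: s.compromised });
    }
  }
  return flagged.sort((a, b) => b.attempts - a.attempts);
}

console.log(JSON.stringify(detectCredentialStuffing(SAMPLE_LOG), null, 2));
```

Because the signal is "many distinct accounts from one source," not a single user's retries, the alice retries and bob's clean login are left alone while the 198.51.100.9 run is reported together with the account it reached.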

Bank applications increasingly composed of third-party code

Like most online businesses today, banks are building web applications increasingly made up of code they do not control. This “shadow code” presents a risk because external code and scripts included in an application are often not properly reviewed for security exposures or sufficiently monitored. In fact, shadow code may be among the biggest risks facing banks today because their application teams are moving quickly to add new functionality. Typically, though, the processes for reviewing and securing third-party code running on the front end of websites and inside mobile applications are far behind those for natively written software and services that run on the bank’s web server. Vulnerable third-party code has become a favorite attack vector for Magecart and digital skimming attacks that harvest sensitive customer information to fuel more lucrative social-engineering or automated fraud attacks—and through them, account takeovers.

To fulfill the new guidance, banks need to focus on their front end

The Basel Committee’s new guidance clearly calls for banks to have documented ICT policies covering cybersecurity, including details of security architecture and design, policies and controls. The committee recommends a number of steps, including strong mandates around incident response plans, security layers and policies, and detailed accountability for and monitoring of security efforts.

The guidance also calls for redoubling efforts to identify likely points of failure and shore those up with better resilience and security. All of these recommendations make good sense and formalize expectations around what banks should be doing to maintain strong cybersecurity. In reality, to fulfill Basel Committee guidance, banks will need to improve protection of their most highly targeted but also increasingly critical digital assets—the front end of applications and exposed APIs. By dedicating resources to better securing front ends and APIs, banks will go a long way toward fulfilling the new guidelines while simultaneously protecting customers, partners and the bank from some of the fastest growing and most dangerous attack types in the world today.

Uriel Maimon is senior director of emerging technologies at PerimeterX, a provider of solutions that protect modern web apps at scale.

© 2025 American Bankers Association. All rights reserved.