7 cyber security questions to ask your bank & financial institutions

Published Jul 27, 2022 by Xiph

Banks rely heavily on the internet (think online and mobile banking) and hold tons of sensitive financial information from millions of customers (including you). This makes them a prime target for hackers in search of corporate information, transactional data or funds (or all combined), and bad actors continue to become more sophisticated in their quest for that digital gold. That’s why understanding cyber security risks and how your bank mitigates those is important. To that end, here are seven key security questions to ask your bank and other financial institutions.

cyber security questions for banks

Do you have a multi-layered cyber security strategy?

Securing the doors is not enough – each bank should have a multi-layered cyber security strategy with pre-emptive, detective, and reactive (or corrective) levels of defence against potential bad actors and cyber attacks. This will typically involve basic cyber security components like firewalls, access control systems, intrusion detection systems, throttling, risk-based authentication, data encryption, and network segmentation, as well as more sophisticated controls to protect customers at any point of their transactions and their stored data.

Some non-negotiable security measures banks should have implemented, known as the ‘essential eight’, include:

  • Vulnerability scanning and penetration testing
  • Automatic patching on all management systems, including automatic identification and installation (preferably immediate and without downtime for end-users) of any new patch on libraries/software being used
  • Applications control
  • Using two-factor authentication for transactions on different devices and employee access to systems
  • Restricting administrative privileges
  • End-point security and resilience controls
  • Regular data backups

How often do you conduct vulnerability scanning?

Cyber threats are ever-evolving, so it’s a regulatory requirement for authorised deposit-taking institutions (ADIs) like banks and financial institutions to use automated vulnerability scanning (in real-time) to hacker-proof the funds and sensitive data they process per second. Vulnerability scanning can catch any major security holes that need to be assessed and provide a detailed overview of potential security risks and vulnerabilities an organisation faces. This helps better protect information technology (IT) structures and sensitive data from cyber threats.

Penetration testing goes one step further. It involves professional ethical hackers performing authorised simulated attacks to evaluate the security of computer systems. This is often combined with automated scans to reveal vulnerabilities that may not be identified by vulnerability scanning alone.

It’s worth noting that Australia doesn’t have a unified regulatory framework for managing cyber risks or cyber security incidents in the banking industry, although remember that your bank is always liable for funds lost due to hacking or fraud.

Do you use MFA for banking systems & online transactions?

Banks should use two-factor authentication (2FA) or multi-factor authentication (MFA) for both remote and internal administrative access to the broader banking network to ensure only authorised personnel can get access to internal systems like emails, operating software, and customers’ and your banks’ data. MFA should be required for all employees when accessing email through a website or cloud-based service and for all remote access to the network by employees, contractors, and third-party service providers.

In addition to customer identification procedures like Know Your Customer (KYC) verification, it’s also a mandatory requirement for banking apps and internet banking to use 2FA or MFA to confirm the identity of the person initiating the transaction. This helps to protect your online account(s) from being hacked or accessed by unauthorised users. These security measures provide an extra layer of password protection by requiring you to enter additional information to confirm your identity to access your account(s). This may include:

  • Something you know (i.e. password or PIN)
  • Something you have (i.e. your smartphone)
  • Something you are (i.e. facial recognition)

Is my data encrypted (both in transit and at rest)?

Financial institutions must encrypt all data that pass over the internet (in transit) as well as structured and unstructured data at rest. Data at rest refers to data stored in computer systems or cloud storage and is the organisation’s most sensitive information, including financial documents, past transactions, bank accounts, and credit card numbers. That’s why data at rest is a go-to target for hackers, also because it’s stored in a logical structure unlike individual in-motion packets moving through a network.

Most financial institutions use standard bank-level encryption 256-bit AES, which is the largest AES key length size, as well as the most mathematically complex. In layman’s terms, it’s one of the most advanced forms of encryption available. Encryption scrambles data into ciphertext (think of it as turning it into a secret code) and can only return the data to human-readable plaintext with a decryption key.

How is my data being stored & backed up?

How banks store and back up data will depend on their different classifications, the financial products they offer, and the size of the organisation. As a general rule, banking information is stored in a complex database or set of databases with redundant systems stored in a cloud environment. These databases contain your customer data, and transaction history information and automatically calculate balances and statements based on interest rates and transaction information in real-time. This is how you can see your account balance in real-time using internet banking. Storing banking information requires a very high degree of security, including 2FA or MFA and connecting through a firewall. Banks also store their data in recovery centres, where a mirror image of data is created so that it can always be recovered.

How do you mitigate web-based attacks?

Ask your bank how it mitigates cyber threats and risks. Risk mitigation typically involves anticipating threats before they occur, blocking attacks using multiple cyber defences, and reducing the severity or consequences of an attack. Ideally, fortification (as opposed to defence) is the best protection against cyber threats. In conjunction with behavioural firewalls, banks use web application firewalls (WAFs) to block sophisticated cyber attacks targeting web applications and application programming interfaces (APIs). WAFs can access all layers and protocols, which makes them highly effective gatekeepers when it comes to shielding resources from attack. Another way to thwart hackers is to build encryption directly into web applications. This will prevent bad actors from accessing clear text data on application servers. Web application attacks in the financial services industry increased by 38% in the first half of 2021, according to Imperva.

What security breach reporting thresholds have been set?

All private and public companies (including banks) with a turnover of over $3 million must report any cyber breach to the Office of the Australian Information Commissioner (OAIC) and notify customers and stakeholders of the said breach in a reasonable time. Reportable incidents include suspected unauthorised access or leak of customer data, such as personal details, credit card information, credit and transaction history, tax file numbers, etc. This mandatory reporting ensures that any breach likely to cause serious harm to a person’s right to privacy or their held assets will be reportable. Most banks should have a framework in place for reporting cyber security breaches.

A final word

New cyber threats are constantly emerging, which is why a multi-layered cyber security strategy is the most effective defence for financial institutions and banks. For advice or more information on cyber security audits, contact us via email: [email protected]


Posted in: Security