The digital surge across Asia has created a double-edged sword, fostering innovation and economic growth yet vastly increasing the attack surface for cyber threat actors. AI-powered attacks are becoming more intricate and adaptable, while ransomware tactics are growing more sophisticated with “double extortion” and readily available ransomware-as-a-service (RaaS) kits that make it easy for cybercriminals with minimal technical skills to launch an attack. Social engineering attacks are also becoming increasingly advanced, wielding AI translation, image generation, and deepfakes to bypass even the most vigilant users.
These trends are set to continue, particularly close to home in the Asia Pacific (APAC) region. FS-ISAC's latest annual report, Navigating Cyber 2024, shows a surge in cyberattacks across APAC, with ransomware targeting financial institutions the most. The report reveals a staggering 15% year-on-year increase, averaging 1,963 attacks per week, with more complex tactics by threat actors and a growing vulnerability in the financial services supply chain. This underscores the ever-increasing importance of cyber resilience for financial institutions (FIs) and Asian businesses alike.
To mitigate these omnipresent cyber risks and threats, FIs must prioritise a holistic approach to cyber resilience and continuously adapt their defences to counter ever-evolving cyberattacks.
Building Resilience for Trust in the Digital Age
Cyber resilience requires firms to take a proactive approach, building robust digital systems and processes to withstand unexpected events in order to maintain public trust in the stability of the financial system. To this end, FIs should adopt a multi-faceted strategy incorporating these key elements:
1. Engaging in cyber exercises to enhance response readiness and bolster resilience to attacks: FIs can hone their cyber resilience through regular cyber exercises. These simulated attacks expose weaknesses and help build the muscle memory needed to respond quickly and adapt to real-world threats. By regularly participating in these exercises, FIs enhance their response readiness and ensure they're prepared to handle whatever may come their way, benefitting from a continuous cycle of improvement.
Through after-action reports, participants glean crucial lessons and best practices from each exercise. This knowledge exchange strengthens the preparedness of not only participating institutions but also the broader industry for cyber threats. Participating in industry-led cyber exercises alongside trusted communities also offers a valuable opportunity for organisations to test defences and refine incident response plans in a safe, controlled environment.
In 2023, FS-ISAC led the financial sector's participation in Locked Shields, an annual exercise by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), which involved more than 3,000 participants from 38 countries across various critical infrastructure sectors. FS-ISAC designed a specific scenario for the 2023 exercise that simulated a central bank payment system outage and the resulting cascading effects on the financial system.
As part of its commitment to reducing risk and advancing the collective resilience of the financial sector, FS-ISAC also holds regular cyber exercises tailored to the industry, ranging from workshops to tabletop simulations. Upcoming events include an FS-ISAC member-exclusive tabletop exercise focusing on how AI could impact markets and public confidence. These exercises help member firms identify vulnerabilities in their systems, refine their incident response plans, and benchmark their security measures against industry peers.
2. Information Sharing in a Digitalised World: No single institution can anticipate all cyber threats all the time. Sharing threat intelligence—on new attack techniques, tools, and best defence practices—is crucial for the collective protection of the financial sector as a whole. The cross-border nature of cyberattacks means that information exchange needs to occur on a global scale to prevent and counter threats across different geographies and jurisdictions.
Furthermore, information sharing through a trusted platform such as FS-ISAC enables well-resourced security organisations to share expertise with less mature ones, empowering them with intelligence and best practices that may not otherwise be available to them. This collaborative approach is essential because even attacks on smaller institutions can erode public trust in the entire financial system.
3. Zero Trust as a Pathway to Secure Access: As APAC undergoes rapid digitisation, institutions are increasingly dependent on a sophisticated network of third- and fourth-party suppliers that can inadvertently become vectors for insidious cyber threats. This calls for a zero-trust approach, with no exceptions. Zero-trust security models deny access by default and require continuous verification through multi-factor authentication. This helps bolster security and also streamlines vendor management by reducing reliance on inherent trust assumptions. Fortunately, organisations in APAC are responding to the evolving threat landscape with a surge in zero-trust adoption: a whopping 71% of business and technology professionals report that their organisations are either adopting zero-trust models within the next year or have plans to do so.
In today's rapidly evolving cyber threat landscape, FIs face immense challenges in maintaining customer trust. While cybersecurity remains a critical first line of defence, cyber resilience allows firms to adapt and remain operational even during adverse events. A comprehensive approach that includes regular cyber exercises to hone incident response, critical information sharing across the industry to strengthen defences, and zero-trust models to minimise attack surfaces can equip FIs with the agility and resilience needed to navigate these threats.