PaymentsJournal

Where Can Financial Institutions Turn for Guidelines in Cyber Resiliency?

By Tom Nawrocki
April 30, 2025
in Featured Content, Fraud & Security

Regulation continues to recede from the realm of cybersecurity, leaving organizations to fill these gaps on their own, using their own knowledge bases. The onus now falls on the financial services industry to self-govern and for cybersecurity leaders to come up with their own standards to ensure best practices.

In 2024, the nonprofit organization MITRE released ATT&CK for Mobile, which maps out where a financial institution might be vulnerable to an attack. According to Tracy Goldberg, Director of Fraud and Security at Javelin Strategy & Research, this could be an important step toward enforcing cyber resiliency in an age of lax compliance regulations. Her new report, Leverage MITRE Frameworks for Effective Cyber Investment, examines how financial institutions can use this and other new tools to preserve their cyber resiliency.

Looking for New Guidelines

As we see less regulatory oversight of financial institutions, particularly in the United States, cybersecurity teams must look to their own resources to make decisions on budgeting. Typically, financial institutions set their budgets for cybersecurity based on their need to comply with regulations or to meet certain standards. Without compliance regulations in place, they are forced to seek guidelines elsewhere.

For many years, organizations looked to the Federal Financial Institutions Examination Council, or FFIEC, for standards to follow. But the recent downsizing of the Consumer Financial Protection Bureau underscores the fact that the FFIEC has lost some of its efficacy in providing guidance for financial institutions.

This has put institutions in the position of not having much oversight or regulatory scrutiny, which is not necessarily a positive thing.

“There’s a void of regulatory oversight to ensure that they don’t risk exposing PII [personally identifiable information] from their consumers, or that they may be opening themselves up to some kind of breach that would expose proprietary information,” Goldberg said. “They’re going to have to self-govern. So what could they turn to that could serve as a guideline?”

MITRE Has an Answer

MITRE ATT&CK is emerging as an important answer. It is a framework that catalogs the tactics and techniques cybercriminals are actually using. FIs can then map those techniques against their own environment to see where their systems are vulnerable to a breach or a network compromise. By laying out visually where banks need to address risk, ATT&CK lets them see where they need to make their moves.

Frameworks like these have been around for a long time. But as regulatory guidance wanes, cyber teams could turn to some of these frameworks to potentially detect their own cybersecurity gaps.

That’s what MITRE and its cyber defense matrix can help with: mapping out a strategy so the institution is not just performing checkbox compliance. It can help FIs choose vendors and solutions that help them evolve along with the cyber threats.

“It’s a really dicey environment right now,” Goldberg said. “Cybersecurity and even fraud prevention is a cost center. Compliance is expensive, and a lot of times, financial institutions make investments in technology that they know is going to check a box for regulators. We’re not in that kind of environment now, so I think we’ll see more strategic investments made that are based less on checkbox compliance and more on actual necessity.”

Adhering to International Standards

U.S. financial institutions will have to rely on vendors and self-governance to determine their cyber investment strategic planning in the short term. They also should not shy away from the fact that they will be held to high cyber standards by international regulators, especially where the European Union’s recently released Digital Operational Resilience Act (DORA) is concerned.

DORA is extremely comprehensive, deemed by many to be the most far-reaching cyber regulation the financial industry has seen. In the absence of domestic regulation that touches on consumer privacy and cybersecurity, U.S. financial institutions would do well to ensure compliance with what's being put out internationally.

“This is especially true since we know that financial services knows no borders,” Goldberg said. “Financial institutions inevitably conduct transactions internationally, so they could turn to DORA when they’re looking to decide in which direction they should be led.”

Heading into the Future with OCCULT

In February, MITRE published its latest framework, OCCULT, also known as Operational Evaluation Framework for Cyber Security Risks in AI. The new framework’s methodology aims to standardize the testing of artificial intelligence used to execute cyberattacks. One interesting early finding is that OCCULT determined that the controversial AI platform DeepSeek poses a particular cyber risk because of the way its large-language-model-driven chain-of-thought reasoning can be exploited.

Although the MITRE ATT&CK framework is more about the techniques and tactics that bad actors use, OCCULT looks more at the social engineering perspective.

“Social engineering is a challenge because it doesn’t really have a strong technology solution,” Goldberg said. “Social engineering is where you’re doing something to manipulate a consumer into doing something. There obviously are cyber risks there, but we can’t really address them in the traditional way that we always have.”

Education plays a significant role, but it can go only so far. What MITRE is working toward through OCCULT is to help come up with some kind of technology that addresses social engineering.

“Scams are based on the same technique that we’ve seen with phishing attacks,” Goldberg said. “A phishing email tries to convince a consumer or an employee to click on a malicious link. A scam is doing the same thing: convincing a consumer or an employee to do something that they normally wouldn’t do, or that they shouldn’t do. But they are using those same types of emotional techniques—urgency, or feigning to be the boss, who’s saying, ‘I need you to schedule this wire immediately.’

“Spam filters prevent those phishing emails from getting to the employees. Could we do something similar with technology to prevent those scam communications from ever reaching the consumer? That is the direction that we’ll have to move in.”
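The direction described above, as an added illustration that is not part of the article or of any MITRE or Javelin tool: a small heuristic scorer that flags the social-engineering cues named in the text (urgency, impersonating the boss, a request to move money) in an inbound message, the way a spam filter scores a phishing email. Cue weights, the threshold and the sample messages are constructed for the example.

```python
"""Heuristic scorer for social-engineering cues in inbound messages.

Illustrative example only: the cue list, weights and threshold are
assumed values for demonstration, not calibrated production settings.
"""
import re
from dataclasses import dataclass

# Each cue is (name, weight, pattern).  The cues mirror the levers the
# article describes: urgency, an authority figure, a request to move money,
# a request for secrecy, or a request for a credential.
CUES = [
    ("urgency", 2, re.compile(
        r"\b(immediately|urgent|right away|asap|within the hour|today)\b", re.I)),
    ("authority", 2, re.compile(
        r"\b(ceo|cfo|your boss|the director|this is .* from (the bank|it support))\b", re.I)),
    ("money_movement", 3, re.compile(
        r"\b(wire|transfer|gift card|crypto|bitcoin|payment)\b", re.I)),
    ("secrecy", 1, re.compile(
        r"\b(don't tell|keep this (quiet|confidential)|between us)\b", re.I)),
    ("credential_ask", 3, re.compile(
        r"\b(password|one-time code|otp|verification code|pin)\b", re.I)),
]
FLAG_THRESHOLD = 5  # assumed: messages scoring at or above this are held for review


@dataclass
class Verdict:
    score: int
    cues: list      # names of the cues that matched, in CUES order
    flagged: bool


def score_message(text: str) -> Verdict:
    """Score one message; a single cue alone never crosses the threshold,
    so ordinary business mail mentioning a 'payment' is not flagged."""
    hits = [name for name, _w, pat in CUES if pat.search(text)]
    score = sum(w for name, w, _p in CUES if name in hits)
    return Verdict(score, hits, score >= FLAG_THRESHOLD)


# Constructed sample messages (not real communications).
SAMPLES = {
    "boss_wire": "Hi, this is your boss. I need you to schedule this wire immediately and keep this quiet.",
    "bank_otp": "URGENT: This is Dana from the bank. Read me the verification code we just sent to confirm your account.",
    "benign": "Lunch at noon tomorrow? The team room is booked.",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        v = score_message(text)
        print(f"{label}: score={v.score} cues={v.cues} flagged={v.flagged}")
```

Run stand-alone, it flags the two scam samples and passes the benign one; in practice such a scorer would feed a review queue rather than block outright, since the vocabulary overlaps with legitimate treasury traffic.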

Tags: CFPB, Cybersecurity, DORA, Fraud, MITRE