Salt Security has recently released a report on API security within the financial services and insurance industries. The report, titled ‘State of API Security for Financial Services and Insurance’, examines the vulnerabilities and attacker activity that these industries face.
The report combines data from Salt customers, two separate surveys, and vulnerability research from Salt Labs to analyze the impact of API security threats and vulnerabilities within these sectors.
One of the key findings of the report is the increasing activity of API attackers targeting financial services and insurance APIs. The number of unique attackers has risen by a staggering 244% between the first and second halves of last year. This significant increase highlights the growing threat that these industries face.
Furthermore, the report reveals that 92% of financial services and insurance respondents have experienced a significant security issue with their production APIs in the past year. Nearly one out of five respondents have also suffered from an API security breach. These statistics emphasize the urgent need for enhanced API security measures.
Key findings from the report include the following:
– 69% of financial services and insurance respondents have experienced rollout delays due to API security issues, which is 11% higher than the overall response average.
– 84% of attacks against these sectors came from “authenticated” users who appeared legitimate but turned out to be attackers.
– 71% of financial services and insurance respondents believe that their existing tools are not effective in preventing API attacks.
– More than 25% of respondents have no current API strategy.
– 17% of respondents have experienced an API-related security breach.
Roey Eliyahu, the CEO and co-founder of Salt Security, emphasizes the importance of APIs for the digital services provided by financial and insurance organizations. However, he also acknowledges that these APIs transport sensitive customer and financial information, making them a prime target for cybercriminals. The increasing number of attackers and security issues faced by these industries makes them vulnerable to API-related incidents.
API security breaches can have severe consequences for businesses, including fines, loss of customer trust, and reputational damage. Additionally, delays in application rollouts or rollbacks of new applications can be costly. As a result, API security has become a critical issue for financial services and insurance companies.
According to the report, 56% of financial services and insurance respondents consider API security to be a C-level issue, which is 8% higher than the overall response average. Furthermore, 79% of CISOs in these industries believe that API security is a higher priority today than two years ago. The majority of organizations plan to prioritize API security over the next two years, with 13% considering it a critical priority.
Jeff Farinich, SVP Technology and CISO at New American Funding, believes that while API security has gained more attention recently, it is surprising that it hasn’t been a mainstream concern for many years. He lays part of the blame on slow-evolving security frameworks and regulations. However, he sees hope for change, citing the Federal Financial Institutions Examination Council (FFIEC) explicitly recognizing APIs as a separate attack surface and requiring financial institutions to inventory, remediate, and secure API connections.
The report also reveals that financial services and insurance respondents are not adequately prepared to protect their APIs from threats. Around 28% of respondents with APIs running in production have no current API strategy. Only 13% consider their API security programs advanced, and 25% believe that their current API security strategy doesn’t allocate enough time to documenting APIs. Additionally, 42% of respondents have little confidence in understanding which APIs expose personally identifiable information (PII).
Outdated or “zombie” APIs are the top concern for financial services and insurance respondents, cited by 48% of participants. This concern outweighs the second-highest API security concern, which is account takeover (ATO), by nearly 35%.
In conclusion, API security is a pressing issue for the financial services and insurance industries. The significant increase in API attackers and the high number of security issues and breaches indicate the need for enhanced security measures. Organizations should prioritize API security and develop comprehensive strategies to protect themselves from potential threats. The full report can be found on Salt Security’s website for those interested in a more detailed analysis.
