A recent cyber incident involving Evolve Bank & Trust has exposed critical vulnerabilities in third-party relationships, significantly impacting fintech firms.
Background
On June 26, 2024, the notorious ransomware group LockBit leaked data allegedly stolen from the U.S. Federal Reserve, which was later confirmed to be from Arkansas-based Evolve Bank & Trust. The breach revealed customer and financial technology partner information, impacting several fintech firms. One firm disclosed that the data breach affected some of its customers, with information such as names, addresses, dates of birth and Social Security numbers potentially compromised. Another also reported that the personal information of its card users was compromised. Affirm also reported that the personal information of its card users was compromised. Evolve confirmed that the breach occurred due to an employee clicking on a malicious link, leading to the deployment of file-encrypting ransomware. While Evolve managed to restore operations using backups, the incident highlights significant risks associated with third-party relationships.
Observations and action items
- Danger of third-party relationships: The Evolve Bank incident underscores the risks fintech firms face from third-party relationships. Despite having strong internal security measures, firms can still be vulnerable if their partners are compromised. This incident shows that even well-regarded partners like Evolve can fall victim to sophisticated attacks, impacting their clients' data security.
- Exposure to traditional risks: WTW's cyber claim data reveals that fintech firms are more likely to suffer platform attacks aiming to disrupt operations, while traditional firms are often targeted for data theft. In this case, fintech firms faced significant data breaches, demonstrating their exposure to various cyber threats.
- The human element: This breach resulted from an Evolve employee clicking on a malicious link, a reminder that human error remains a significant vulnerability. Despite investments in security technology and training, phishing attacks continue to be a common and effective method for cybercriminals to gain access to sensitive systems. This highlights the ongoing need for comprehensive employee training and robust phishing defenses.
- Ransomware and resiliency: Evolve's decision not to pay the ransom and their ability to minimize business disruption through backups is commendable. However, the reputational and breach-related damage serves as a reminder that cyber incidents have multifaceted impacts beyond immediate operational disruptions.
- Reputational risk: Even though these fintech firms were not directly at fault, their association with the breach could lead to reputational damage. Notably, Evolve kelp one firm's data even though they were no longer working together. This highlights the importance for firms to track who has their data and to ensure that when relationships are terminated, former partners either dispose of or appropriately protect any retained data. In the current economic environment, trust and reliability are paramount, and any perceived security lapses can lead to customer and partner backlash.
- Responsibility follows the data: Despite the data being held by Evolve, these fintech firms may still face liability under privacy laws. Firms in similar situations should consider using their own cyber insurance policies on a primary basis for breach response, rather than relying solely on third-party partners.
Conclusion
The Evolve Bank cyber incident serves as a stark reminder of the vulnerabilities fintech firms face through their third-party relationships. It is crucial for fintech firms to not only bolster their internal security measures but also to rigorously vet and continuously monitor their partners' security practices. Proactive risk management, comprehensive cyber insurance, and robust incident response plans are essential to mitigate the multifaceted risks of cyber incidents.
Disclaimer
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).
