Traceable AI uncovers growing API security issues in finance

Traceable AI has released a comprehensive report highlighting the significant concerns around API security within the financial services industry. The study surveyed over 150 cybersecurity professionals based in the United States, revealing numerous vulnerabilities and issues currently facing the sector in relation to API security.

The report emphasises that the increasing use of APIs across the financial services sector has expanded the attack surface, making traditional security measures insufficient. As APIs integrate more deeply into critical operations, their security challenges have become increasingly apparent.

The report found that regulatory pressures are a significant driver of API security priorities. A notable 82% of financial institutions expressed a medium to high level of concern about compliance with federal financial regulations such as those mandated by the Federal Financial Institutions Examination Council (FFIEC), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). In addition, 76% of respondents were concerned about PCI-DSS compliance in the context of their API security practices.

Another key finding indicated that 64% of respondents admitted to a lack of visibility and context between API activities, user actions, data flow, and code execution. This lack of integration makes it challenging for these institutions to efficiently detect and respond to API-based threats.

The report also highlights that APIs commonly manage sensitive data within financial organisations. Specifically, APIs handle personally identifiable information (60%), account authentication data (60%), payment card details (56%), and device and location data (55%), making them highly attractive targets for potential attackers.

The primary API security challenges identified by respondents include detecting and preventing unauthorised access to accounts (35%), sensitive data exfiltration (33%), and identifying API vulnerabilities (30%). Furthermore, 42% of those who experienced an API-related data breach attributed the attacks to fraud, abuse, and misuse, with only 15% expressing extreme confidence in their ability to prevent such issues.

The repercussions of API-related breaches in the financial sector are extensive. Data loss and brand reputation damage were both cited by 41% of respondents as the most significant impacts, followed by financial loss (36%) and customer attrition (35%).

Richard Bird, Chief Security Officer at Traceable, commented on the findings, stating, "The findings of this report serve as a reality check for our industry. While financial organisations understand the importance of API security, many are still struggling with basic challenges." Bird, who is also a former Chief Information Security Officer (CISO) in the financial services industry, went on to stress the importance of addressing these ongoing issues, saying, "As security leaders, we can't afford to be caught off guard by the growing threats of fraud and malicious bots that are constantly looking for ways to exploit API vulnerabilities."

The report calls for financial institutions to prioritise and implement more effective security measures. Bird concluded, "This report is a call to action for all of us to take a hard look at what we're doing now and work together to secure our API ecosystems."