Skip to main content

Looking for Valuant? You are in the right place!

Valuant is now Abrigo, giving you a single source to Manage Risk and Drive Growth

Make yourself at home – we hope you enjoy your new web experience.

Looking for DiCOM? You are in the right place!

DiCOM Software is now part of Abrigo, giving you a single source to Manage Risk and Drive Growth. Make yourself at home – we hope you enjoy your new web experience.

Cybersecurity advice for banks & credit unions amid Russia-Ukraine situation

Mary Ellen Biery
March 4, 2022
Read Time: 0 min

How financial institutions can get their "cyberguard up" 

Experts say banks and credit unions should be proactive and adopt a heightened cybersecurity posture given the tensions tied to the Ukraine situation.

You might also like this whitepaper, “New Account Fraud: A Behind-the-Scenes Look at Cyber Threat Actors”  



Global tensions

Financial institutions on high alert.

Current global tensions tied to the situation in Ukraine have financial institutions on high alert for cyberattacks. Indeed, former top U.S. intelligence officials have said that Russian President Putin is likely to lash out against the financial sector after the U.S. and other countries have increased sanctions.

“He won’t sit still for it,” James Clapper, former Director of National Intelligence under President Obama, said of the trade and financial sanctions during an interview Sunday on CNN. “The analogous thing [for Putin] to do after the sanctions would be attacks against our financial sector…or perhaps our critical infrastructure,” Clapper said. “So we need to have our cyberguard up.”

“Certainly, Russia is and has been inside of our cyber[systems], our critical infrastructure for years, and so they have quite a bit of capacity” to inflict damage, added Beth Sanner, who was Deputy Director of National Intelligence under President Trump and briefly under President Biden.

E-crime intelligence

‘Key is to be proactive.’

cybersecurity advice for banks from Mara Gibor of Q6


Cyberthreats to banks and credit unions may not be all that different from usual, but they are serious, said Mara Gibor, Director of Intelligence at Q6 Cyber, a leading provider of e-crime intelligence to financial institutions worldwide and Abrigo partner, said in an interview Tuesday.

“One ransomware group, the Conti ransomware group, has directly sided with Russia, and they’ve basically said if any threats are made to Russian targets, they’ll retaliate,” she said.

Gibor and Robert Villanueva, Q6’s EVP of Intelligence, said that while the firm hasn’t seen any direct threats to financial institutions related to the Russian-Ukraine situation yet, it has been getting a lot of calls from concerned clients this week, and it’s understandable.

“With everything going on, with the tension of the war, you’re probably going to see an increase in attacks,” Villanueva said. “We’re already seeing some increase in chatter.”

Q6 Cyber’s proprietary fraud prevention technology monitors the DarkWeb, malware networks, and other cybercrime infrastructure and private messaging platforms to prevent account takeovers and other attacks, which enhances protection provided by other BSA and fraud prevention software. “The key is to be proactive and have the intelligence before the fraud,” Gibor said. In addition, the firm’s cyber threat solution detects and quickly reports to the client any potential internal malware infection of a compromised employee or third-party risk.

Is Your AML Department Understaffed? Use this AML Staffing Calculator to find out and build your use case for more resources.


'Wild, wild west'

Many potential attackers

Gibor and Villanueva said part of the challenge for financial institutions and other potential targets in the current situation is the number of potential attackers.

Robert Villanueva provides cybersecurity advice for banks & credit unions


“You have the Russian Federation, and you have groups obviously working for them or sympathizers,” Villanueva said. “You have nationalists with the Russian Federation, and you have these criminal groups operating independently. You have Russian cybercriminals sympathizing with the Ukrainian cause, and you have Ukrainian cybercriminals as well. It’s the wild, wild west out there, pretty much.”

In addition to receiving Q6’s assistance, other ways banks and credit unions can help protect the financial system in the current situation include close monitoring for wire fraud involving overseas transactions and completing sound due diligence of cryptocurrency transactions tied to overseas exchanges. “Since the ruble has gone down, a lot of people are resorting to different types of cryptocurrency,” Villanueva noted.

Monitoring for ACH activity, cybercrimes

ACH activity also deserves careful monitoring, noted Abrigo Compliance and Engagement Director Terri Luttrell. “Although Russian transactions have been disallowed from using SWIFT, all Russian transactions do not come from Russia,” she said. “We need to understand that many of Putin’s cronies and oligarchs are out of the country living their lives of luxury.”

FinCEN has issued numerous advisories about cybercrimes in the past several years which financial institutions should understand and reference as they look for cybersecurity advice for banks and credit unions. These advisories cover trends, typologies, and red flag indicators of phishing, money mule scams, and other activities that could become more frequent in the current climate.

As recently as November, FinCEN reminded financial institutions of obligations to file suspicious activity reports (SARs) related to ransomware. In an advisory that includes financial red flag indicators of ransomware activity, FinCEN noted:

Financial institutions should determine if filing a SAR is required or appropriate when dealing with an incident of ransomware conducted by, at, or through the financial institution, including ransom payments made by financial institutions that are victims of ransomware.

Starting May 1, financial institutions will have tighter definitions for reporting cybersecurity incidents. Under a final rule approved in November, they must report significant computer-security incidents as soon as possible and no later than 36 hours after their occurrence.

Guidance from CISA

Cybersecurity advice for banks and credit unions

Emily Larkin, Chief Information Security Officer for Abrigo, said that financial institutions are closely monitoring the situation developing in Ukraine. She and other cybersecurity experts say that even if your institution is not engaged with vendors, customers, or other third parties in Ukraine or Russia, it should recognize the elevated threat of cyberattack in the finance industry. Follow guidance from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) and take additional steps to ensure the security of your environment.

For example, according to CISA’s “Shields Up” program offering advice for adopting a heightened cybersecurity posture, banks and credit unions should:

Prioritize remediation of known exploitable vulnerabilities

CISA publishes and regularly updates a Known Exploited Vulnerabilities Catalog. Security researchers have identified the vulnerabilities on this list as having widespread exploitation by opportunistic and state-sponsored threat actors. Financial institutions can prioritize their approach to patch and vulnerability management by using this resource to prioritize remediation of known risks. CISA also notes 13 vulnerabilities specifically tied to Russian threat actors that should be prioritized, which can be found in CISA Alert AA22-011A.

Determine impact to critical vendors

Reach out to critical vendors for impact statements related to the Russo-Ukrainian Crisis. Vendor impact statements should clearly indicate if the vendor has operations or business in Russia or Ukraine and if they have continuity plans in place if those operations are impacted by the current political climate.

Ready incident teams and key personnel

Be prepared to respond if an intrusion occurs. Key personnel, such as cybersecurity and IT resources, should be informed and focused on identifying and quickly assessing the environment, including monitoring and addressing unexpected or unusual network traffic and enabling log monitoring. Banks and credit unions should have a designated crisis-response team that is ready to respond.

Provide employee awareness communications

Employees should have a clear understanding of how to identify and escalate potential cybersecurity issues. While many of the same end-user awareness concepts around data handling and phishing still apply to the current threat environment, it’s still a good idea for financial institutions to proactively communicate to their employees the steps they are taking to counter Russian threat actors and advise personnel to be extra vigilant.

Practice resiliency

Test backup procedures and ensure critical data can be restored in the event of a ransomware incident. While financial institutions are often victims of data exfiltration, current threat advisories related to the Russo-Ukrainian Crisis have indicated a focus on system disruption rather than data theft. Banks and credit unions should work with their IT teams to ensure defenses are in place to thwart distributed denial of service (DDoS) attacks.


Cybersecurity advice for financial institution leaders

CISA’s “Shields Up” program also offers advice for corporate leadership, and much of that advice applies to financial institution governance. Executive leaders of banks and credit unions should:

Empower the Chief Information Security Officer (CISO)

Financial institutions should ensure their CISO or equivalent leadership has the resources necessary to prepare for increased cyber resilience. Executive leaders should include the CISO in decision-making processes and adjust budgets so that the CISO has adequate funding for the institution’s security investments.

Adjust reporting thresholds

Incident detection systems should be tuned periodically to ensure a balance between potential false positives and under-reporting of external risk events. Some cyber events that may have previously been considered “low risk” may now be cause for actionable escalation. Thresholds should be lowered so that an institution’s cyber response team has increased visibility during this period of heightened threat.

Plan for the worst

Consider the immediate actions that may be necessary if a core banking platform or other business-critical system were impacted. Institutions should work with their security and IT teams to determine where the “kill switch” would be for any given critical system. This often means determining how a financial institution’s infrastructure systems would be powered down or disconnected to prevent continued intrusion or spread of malicious software.

Exercise continuity plans

Know your plan of action should a system experience downtime due to a DDoS attack. Leadership should ensure business units within the financial institution practice tabletop exercises related to business continuity in case critical systems become unavailable. These exercises evaluate whether key personnel across the institution understand their role in responding to an incident. Execute on gaps identified from these scenarios to strengthen your recovery of operations if faced with an adverse event.

Test cyber response plans

In addition to business continuity exercises, incident response exercises should also be performed. Financial institutions should leverage security incident response tabletop exercises, such as those included as part of the CISA Tabletop Exercise Package, to formalize discussions around various types of threat. Both technical personnel and senior leadership should perform separate tabletop exercises, as the scenarios, steps, and outcomes differ depending on the audience. Results from incident response exercises help institutions assess the adequacy of their response and identify potential gaps.

(Megan Castranio, Abrigo Internal IT Controls Lead, Edward Callis, Abrigo Senior Director, IT Risk & Assurance, and Tiffany Dai, Abrigo’s Internal IT Auditor, contributed to this article.)

Get the latest on cyberthreats.
Watch the webinar, "Cybercriminals, Fraudsters, and the Dark Web: What to Watch for in 2022"

keep me informed Watch Webinar
About the Author

Mary Ellen Biery

Senior Strategist & Content Manager
Mary Ellen Biery is Senior Strategist & Content Manager at Abrigo, where she works with advisors and other experts to develop whitepapers, original research, and other resources that help financial institutions drive growth and manage risk. A former equities reporter for Dow Jones Newswires whose work has been published in

Full Bio

About Abrigo

Abrigo enables U.S. financial institutions to support their communities through technology that fights financial crime, grows loans and deposits, and optimizes risk. Abrigo's platform centralizes the institution's data, creates a digital user experience, ensures compliance, and delivers efficiency for scale and profitable growth.

Make Big Things Happen.