SPECIALIST INSIGHT
We have many stages for technology in the corporate world, where there have been movements within technology stacks and frameworks to grant more access to data. Years ago, these were things like SSH keys – which allow internal systems to talk to each other and exchange keys and information. However, they were easily breached and exploited. In response, companies realised they needed an inventory and a library of known, identified assets to understand what they had. If we think about an API as simply one more asset, then it becomes very easy for banks to replicate their previous programmes around data classification and asset inventories and apply those principles to APIs.
FFIEC serves as a ‘regulatory clearing house’ for banks – primarily large ones in the US; however, it has sway over many global institutions that do business within the country.
Additionally, the FFIEC, over decades, publishes expectations for banks regarding performance around cybersecurity and control domains. However, the body moves much slower than the landscape of threat and risk. For example, in August 2021, the FFIEC issued an update for the first time in 10 years to its identity authentication and access requirements – which all banks are now responsible for meeting – and within that update, there was a very specific set of statements about APIs being an issue and risk.
Subsequently, in October 2022, the FFIEC published a ‘resource guide’ with underlying documentation and directions associated with what was stated in August 2021.
There are two things the FFIEC addressed in these resource guides. First was the significant rise in ransomware, and the second was API security. As a result, banks in the United States – and by extension international institutions – were being held responsible by the FFIEC for the first time. Second, they had to inventory all known and active APIs within their environment, which caused banks to scramble. If we look at the growth and development of APIs, they’ve been done without security oversight and a framework for over a decade. This is a problem, as APIs exploded in growth, so they need to be monitored more closely.
How can organisations integrate APIs into their inventory of risk assessments and information systems, and what are the benefits realised from this?
The first thing banks need to do is recognise this is a familiar pattern. People get excited about APIs because they seem different and new, but they are not.
Banks need to be doing this quickly. I work extensively with Zero Trust, and it has a small margin for unknowns within your environments. Banks, in particular, have to be aggressive to address the reality that they can have no unknown APIs circulating within their environments; whether they be their own or third parties’ – none of them can be ‘unknown’ to the organisation.
So, it starts with a commitment to that principle. Once that is in place, only then can we take the next steps – risk ranking and assessing APIs and putting security in place around the ones that pose the greatest threat to data privacy, regulatory and compliance demands.
How has Traceable been working with large financial institutions to access their APIs?
The biggest thing banks, financial services institutions and FinTechs bring to us is the need for visibility. In today’s banking environments – especially large enterprises – API creation has been highly fragmented across the organisation, so there’s a lack of centralisation. This leads to our biggest ask: ‘Can you help me see what I cannot?’ At Traceable, we can do this. We can discover everything.
Due to APIs being developed without standards and having no centralisation, there are many different ways we can detect them. However, due to the fragmentation, it takes a tremendous amount of effort to collect and aggregate the data about them. As a company, we
www.intelligentfin.tech