DDoS attacks against financial infrastructure are running longer than ever, bot activity has surged 147%, and 96% of organizations have already experienced an API security incident. Geopolitical conflict is generating coordinated hacktivist campaigns targeting banking and payment systems across the Middle East and Europe, while AI is compressing the time attackers need to scale, shift tactics, and evade geographic blocks. Most security teams are still discovering APIs they did not know existed.
In this interview on TFiR, Steve Winterfeld, Advisory CISO at Akamai, breaks down the findings from Akamai’s latest State of the Internet report focused on financial services, covering DDoS trends, API security gaps, bot taxonomies, regional threat shifts, regulatory pressure, and the practical steps CISOs should take now.
Guest: Steve Winterfeld, Advisory CISO at Akamai
Show: TFiR
Here is what every CISO and security leader in financial services needs to know.
Technical Deep Dive
Q: What does Akamai’s 2026 State of the Internet report focus on and why was financial services chosen?
Steve Winterfeld, Advisory CISO at Akamai, explains that the previous State of the Internet report was a global view across APIs, DDoS, generative AI, and ransomware. This edition shifts to an industry focus, with financial services as the primary lens because Akamai defends the top US and European banks and has visibility into the full attack surface at that scale. The data shared in the report comes directly from Akamai’s defensive operations across those institutions.
“Unlike the last report, which was global across attacks against APIs and denial of service attacks and attacks against generative AI and ransomware, this one is more of an industry report.” — Steve Winterfeld, Advisory CISO, Akamai
Q: How have DDoS attack patterns changed against financial institutions in 2026?
Winterfeld points to a 738% increase in the duration of DDoS attacks as the headline change. What used to be short, minute-long attacks are now sustained campaigns, driven by new botnet capabilities such as TurboMirai and Kimwolf, which have increased the volume and scale of infrastructure-level attacks. He distinguishes four attack vectors: bandwidth exhaustion at bits per second targeting infrastructure, CPU overwhelm at packets per second, Layer 7 application attacks at requests per second, and DNS disruption through queries per second.
“What used to be these short, minute-long attacks is now becoming attacks that are longer, depending on the capabilities they’re willing to use.” — Steve Winterfeld, Advisory CISO, Akamai
Q: What is driving the increase in DDoS duration and scale in 2026?
Two forces are driving the increase. The first is geopolitical conflict, with DDoS campaigns tied to the war in Ukraine targeting European institutions and Middle East conflicts targeting banks in that region. Much of this activity comes from actors who operate as cybercriminals during the day and state-sponsored hacktivists at other times. The second driver is AI, which attackers are using to increase the speed, complexity, and adaptability of attacks in the same way defenders use it for natural language queries inside security operations centers.
“Just as we’re using AI as a CISO to do natural language queries inside my security operations center, they’re using AI to do the speed and complexity of these attacks.” — Steve Winterfeld, Advisory CISO, Akamai
Q: What do the API attack statistics in the financial services report actually mean for security teams?
60% of attacks within the financial industry, covering banking, wealth management, and insurance, are directed at APIs, with the majority targeting actual banks and their customer accounts. A separate Akamai-sponsored API Security Impact Study found that 96% of companies have experienced an API incident. Winterfeld defines an incident broadly: not necessarily a data breach, but evidence of active attack activity. He uses the 96% figure as a baseline to validate whether a team’s visibility and reporting are accurate.
“If we’ve had zero API incidents and I know the industry standard is 96%, then I’m worried about whether my reporting is accurate and whether my visibility is accurate.” — Steve Winterfeld, Advisory CISO, Akamai
Q: How is AI changing the attack surface for financial services specifically?
Winterfeld draws a clear line between threat types tied to different AI categories. Traditional machine learning and large language models are associated with closer-to-known malware and CVE-based attacks. Generative AI introduces logic attacks that target how a model processes data rather than traditional malware vectors. Agentic AI represents the highest-risk tier because agents make decisions autonomously, such as approving a bank loan, rather than simply answering questions, which opens new vectors for manipulation and bias exploitation.
“The danger with agentic AI is it’s not answering questions, it’s making decisions. If the bank is using an agent to make a decision on a loan, then you can see where there’s a lot more danger here.” — Steve Winterfeld, Advisory CISO, Akamai
Q: What is the bot taxonomy CISOs need to understand for financial services defense?
Winterfeld identifies five bot categories active in the financial sector. Training or fetcher bots go out to learn information or execute zero-click purchases on behalf of AI agents. Scraper bots harvest proprietary or customer data for competitors or criminals. Account takeover bots use credential stuffing, brute force, and advanced techniques to access bank accounts or loyalty reward pools. DDoS bots execute infrastructure attacks while dynamically shifting origin countries to defeat geo-blocking. Hoarding bots buy out high-demand inventory such as event tickets or limited-release products. The report notes a 147% surge in bot activity, with one documented case where 90% of all site traffic was a single scraper bot operation.
“If 98% of the traffic I’m getting is just trying to steal from me or gather intelligence against me, that has a huge business impact.” — Steve Winterfeld, Advisory CISO, Akamai
Q: What are rogue APIs and zombie APIs and why are they a critical risk in financial environments?
Rogue APIs emerge when business units, such as marketing, add new capabilities and introduce APIs into the operational environment without security review or coverage. Zombie APIs are endpoints that were created for a business operation or experiment, then abandoned without being decommissioned, leaving them unmaintained and unpatched. Winterfeld states that in every API discovery engagement Akamai has conducted, the team has found APIs the organization did not know existed, making discovery the foundational step before any protective controls can be applied.
“I don’t know of any case where we went in and didn’t find things that the company didn’t know about.” — Steve Winterfeld, Advisory CISO, Akamai
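The discovery step described above can be approximated by reconciling observed gateway traffic against the documented API inventory. The following is an added example, not code from Akamai or from the report; the log format, the inventory fields, the sample data and the 365-day staleness rule are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed gateway log lines: timestamp, method, path, status.
SAMPLE_LOG = """\
2026-03-01T10:00:02Z GET /v2/accounts/48213/balance 200
2026-03-01T10:00:05Z GET /v2/accounts/99120/balance 200
2026-03-01T10:01:10Z POST /v2/payments 201
2026-03-01T10:02:44Z GET /mkt/analytics/export?campaign=spring 200
2026-03-01T10:03:00Z GET /v1/loans/7d9f2c1e-3b4a-4c5d-8e6f-0a1b2c3d4e5f/status 200
2026-03-01T10:03:30Z GET /v2/accounts/48213/balance 401
"""

# Constructed inventory: (method, path template) -> what the security team has on file.
INVENTORY = {
    ("GET", "/v2/accounts/{id}/balance"): {"owner": "retail-banking", "last_release": "2026-02-10"},
    ("POST", "/v2/payments"): {"owner": "payments", "last_release": "2026-02-20"},
    ("GET", "/v1/loans/{id}/status"): {"owner": "lending-pilot", "last_release": "2024-05-01"},
    ("POST", "/v1/loans"): {"owner": "lending-pilot", "last_release": "2024-05-01"},
}

UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def normalize_path(raw_path):
    """Collapse per-customer identifiers so every account URL maps to one endpoint."""
    path = raw_path.split("?", 1)[0]  # the query string does not define an endpoint
    segments = []
    for seg in path.strip("/").split("/"):
        if seg.isdigit() or UUID_RE.match(seg):
            segments.append("{id}")
        else:
            segments.append(seg.lower())
    return "/" + "/".join(segments)


def parse_log(text):
    """Return {(method, template): {"count": n, "last_seen": datetime}}."""
    observed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at their meaning
        ts, method, path, _status = parts
        key = (method.upper(), normalize_path(path))
        seen = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        entry = observed.setdefault(key, {"count": 0, "last_seen": seen})
        entry["count"] += 1
        entry["last_seen"] = max(entry["last_seen"], seen)
    return observed


def reconcile(observed, inventory, now, stale_days=365):
    """Rogue: traffic with no inventory entry. Zombie candidate: no release in stale_days."""
    rogue = sorted(key for key in observed if key not in inventory)
    zombie_candidates = []
    for key, meta in sorted(inventory.items()):
        released = datetime.strptime(meta["last_release"], "%Y-%m-%d")
        if now - released > timedelta(days=stale_days):
            zombie_candidates.append({
                "endpoint": key,
                "owner": meta["owner"],
                # Still answering requests means the endpoint was never taken down.
                "still_receiving_traffic": key in observed,
            })
    return {"rogue": rogue, "zombie_candidates": zombie_candidates}


def reconcile_sample():
    """Run the reconciliation over the constructed data with a fixed clock."""
    return reconcile(parse_log(SAMPLE_LOG), INVENTORY, now=datetime(2026, 3, 2))


if __name__ == "__main__":
    report = reconcile_sample()
    for method, path in report["rogue"]:
        print(f"ROGUE   {method} {path} (no inventory entry, no security review on record)")
    for item in report["zombie_candidates"]:
        method, path = item["endpoint"]
        state = "live traffic" if item["still_receiving_traffic"] else "no traffic in sample"
        print(f"ZOMBIE? {method} {path} owner={item['owner']} ({state})")
```

A zombie candidate with no traffic in the sample still needs an active reachability check before it is closed out, since silence in one log window does not prove the endpoint is down.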
Q: How should CISOs approach adaptive API security controls when business risk appetite varies?
Winterfeld frames API security controls as a dial rather than a fixed setting. Boards may accept higher fraud rates in exchange for lower customer friction during a major sales event, or may demand tighter controls when fraud losses increase. Security controls need to be tunable to match those shifting risk appetite decisions in real time. This means building adaptive mitigation layers around APIs that can increase friction under elevated threat conditions and reduce it when business priorities demand lower barriers to transaction completion.
“I need security controls where I can adaptively meet that requirement, and adapt as fraud gets worse, and when I want to get rid of all the friction during a major sale, then I can do those kinds of things.” — Steve Winterfeld, Advisory CISO, Akamai
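One way to model the dial described above is a step-up threshold that is retuned each review window from measured fraud against the accepted fraud rate. This is an added sketch, not Akamai's product logic or anything from the report; the class, the score scale, the bounds and the sample measurements are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class FrictionDial:
    """Step-up threshold that follows the business's accepted fraud rate (illustrative)."""
    accepted_fraud_bps: int   # risk appetite: fraud per 10,000 transactions the board accepts
    step_up_score: int = 60   # risk score (0-100) at which extra verification is required
    block_score: int = 90     # hard stop that the dial never moves
    min_step_up: int = 30     # most friction the business will tolerate
    max_step_up: int = 85     # least friction security will tolerate
    step: int = 5
    history: list = field(default_factory=list)

    def decide(self, risk_score):
        """Map one request's risk score to an action under the current setting."""
        if risk_score >= self.block_score:
            return "block"
        if risk_score >= self.step_up_score:
            return "step_up"
        return "allow"

    def retune(self, observed_fraud_bps):
        """Adjust once per review window; the dead band avoids flapping."""
        if observed_fraud_bps > self.accepted_fraud_bps:
            # Fraud exceeds appetite: challenge more sessions.
            self.step_up_score = max(self.min_step_up, self.step_up_score - self.step)
        elif observed_fraud_bps * 2 < self.accepted_fraud_bps:
            # Fraud is well under appetite: remove friction.
            self.step_up_score = min(self.max_step_up, self.step_up_score + self.step)
        self.history.append((observed_fraud_bps, self.accepted_fraud_bps, self.step_up_score))
        return self.step_up_score


def simulate():
    """Follow one borderline session (constructed score 58) across review windows."""
    dial = FrictionDial(accepted_fraud_bps=20)
    borderline = 58
    trace = []
    for observed in [12, 35, 40, 18, 8]:  # constructed weekly fraud measurements, in bps
        dial.retune(observed)
        trace.append((dial.step_up_score, dial.decide(borderline)))
    # Major sale: the board accepts more fraud in exchange for less friction.
    dial.accepted_fraud_bps = 60
    dial.retune(25)
    trace.append((dial.step_up_score, dial.decide(borderline)))
    return trace


if __name__ == "__main__":
    for threshold, action in simulate():
        print(f"step-up threshold={threshold} borderline session -> {action}")
```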
Q: What regional threat shifts stood out in the 2026 financial services report?
The report documents a clear geographic segmentation of attack types. In Europe and the Middle East, Layer 3 and 4 DDoS attacks against banking infrastructure dominated, driven heavily by pro-Iran hacktivist groups running both isolated and coordinated campaigns against banking and payment systems. The Middle East saw the most dramatic increase in this category. In Asia-Pacific, Layer 7 application-layer DDoS attacks were more prevalent, with a 52% increase recorded. In North America, API and web application attacks led, with a 44% increase in Layer 7 traffic against traditional web infrastructure rather than CDN-level attacks.
“This year what we saw was really a shift to the Middle East. We saw pro-Iran hacktivists, both isolated and coordinated DDoS attacks, dramatically increased, going after banking payment systems.” — Steve Winterfeld, Advisory CISO, Akamai
Q: What special topics in this edition of the State of the Internet report deserve more attention from security leaders?
Winterfeld highlights three areas. First, the report includes a guest column from the CSO of FS-ISAC, the Financial Services Information Sharing and Analysis Center, which Winterfeld describes as one of the most well-constructed ISACs in any sector. Second, the report addresses infrastructure decisions around large language models and agentic AI, including Akamai’s inference cloud concept, which focuses on latency-sensitive AI workloads that require different security stack considerations than conversational AI. Third, the report covers MITRE ATT&CK version 19, which splits the defensive evasion tactic into two separate categories: stealth and defense impairment, and introduces the ATLAS framework for AI inference attacks alongside threat group mappings for red team use.
“MITRE just came out with version 19. They split the defensive evasion tactics into two different ones, stealth and defense impairment. It’s worth thinking through how we should update our SOC defenses and our analytics based on this.” — Steve Winterfeld, Advisory CISO, Akamai
Q: What is the regulatory landscape shaping financial services security strategy in 2026?
The regulatory environment is fragmenting by jurisdiction. In the United States, there is no federal privacy law, so state-level regulation leads: New York’s DFS cybersecurity regulation is moving into its enforcement phase, and Colorado has passed one of the first state-level AI laws. In Europe, the landscape is more mature, with GDPR generating over 6.7 billion euros in fines as of 2025, DORA addressing operational resilience for financial institutions, and NIS2 covering banking-adjacent sectors. The EU AI Act has an August 2, 2026 deadline for high-risk AI systems, explicitly covering credit scoring and behavior profiling in financial contexts. No standalone API regulations exist yet, though API-related requirements are embedded within broader frameworks.
“GDPR alone we’ve had fines exceeding 6.7 billion euros as of 2025. DORA is against resiliency, not privacy. And the EU AI Act has an August 2, 2026 deadline for high-risk systems.” — Steve Winterfeld, Advisory CISO, Akamai
Q: Where are regulators focusing their attention on emerging threats like AI and APIs?
Winterfeld observes that regulators are concentrating on industries where AI decisions have direct population-level impact on finances, privacy, and safety. In the United States, 16 verticals are classified as critical infrastructure, including energy, finance, and healthcare, and regulatory attention is being allocated accordingly. The EU AI Act targets high-risk AI use cases explicitly, such as credit scoring and behavioral profiling, where automated decisions affect individual financial outcomes. API-specific regulation remains sparse, with most API security requirements embedded inside broader cybersecurity and resilience frameworks rather than addressed in standalone rules.
“What we’re trying to do is focus on those industries we consider critical, and that’s really where I think the regulators are trying to ensure they’re doing the right thing to protect the populations.” — Steve Winterfeld, Advisory CISO, Akamai
Q: How should CISOs turn State of the Internet report data into concrete security actions?
Winterfeld outlines a four-step approach. First, map dramatic increases in attack categories, such as DDoS duration or bot volume, against current defensive capabilities to determine whether existing tools can handle the new scope and duration of attacks. If they cannot, the CISO must either allocate budget or formally communicate that accepted risk to the board. Second, use the report’s industry benchmarks as a validation check against internal incident data. A zero-API-incident count against a 96% industry baseline is not a success metric; it is a visibility and reporting problem. Third, use generative AI and agentic AI findings to assess gaps in strategy across three layers: employee AI use, third-party AI embedded in purchased tools, and customer-facing AI capabilities. Fourth, use the DNS section and its checklist to close gaps in DNS program coverage, which Winterfeld flags as a frequently overlooked attack surface.
“If I’ve had zero API incidents and I know the industry standard is 96%, then I’m worried about whether my reporting is accurate and whether my visibility is accurate.” — Steve Winterfeld, Advisory CISO, Akamai
Q: What should be the top priority for CISOs and security teams right now based on this report?
Winterfeld’s top recommendation is to align security investment with the direction of the business transformation, not a uniform framework applied across all organizations. Banks deep in API expansion need API discovery and adaptive controls. Banks adopting agentic AI need different tooling than those using large language models for conversational interfaces, which in turn require different tools than traditional web infrastructure. Security teams need to be embedded in transformation programs so that defensive capability builds at the same pace as the business changes, including staff training in areas such as agentic AI defense where expertise is still scarce.
“Closely link up with where transformation is and embed yourself in that transition so that security is moving at the same speed.” — Steve Winterfeld, Advisory CISO, Akamai
Resources & Documentation
- Akamai State of the Internet Reports, Akamai’s threat intelligence report series covering DDoS, API, bot, and application attack trends by industry
- Akamai API Security, Akamai’s API discovery and protection platform referenced in the interview
- Akamai Inference Cloud, Akamai’s latency-optimized cloud infrastructure for AI inference workloads requiring dedicated security stacks
- MITRE ATT&CK Framework, Industry-standard threat modeling framework; version 19 splits defensive evasion into stealth and defense impairment tactics
- MITRE ATLAS Framework, MITRE’s adversarial threat landscape framework specifically for AI inference and machine learning systems
- FS-ISAC, Financial Services Information Sharing and Analysis Center; featured as guest columnist in the report
***
Full Raw Transcript
Swapnil Bhartiya: You may think that financial services are prepared for cyber threats because they are heavily regulated and they are also heavily defended. But the attackers are moving faster, using AI, shifting tactics by region and finding pressure points that traditional defenses either miss or fail to protect. That’s exactly why Akamai’s latest State of the Internet report matters a lot. And today we have with us once again, Steve Winterfeld, Advisory CISO, to unpack what surprised him most in this report, what is changing in finance and what a cyber leader should do next. First of all, Steve, it’s great to have you back on the show.
Steve Winterfeld: Always enjoy these. Thank you.
Swapnil Bhartiya: We have been talking about this report for a while now and of course you have been digging into Akamai, these reports. Let’s talk about this year’s report, especially from some of the most sensitive industries such as financial services. What surprised you the most in this year’s finding either which you may have assumed that, hey, these kind of threats will go away, or you are not expecting them to appear at all, certainly.
Steve Winterfeld: So, you know, Akamai defends a number of banks, you know, the top US banks, the top European banks. And so across these global banks, we see a lot of different types of attack. And we wanted to take a moment and you know, unlike the last report was global across attacks against APIs and denial of service attacks and attacks against generative AI and ransomware and all these kind of things that, you know, these are where we defend and as we defend against them, we collect data. And we wanted to share this data. And so the last one was kind of a global report. This one is more of an industry report. And so as we dive in, you know, some of the things that are what’s old is new again. And so we always end up talking about denial of service attacks. And so again, we saw a 738% increase in the duration of attacks. And so as you see these new peaks, and we’ve seen a lot of this lately, you talk about the TurboMirai, Kimwolf and these other kind of attacks, they’ve really increased the volume, the scale of which we attack. And so when we talk about DDoS again, a quick refresher for those who don’t think about it every day: you can attack the bandwidth in bits per second. You can overwhelm the CPU with packets per second. You can take out web infrastructure, Layer 7 applications, with requests per second. You can take out the domain name service, DNS, which is a phone book or GPS of the Internet, through queries per second, so there are different types of DDoS attacks. And so this first one we’re talking against banks is that layer three, four bandwidth against infrastructure. And so if you’re trying to go in and use some capability, it’s simply your availability is not there. And what used to be these short, minute-long attacks is now becoming attacks that are longer, depending on the capabilities they’re willing to use. And so these new capabilities are increasing the duration of an impact.
And so it’s really something as a CISO that I need to go and say, does this change my risk profile? Do I need to go look at, you know, increasing my capability? And there’s a couple of things driving this. One is the geo conflicts. Some of this is coming out of the war in the Ukraine against Europe, against, you know, the Middle East war in that region and beyond for companies or countries that support one side or another. And we see a lot of this is done by hacktivists or, you know, people that are cybercriminals during the day and then state-sponsored, you know, hacktivists at night. So it’s kind of a complex issue, but at the end of the day we really see that volume changing and the speed, and you knew I was going to talk about AI eventually and this is where I talk about it, is it’s being driven through AI capabilities. So just as we’re using them as a CISO to do natural language queries inside my security operations center, they’re using AI to do the speed and complexity of these attacks. The second half I want to talk about of these key findings is really around APIs. So APIs are those abilities for machines to talk to machines. So if you’re on an app, on your phone and you’re connecting to your bank, that’s going through an API. If you’re going shopping and you’re inside an AI and you tell that AI to go buy something for you, that is also going through an API, that’s a zero click. So now the people that you’re buying from never see you, they just see that AI, they’re losing touch. That’s all happening in the banks. We’re losing touch with our customers a little bit through those zero clicks. But this AI is having a big impact in here and it’s going through those APIs. And so 60% of attacks within the financial industry, that’s banking, wealth management, insurance, all these different types, most of it is going against actual banks. And so it is going after people’s accounts, trying to get into, to steal money straight from them.
We also put out within this a separate study that Akamai sponsored, the API Security Impact Study, and that showed that 96% of the companies out there have had an API incident. Now, what’s an incident? It could be something small. It’s not a data breach, but it is showing active attacks. And again, as a CISO, this is where I want visibility and discoverability. I want to make sure I know where all my APIs are and who’s attacking them, what’s going on. So those are kind of the two big things that jumped out at me on this one. For as far as data points.
Swapnil Bhartiya: Thank you. I was at Cisco Live and I was talking to Emmy Chang and she also said that because of AI, we are looking at new kinds of threats. Because what happens is that most time, most folks, they scan an image, they upload an image for OCR, they upload a PDF and they’re like, now what is happening is that threat? I mean, of course, bad actors, they’re embedding some codes in the image itself that humans cannot see. But when you upload them. So a lot of things are happening where even websites, you will not see human readable text, but there’s text that the AI can read and now that can pass on instructions that AI can do on your behalf. And since agents are now acting autonomously, so that is also becoming a new threat. So I want to talk about AI now. When we talk about AI here in this context, I will talk about API also. Because AI and API are related, not everybody is running local LLMs. Most of us use it through API. So it’s going to be connected. It comes to AI, how is AI changing different aspects of security? First of all, of course it can speed up the process. Also it can make attacks more sophisticated. And I, as I give examples that there are certain things that are not even visible to humans when it comes to financial sector, which people are more sensitive. But sometime it scan checks and do from financial sector’s perspective, from both defenders and attackers perspective, how AI is changing security there?
Steve Winterfeld: Certainly, and that’s a huge question to unpack. So I’m going to start a little bit up front with defining when we say AI. So the first thing you mentioned was the traditional large language models, and even older than that is machine learning. But for more of the generative AI, it’s large language models and a lot of those are a little bit closer to, you know, what machine learning words. The CVE is a traditional malware. And then as we get beyond the gen AI and there’s more. There’s some malware, there’s a lot of logic attacks. So you’re going against how it’s processing data, not actual malware. And then you get from gen AI you get into agentic AI and the danger here is it’s not answering questions, it’s making decisions. So if the bank is using an agent to make a decision on a loan, then you can see where there’s a lot more danger here. And so across all of this, what we’re seeing is, you know, a surge in advanced bot activities. So 147% surge in bot activities. So again, I’m going to step back for a second because not everybody lives in the bot world. So I want to take a second and describe these. So the first are these training bots or fetcher bots. It’s the AI going out to learn something, going out to buy those shoes. I have to say shoes because I was CSO for Nordstrom Bank. So we always talk about buying shoes up front. You know, next was scraper bots just going and harvesting data. It could be your competitors harvesting data. It could be cyber criminals harvesting, you know, proprietary information or customer information. You have account takeover bots that are using a number of attacks, from credential stuffing to brute forcing to a number of different, more advanced attacks to come in and take over your account. It could be your bank account. Or again, going back to before I worked with Akamai back in the Nordstrom days in commerce, going after all your reward points because those are easy to monetize.
And so taking over different kinds of attacks or different kinds of attacks we just mentioned, it can be running DDoS attacks. It can be doing the speed and scope and duration and innovation. Whereas, you know, if I’m attacking and you block a country, then I shift my bots to the country you’re in and you can’t geo block. And then finally hoarding or scraper bots, where again, the new tennis shoe comes out. A sporting team just released tickets, a music concert. All of these, you know, you have bots going in to buy all those tickets. So across all those we see this. And in fact, in one case, 90% of all the site traffic was a scraper bot and that’s a use case. But I just want to point out that, you know, that traffic costs money and if now 98% of the traffic I’m getting is just trying to steal from me, you know, or gather intelligence against me, that has a huge business impact.
Swapnil Bhartiya: Once again, thank you. Now let’s talk about the API. How, I mean, we have been talking about APIs for so long, the patterns remain same or something different is happening because we kind of live in API driven world.
Steve Winterfeld: So I think APIs, one of the biggest concerns is do I know where they are. I spent a lot of time thinking about rogue APIs. Marketing just came and added a new capability for analytics. And now I have a new API in my operational environment that may or may not be under my security envelope. I have zombie APIs. Somebody set up an API, did an experiment, ran a business operation, stopped that operation, never took down the API. So now it’s not being maintained, it’s not being updated. You know, so all of these different kinds of APIs out there and just people doing their business and not using the security guardrails, not following policies. And so the proliferation of APIs is dramatic. And so the first thing I need to do is discovery. You know, again, when API goes out and works with customers, that’s often the first phase is we, when we put in our capabilities. A huge part of that is discovery. And I don’t know of any case where we went in and didn’t find things that the operation, the company didn’t know about. And so the first part is do you know what you need to protect? The second part is how do you want to protect that? So again, when I talk to the board, they want a risk appetite view of the world. They may accept more fraud for a dramatic increase in sales. They may accept more friction between the customer and the company to dramatically reduce fraud. And so I need security controls where I can adaptively meet that requirement and adapt as fraud gets worse. I can increase controls as we have a major sale and I want to get rid of all the friction during the major sale, then I can do those kind of things. So a lot of for me is that dynamic ability to control the mitigation around the APIs and knowing where they are.
Swapnil Bhartiya: This year, were there any threat groups, attack patterns or regional trends? As you also mentioned, geopolitical conflict crisis going on in this report that really stood out to you as an outlier.
Steve Winterfeld: I think we’ve been talking the last three years really around a lot of the stuff going on in Europe. You know, a lot of the shift in DDoS attacks is due to that in Europe. But this year what we saw was really a shift to the Middle East. And so we saw, you know, pro-Iran hacktivists, both isolated and coordinated DDoS attacks. Dramatically increased going after banking payment systems. Again, focus as you just talked about on APIs. So we’ve really seen a dramatic increase in the second half of that. You have the kinetic war where there’s physical stuff happening and then you have that cyber war where these digital conflicts happening. And that’s the biggest increase in threat that I think I would call out in this report for finance. The second is for region. So Europe, Middle East, really it was layer three, four DDoS attacks, that infrastructure, Pacific, Asia. There we saw a lot more layer seven. We saw, you know, a 52% increase in layer seven against application for DDoS. And then North America, you know, it was at API web page or web attacks, we saw a 44% increase in that layer seven attack. Not against CDNs but traditional traffic. So those would be the things that are worth it. There’s a lot more detail in the report itself, a lot of great graphics. I encourage people to go to Akamai Soti Soti and as soon as you get to our threat page, you’ll see all our State of the Internet reports. And finance is the one you’re looking for.
Swapnil Bhartiya: Were there any special topics in this edition of the report that kind of deserve more attention from security leaders? The topics that either we have been seeing or topic we just emerged.
Steve Winterfeld: So the one is we had a guest columnist, the CSO from FS-ISAC, so Financial Services Information Sharing association, they’re one of the most well put together, strongest ISACs out there. And so we had a guest column from him, well worth reading. We talked a little bit about this move towards, you know, where we’re building all these large language models, these agentic AI models and how to think about that. Some of it’s around, you know, how responsive do I need to be if it’s me talking to pick a model. Perplexity, ChatGPT, pick a model. Just having a discussion, asking about, you know, where to get the best disc golf game in. Because that’s my hobby. I love to play Frisbee golf or disc golf. You know, that kind of conversation. It doesn’t need to be fast, but if it’s agentic AI making a decision or a large language model that needs to be really responsive, then that requires different infrastructure. In Akamai, we call that the inference cloud, where you’re focused on speed. So we talk a little bit about how to think about where you’re buying your cloud infrastructure and what kind of a security stack you want to associate with that. And so the second thing we talked about was, again, you know, we like to, we talk about things like oas. This one we talked a little bit more about MITRE. If you don’t know, MITRE just came out with version 19. They split the defensive evasion tactics into two different ones, stealth and defense impairment. So it’s worth kind of thinking through when you talk to your society. How is the best industry model, in my opinion, on threat modeling? How are we thinking about that? How should we update our SOC defenses and our analytics based on this? Is it something we want to pay attention to? There’s now, we’ve talked before about the ATT&CK framework, which is, you know, against enterprises. They now have the ATLAS framework, which is against AI inferences.
And as always, MITRE has a great section on threat groups where you can tie a specific threat group, you know, APT, you know, pick your number and what methodologies they use, which is great to use with your red teams.
Swapnil Bhartiya: When it comes to financial services, they’re already one of the most heavily regulated industries. What is emerging on the regulatory front and how is it shaping security strategy? Of course, we can talk about a lot of activities that are going on Europe, CRA is coming up, a lot of other acts are also coming up here. But in general, what are you seeing when it comes to financial industry, AI, API and improve the security strategy there in this specific sector?
Steve Winterfeld: Well, you know, I live in Colorado. Colorado is one of the first states to come up with an AI law. Like most AI laws, the laws are trying to again, focus in on what kind of an impact the AI is having. Again, me talking to AI about what kind of a disc I want to buy is not something that needs to be regulated. But if I were going in to get a bank loan, then that kind of impact is where they want to make sure there’s not discrimination. They want to make sure that it’s done correctly. And so within the United States, we don’t have a federal law for privacy or really much around, you know, those kind of things. So within this, we see the New York has one of the better sets of financial laws. Their cybersecurity regulation is moving into the enforcement phase. And so we’re going to start to see what kind of cases and penalties are brought there. Europe a lot more mature in the financial sector. You’ve got DORA for privacy, NIS2 for banking, I’m sorry, GDPR for privacy. And so GDPR alone we’ve had fines exceeding 6.7 billion euros as of 2025. And DORA is against resiliency, not privacy. And so we’re seeing those implemented on the AI side. We see the EU AI Act is out there now. It has an August 2, 2026 deadline for high-risk systems. Again, credit scoring, behavior profiling, those things where they’re interacting and making decisions around customers. So continued effort around that. We don’t see as many regulations aimed at APIs right now. There’s some embedded within other regulations, but no standalone API regulations really.
Swapnil Bhartiya: Last time, we of course talked about the whole post-quantum readiness. When it comes to AI, API, as you said, not yet. What kind of discussions are going on when it comes to the whole regulatory or policymaking sector where they are looking at these potential threats, where they want to build frameworks to protect from. It could be AI, it could be API or other emerging threats.
Steve Winterfeld: I think most of these regulatory bodies are trying to focus in on where there are true impacts against the population, where we’re, we’re, our finances are at risk, our privacy is at risk, our safety is at risk within healthcare. And so you’re seeing, you know, the regulations aimed at HIPAA, aimed at healthcare, you’re seeing a standard like credit card protection in PCI aimed at, you know, commerce, you’re seeing a number aimed at finance. So I think what we’re trying to do is focus on those industries we consider critical. In the United States there are 16 verticals that are considered critical, you know, everything from energy to those I just mentioned. And so that’s really where I think the regulators are trying to ensure that they’re doing the right thing to protect the populations.
Swapnil Bhartiya: Now these reports, they play a very critical role in informing, educating users. When cyber leaders look at a report like this, how should they actually use the data in a practical way so they turn insights into actions?
Steve Winterfeld: So for me, the first things I like to do is where I see, you know, a dramatic increase in, and take the example of DDoS or APIs, a dramatic increase in bot activity, dramatic increase in the length of an attack, the duration of a DDoS attack. Then I want to go look at my security capabilities and make sure that my current capabilities are able to defend against the latest, you know, TurboMirai scope and duration of attack. And if not, then I’ve got to make a decision, do I put more budget into that or do I go and communicate to the board that risk and make sure the board wants to accept that risk. And so those are the first things I kind of do is say is do I need to readjust my portfolio of risk? The second is a lot of this is around understanding what the criminals are doing. So as I look at some of the more technical aspects of the report, then I want to go in and say, okay, how many incidences of API security have we had? And if we’ve had zero API incidents, and I know the industry standard is 96%, then I’m worried about is my reporting accurate, is my visibility accurate? You know, and so that’s kind of a validation check. API, again, looking at the API stats in here, and if mine don’t kind of correlate, and again, this is a finance report. We did a global report. But at the end of the day, you know, if, even if I’m not in finance, it’s important for me to go look, you know, and say, what is here? Finance is usually in the top three for most kind of attacks. Commerce is usually in there. Different industries fall at different levels. But it’s a good look. The generative AI stuff, I think what we want to look at here is, you know, where am I in my strategy development? I’ve got to protect my employees’ use of AI. I have to protect my buying capabilities that have AI embedded in it. And I need to protect where I’m offering AI as a capability to my customers or clients or patients.
And as I look at all this, this is a great report to help me kind of understand what kind of aspects I need to bring into that strategy. And the last is, you know, DNS is easy to overlook. We really did a great report. The guys on the team that dug into this around DNS, there’s some stats on the most common errors, and there’s a great checklist to use to make sure you’re not leaving a gap in your DNS program.
Swapnil Bhartiya: If you were advising a CISO or security teams based on this report, what should be their top priority right now?
Steve Winterfeld: So I think it is ultimately making sure you’re closely tied into your business transformation. You know, I’ve got some partners we work with that are really into transforming, but it’s still mostly APIs. I have others, the smaller banks that really aren’t doing a lot of transformation. And then I have some banks that are all in on AI. And so as you look at where your business is going, that’s where I would focus. Because if they’re headed into APIs or you’re in APIs and continuing to expand, then absolutely that’s where you need to focus. Because as people move fast in transformation, you know, we don’t have mature security guardrails are. My security staff may not be experts in how to protect against agentic AI. So I need to do a lot of training to make sure I have the right skills, and I need to make the right tools. You know, agentic AI needs a different set of tools in large language. APIs need a different set of tools in large language. Traditional web pages need a different set of tools and APIs. So my advice is closely link up with where transformation is and embed yourself in that transition so that security is moving at the same speed.
Swapnil Bhartiya: Steve, once again, thank you for joining us and for sharing these insights on the latest cyber attack trends shaping the financial services sector. And, of course, as usual, I will encourage viewers to go check out this report and also pay attention to what Steve is suggesting here. Thanks for watching, and I’ll see you in the next video. Thank you.
Steve Winterfeld: Thanks. Stay vigilant.





