After working hard to adapt to changes in private banking over the last 15 years – the disappearance of banking secrecy, the regulatory big bang, the introduction of Automatic Exchange of Information rules – it finally seemed that the industry could look ahead with confidence, focusing on development and digitalisation.
However, like Sisyphus, the industry can never rest, and its latest challenge is to combat cybercrime.
In fact, the challenge is not new at all, and is not confined to banking. However, it is growing all the time. In the last few years, cybersecurity has been the main concern of financial institutions’ Chief Operating Officers. According to an industry joke, there are only two categories of banks: those that have been attacked and those that haven’t yet realised they’ve been attacked.
Cybercrime, whether its aim is to misappropriate money or ruin reputations, poses considerable risks for all types of companies. But the threat is being taken particularly seriously by banks, whose business relies entirely on trust. When Tesco Bank was attacked in 2016, 40,000 accounts were compromised and half had money stolen from them. This resulted in the UK’s Financial Conduct Authority fining the bank £16.4 million for “failing to protect customers”. Since that first large-scale attack, the list of banks affected in Europe has grown to include Santander, Royal Bank of Scotland, Barclays, UniCredit, Bank of Valletta and Metro Bank.
Justified paranoia
The banking industry has entered an era of paranoia, with some justification. Web hackers have much more time and resources than their potential victims, however determined those victims might be to protect their IT systems. On the dark web, cybercrime has become an industry in its own right, with price lists, service providers and sponsors. This can be seen in the way attacks have grown in both number and sophistication. According to Forbes, in just the first half of 2019, 3,800 security breaches were made public, in which the security of 4.1 billion records was compromised.
This is the downside of the ever-more connected world that we have created. The number of potential pitfalls is increasing as technological innovation makes everything more interconnected. In the banking industry, in particular, it should not be surprising that clients want the immediacy, simplicity and efficiency now being made possible by electronic services. Yet the e-banking apps giving them that connection have themselves become a weak link in the system. Well-designed e-banking tools provide solid protection. But hackers will take advantage of any small crack, such as a delay in installing an update, to infiltrate devices.
Banks are spending increasing amounts of money to combat this multifaceted threat. They are customers of a rapidly growing cyber-resilience industry. As well as established software makers, we have seen a proliferation of new service providers, such as cyber-rating agencies that assess a company’s cyber risk on the basis of public traffic data. The resulting ratings are updated daily, forcing companies to make ongoing efforts to maintain a good score. At the moment, these cyber ratings are only accessible to institutional investors. But there is every chance that they will eventually be available to all, and will become a key criterion, like solvency indicators, that private clients take into account when selecting a bank. In the same way as banks must now provide practical evidence of their commitment to responsible investment in order to stand out, they will in future have to show objectively that they are making constant efforts to protect their own data and those of their clients. For the best banks, their cyber ratings will become a marketing tool.
Virtual Vault
Even then, to turn cybersecurity into a positive selling point, banks will have to raise awareness on an ongoing basis, both internally and externally. They must use their relationship managers’ close links with clients to make sure they are fully informed, particularly when setting up e-banking. After all, in a previous era, clients used to ask how secure a bank’s vault was. Today, therefore, it is natural that a bank should take the time to raise clients’ awareness of cyberprotection matters. Internally, as well as the need to ensure that their staff can be relied upon in order to minimise human risks, banks must raise awareness through information sessions, make regular assessments of how employees respond to “phishing” attacks (attempts to gain access to sensitive data through work e-mails), carry out penetration tests and simulate cyberattacks.
Today’s COOs are caught up in a number of technological revolutions, and most of them would admit that they need to remain humble in their efforts to combat cybercrime: no matter how effective the defences they build, it is impossible to eradicate all risk. But they also know that they cannot let down their guard when dealing with such a major challenge.
Ian Cramb
Chief Operating Officer