Cyber risk has evolved as a major threat to the financial industry in recent years. While the internal risks associated with process and system failures have traditionally been dominant, external threats in the form of ransomware attacks, data breaches, and business disruptions are more significant and widespread today than ever before.
With the growing popularity of internet banking and card payment systems, cybersecurity is a profound concern for banks on the road to digitalization. Vulnerabilities in banks’ cyber infrastructure have been repeatedly exposed, particularly over the past decade or so. From prominent central banks to small commercial banks around the world, victims of cybercrime have lost millions of dollars and crucial data to hackers.
Banks have been a top target of cyber criminals owing to their huge stores of cash and possession of sensitive consumer data. A recent survey by a US-based IT security firm has found that websites of banking and financial institutions are more vulnerable to getting hacked than those of any other industry. While the majority of such attacks are successfully fended off by banks’ cybersecurity apparatus, successful intrusions into the bank’s systems can put critical data at stake. This can have serious repercussions, not just in terms of financial losses and regulatory sanctions, but also reputational losses, as banks rely heavily on the trust of their customers.
Over the past decade, data breaches and fraud have been the most common forms of cyber attacks on banks, although business disruption is also prevalent. In 2014, it emerged that 20 million bank accounts had been hacked in South Korea over the course of several years. An American credit company, Equifax, revealed in 2017 that it had suffered a cyber attack over the course of several months, which had resulted in the breach of 200,000 credit cards’ data, in addition to the personal information of 143 million customers across three countries.
In 2014, phishing emails were circulated indicating that FIB, Bulgaria’s largest domestic bank, was experiencing a liquidity shortage. This unusual form of cyber attack caused a bank run at FIB, and 10 percent of the bank’s total deposits were withdrawn in a single day. In 2012, the websites of Bank of America, PNC, JPMorgan, US Bancorp, and Wells Fargo were simultaneously targeted, while seven major financial institutions of Norway suffered a cyber attack on a single day during 2014. According to the Financial Times, cyber attacks on fintech firms have led to losses worth USD 1,450 million due to fraud since 2013.
In response to the persistent cyber threat, many banks in recent times have enhanced their spending on cybersecurity. According to a Deloitte survey, the largest global banks spent up to USD 3,000 per employee on cybersecurity in 2018, while Kaspersky Lab estimates the cybersecurity cost per employee at over USD 1,400 for the financial services industry in general. Banks are increasingly collaborating with startups that are investing in data security and threat intelligence, while strengthening their monitoring of third-party networks and shared banking systems.
As a cyber risk mitigation technique, experts have called for raising the cybersecurity profile beyond IT, with particular emphasis on the involvement of the board of directors and top executives of the bank. The security guidelines issued by central banks often call for the formation of separate board and management committees to oversee all cyber-related matters of the bank. Cybersecurity must also be more closely aligned with the business strategy of the bank. As the bank introduces new products, services, and applications, and moves into new geographical regions, the cybersecurity considerations for such expansions should be properly accounted for.
Improving cybersecurity hygiene could at times prove more fruitful than spending big on new equipment, particularly for smaller banks with relatively small cybersecurity budgets. For instance, practices such as patch management of devices and applications, better password management, penetration testing, and vulnerability assessments should be effectively implemented.
Banks must also be proactive in dealing with the human dimension of cyber risk. Awareness campaigns and training can go a long way in averting various types of cybersecurity issues. In countries where financial literacy is low, customer awareness about key cybersecurity threats is crucial. Various communication channels, including emails and SMS, must be employed by banks to warn customers against sharing their passwords and other confidential data with anyone, including bank employees.
With the recent advancements in fintech, the financial industry will inevitably experience faster rates of digitalization in the years ahead. Central banks are increasingly exploring the domain of digital currencies while commercial banks are starting to think of themselves as “an IT company with a banking license”. The journey ahead requires banks to adopt a robust cyber strategy, and ensure its implementation at all levels, to be able to smoothly embrace the transformation to digital banking.