Cybersecurity is a growing risk area for all businesses at the moment. In particular, over the past year it has become glaringly obvious that there are a number of gaps in cybersecurity protection and infrastructure when it comes to the banking sector. 2016 saw an increased number of cybersecurity attacks in the banking industry, and they have not shown any signs of abating. The risks are prevalent across all areas of the sector—with banks both large and small suffering losses from cybersecurity breaches. An increasing amount of banking takes place online. Banks can offer increased access and convenience to customers because of this digitization; however, this has also opened the door to increased online security risks—from numerous types of attackers that can include insiders, various levels of thieves, people with political agendas and other third parties. Customers and stakeholders are left wondering, how will banks address the gaps in cybersecurity?
Understandably, at numerous banks and financial institutions, chief risk officers have identified cyber-threats as their top priority for 2017. This issue has been moved to the forefront of bank-board meeting agendas, and senior managers must act fast to mitigate these growing threats to banks. Technological skill and access to resources for attackers have been growing at a faster pace than the defence-mechanism efforts have been enacted by banks. This needs to be tackled head-on in 2017 in order to get ahead of the problem.
Cyber-attacks can take on many forms—most commonly the attackers are seeking to acquire capital as well as confidential data and sensitive information. Based on the number of recent attacks, it is fair to estimate that many banks are unprepared to deal with major cybersecurity attacks and need to address their financial-crime security efforts across the board. 2017 will first and foremost be a year for assessing the extent of the gaps in cybersecurity. Before being able to devise a strategy or solution to close these gaps, banks need to tackle the challenge of identifying the gaps themselves—they must apply an intelligence-based approach in order to devise a comprehensive strategy. This in itself will be a significant task that will require the application of cybersecurity-skilled specialists.
This leads into the second major step most banks are likely to take in 2017 when it comes to cybersecurity preparedness—using external teams of cybersecurity experts and even developing internal cybersecurity departments in their own right. The number of cybersecurity businesses has been growing at an increasing pace to meet accelerating demand in this high-priority area—seeking to meet the needs not just of those in the banking sector but in every area of personal and business life as it is increasingly based online.
2017 will also be about accepting the importance of making the necessary security changes and will involve the allocation of significantly larger resources to IT (information technology) departments and initiatives—both in terms of capital and manpower. Cyber-threats have the power to wipe out huge swathes of business value in a matter of moments, and banks need to address the gap in IT budgets in tackling this growing risk. Radical change needs to be made. One way of incorporating cost-effective solutions will be by enlisting the help of specialised external cybersecurity teams. The traditional approach to IT solutions and tools is not going to be enough to tackle this problem, which changes shape every moment. Skilled expert knowledge will be required to effectively tackle the fast-paced dynamics of cybersecurity threats—and even then because of the speed of technological development, it will be hard to keep up. The best shot will come from applying the attention and skill of the best expertise.
Although the chief risk officers of many banks have identified cyber-threats as a primary concern for 2017, it will be down to the chief information officers—and in some cases, chief security officers—in these institutions to oversee the changes required being put into place most effectively. These three senior roles, although far up the hierarchy, will need to be more comprehensively trained in cyber-risks and the relevant technology so that they can lead from the top when enacting change to fend off attacks. They will also need to be more knowledgeable in the area of banking security. These changes will be another vital step in addressing cybersecurity gaps that are risks at all levels and in all departments of a bank’s infrastructure. Another crucial factor that senior banking executives need to take on board is understanding that cybersecurity risks stem from a wide range of external sources. It is a common misconception for banking executives to believe there are a limited number of threat sources—which is leading to unidentified sources of risk. For example, geopolitical risk is a growing cybersecurity threat that few banks factor into risk processes to a significant enough extent.
A further step banks will need to take to address gaps in cybersecurity is that of improving responsiveness to cyber-attacks. In addition the responsiveness of dealing with the period of time after a cyber-attack needs to be enhanced—as banks can lose a lot of money and customers during down time incurred following a cyber-attack. Banks need to apply processes to maintain a normal course of business more effectively—identifying and isolating cyber-threats more smoothly.
An effective cybersecurity strategy will involve devising a combination of defence, assurance and resilience. Although outsourcing cybersecurity can be of huge benefit, there needs to be a radical change of mind-set across the banking operational infrastructure in tackling cyber-threats comprehensively. Cybersecurity should be applied as a reported metric—with an expectation of a certain standard on all levels, departments and projects. It is not as simple as signing a contract with a cybersecurity firm or buying their suite of tools. A standardised, systematic approach should be set in place so that each attack is not treated with an ad hoc procedure but with a pre-determined action plan that has pre-allocated roles and responsibilities in the event of cyber-attacks.
Banks have invested significant amounts of cybersecurity spending over the past few years. However, the risk exposure has been growing at a faster pace than this investment. In other words, the gap between the investments in technology, labour and processes designed to mitigate cybersecurity vulnerabilities and relevant threats is widening. In 2017, banking executives are preparing to invest in improved system protection, enhanced hardened encryption and devices, and greater intelligence gathering when it comes to addressing the gaps in cybersecurity. Going forward we can already identify one new area of cyber-threats from the increased adoption of the “Internet of things”—which will connect data, devices, people and organisations online far more than ever before.
Banks will need to make cybersecurity a high priority for 2017 in order to keep up with competitors and fight for business and investment. Customers and investors want assurance and confidence that they are dealing with a secure bank and will divert their funds accordingly. In addition, banks need to be able to continue normal business operations with fewer breakages and system failures. When banks take these market factors fully on board, they can better understand the true value of investing proper amounts of time and money into cybersecurity efforts. This will lead to overall enhanced profitability and stability for the individual bank as well as for the banking industry.
FFB is a not-for-profit platform that engages different types of financial institutions of the country; assist them in their journey to reach next level