Why Financial Services can’t Ignore Cyber Security Risk

Cybersecurity is the Biggest Concern & Threat

Cyber Security risk has made it to the Number #1 biggest operational risk for organisations (large and small) across different sectors of the financial services industry, according to an annual study that Risk.net carries out by surveying operational practioners across the globe. Their study found that data loss through cyber-attack, and the awareness that current defenses are vulnerable, made operational risk managers, and no doubt their company bosses, very nervous.  The current General Data Protection Requirements (GDPR) heightens their concern and this is what propelled cyber security risk to number one position. Number #2 biggest risk is also related to cyber security and is the risk of IT disruption.  The threat of cyber criminals infecting an organisation’s systems to cause outages, and therefore significant business disruption.  Their motive can have many different dimensions, for example:

1. Ransom – to extort hefty ransom to bring the systems back live again;
2. Espionage – hackers could be employed by unscrupulous competitors to put strain on a firm and hence make it less competitive or even put it out of business; and
3. Nuisance – hackers bring systems down, just because they have the skills to do it or to get noticed among a network of underground hackers.

  Financial services seem to be increasingly under threat from cyber criminals.  Some high-profile examples of cyber-attacks include:

• Zaif, Japanese Cryptocurrency Exchange was reportedly hacked, and cyber criminals managed to steal $59 million (6.7 billion Yen) worth of cryptocurrencies belonging to the firm and its customers.
• Equifax, the credit referencing agency, reported that up to 400,000 British and 143 million US accounts were compromised in a data breach perpetrated by cyber hackers.  Apart from personal information, hackers also stole credit card numbers of more than 209,000 customers.
• JP Morgan, global bank, reported a data breach in 2014 affecting 7 million businesses and 76 million householders and exposing contact details and the bank’s system details, which could make them vulnerable to future attacks.

  Cyber security risk is now the biggest concern for operational risk managers and executives of banks, insurance firms, wealth managers, Fintech players and other types of financial services providers.  Apart from disrupting the business and causing financial and reputational damage, when not managed appropriately, organisations can expect to, rightly, face a heavy-handed approach from their regulators.  

Regulators Crack Down on Firms who don’t take Cyber Security Risk Seriously

From 2017 to 2018, there was a 480% increase in the number of data breaches reported to the regulator, the Financial Conduct Authority (FCA) according to the law firm RPC.   Retail banks were the biggest culprits, experiencing the highest increase, from 1 reported in 2017 to 25 reported in 2018.  General insurance and protection firms however had the highest number of reported breaches, totaling 33 incidents. Tesco bank was fined a staggering £16.4 million by the FCA in 2018, for failing to exercise due skill, care and diligence in November 2016, in protecting its personal current account holders against a cyber-attack.   Cyber attackers exploited weaknesses in defenses and netted £2.26 million from current account holders of the bank.  In a statement, the FCA said that it “has no tolerance for banks that fail to protect customers from foreseeable risks”. This was FCA’s first fine in respect of a weak defense against cyber-attacks.  No doubt, more fines will follow as the number of data breach reports increase. In April 2018, FT found that UK retail banks, including Santander, Royal Bank of Scotland, Barclays and Tesco Bank, had to limit or shut down their systems after sustained cyber-attacks that cost them hundreds of thousands of pounds to remedy. Other notable regulatory fines for cyber security weaknesses include Anthem, US health insurer, fined $16 million by US Department of Health and Human Services, Office for Civil Rights, for a breach in 2015 impacting 79 million of its customers.  To top the fine, Anthem had to pay a further $115 million in a class action brought by the people whose information was compromised.  

Digital Transformation & Fintech Exacerbate Cyber Security Risk in Financial Services

Financial services are undergoing a digital revolution.  Fintech (financial technology) based newcomers disrupted the once unshakable financial services market, bringing better, cheaper and faster products and services to consumers. Banks and other incumbents responded to this competitive threat by themselves embarking on largescale digital transformation programmes.  Technological innovation also helped these incumbents come up with new ways of saving costs.  For example, replacing branches with online applications where customers can carry out all their banking financial transactions. Digital transformation at incumbents and Fintech, brings significant opportunities for creating new disruptive markets, delivering operational efficiency and significantly improving customer experience. However, it also brings the biggest threat of the same digital channels being attacked by cyber criminals, disrupting operations and more importantly, the relationship of trust that financial services firms build up with their customers. For a Fintech firm, cyber security poses even a bigger challenge.  These smaller newcomers don’t have the financial muscle to buy their way out of the after effects following a cyber-attack (for example, remediating systems, paying regulatory fines and lawsuit claims).  Customer trust is also fragile in Fintech firms, and it takes only a small data breach or fraud for customers to lose trust en masse, and defect back to the safety of incumbents. Knowing what is at stake, cyber hackers seem to be increasingly targeting financial services firms, as is evident from the number of reported data breaches (of course, this increase can also be explained by more firms now coming forward, compared to the past). After all, if someone wanted to steal money, where would they go and commit a crime?  Naturally, where the money is.  This could explain the increase in cyber-attacks on financial services, as hackers awaken to the opportunity this sector offers.  These institutions also hold an inordinate amount of intimate personal information which could be very valuable, and hence sold by cyber criminals to the highest bidders. According to a recent study by Generali and Identity Theft Resource Center, financial services firms are reportedly hit by security incidents a staggering 300 times more frequently than businesses in other industries.  

Impact of Cyber Attacks

As the above cases demonstrate, an actual attack can have large scale ramifications for financial services institutions.  Many smaller players may never be able to recover, and large incumbents could significantly lose revenue, profit and market share.  Cyber security incidents are now very likely in financial firms, and when this risk materialises, there is an array of impact scenarios, including:

1. Financial loss resulting from regulatory fines, lawsuit claims, remediation and reimbursement to customers can amount to a significant proportion of revenue.    IBM sponsored a study by Ponemon Institute which highlighted a global average cost of a data breach is around $3.86 million per firm per incident.
2. Reputational damage could see customers fleeing to competitors, having a significant negative impact on revenue.  Reputational damage also erodes the market’s confidence in the firm, wiping out a large chunk of stock market value for listed firms and market value for unlisted firms.
3. Curtails growth as management is engrossed in dealing with the cyber-attack after the fact (“closing the door when the horse has bolted”), instead of focusing on growth strategies.  For smaller financial services firms, they may face many obstacles in raising funding, as investors don’t like backing a firm that is vulnerable to such a big threat.
4. Harm customers by exposing their private information to cyber hackers.  Armed with this information, criminals can embezzle funds out of customer accounts, blackmail corporate customers by acquiring sensitive information, and expose businesses to competitive threats if they sell trade secrets to rivals in the same industry.
5. Result in job losses because the attacked firm is forced to spend money to try and recover from the attack.  The extra expense is funded by cost cutting in other areas of the business.  Job cuts is the first strategy in any cost reduction exercise.

It is evident that a cyber-attack, if sufficiently material, not only impacts the firm who is victim to it but has a wider negative impact on the entire economy.  

However, Being Able to Manage Cyber Threats Becomes a Competitive Advantage

There is an increasing threat of cyber risk.  The problem is just going to get worse, as cyber criminals themselves use digital innovation to perpetrate large attacks.  It is evident from the evidence presented above, that financial services firms are one of the prime targets. For those financial services and Fintech firms that manage to proactively win the war on cyber-crime, there are many benefits to be had. Firstly, customers will trust firms that are better able to protect their customers from hackers.  Leading firms may manage to win over customers every time their rivals are hit by a cyber-attack (flight to quality).  Senior executives in leading firms can focus their efforts on devising strategies for growth rather than get bogged down in regulatory scrutiny, law suits and remediation following an attack. Shareholders will back those firms that demonstrate that they are better able to manage cyber threats.  Relative to weaker competitors, profitability should increase as leading firms don’t have to spend an inordinate amount on remediation and compensatory expenses.  

How can Financial Services Firms Proactively Address the Growing Cyber Security Risk?

The right governance arrangements, a cyber aware organisational culture, process controls, and better staff training are all strategies that are advocated by many experts on how best to manage the threat of cyber risk. All great advice, however, let’s face it, cyber criminals develop new threats at the speed of light.  How long would it take a bank to get governance right, or embed the right cyber aware organisational culture, or train staff, etc.  For incumbents, it’s like moving a tanker and can take months if not years to get the right results. I’m not saying that these components are not important.  Absolutely, they should be part of a medium to long term strategy in the defense against cyber security risk.  As the saying goes “Prevention is Better than Cure” The best way to defend against a cyber-attack is by preventing it in the first case.  Given its digital nature, human intervention is less effective in detecting such threats.  The very technologies that exposed the financial services sector to the risk of cybercrime, must now be deployed to proactively defend against it. Artificial Intelligence is a much bandied about term in the world of Fintech and Digital Transformation in the financial services sector.  It is a technology that can be used to get computers to identify a threat before it even has a chance to get close to your IT systems?  Bear in mind that this is just one tool in a growing arsenal of tools available to organisation to fight this number one risk. Much like the immune system, artificial intelligence-based algorithms embedded in your IT systems could detect a threat and neutralise it or at least alert key personnel, before the threat has the chance to materialise.  Such a technology could effectively create an invisible shield around your organisation and silently keep out any threats. Naturally, false positives are going to be picked up, and it is in this context that human intervention is needed to teach the system over time, what is an actual threat and what is a false report.  In this case, it is crucial to work on governance, training and culture in parallel to the automated defense system. The IBM study mentioned above, reported that on how quickly an organisation can identify and contain data breach incidents and limit their financial consequences.

• The mean time to identify was 197 days
• The mean time to contain was 69 days
• Companies that contained a breach in less than 30 days saved over $1 million vs those that took more than 30 days to resolve.

This study also found that the average cost of a data breach reduced by $1.55 million (from $4.43 million to $2.88 million) for organisations that fully deployed security automation.  Imagine the financial savings if the threat could be identified and resolved within days or minutes! Vedanvi partners with some of the world’s best cyber security solution providers and in partnership, we can help you tackle the growing cyber security problem using digital technologies, in parallel to making sure the organisation is geared up operationally and from a people perspective to holistically and proactively prevent attacks. Get in touch to discuss how we can jointly help your organisation in defending against this number one risk. Call +44 203 102 6759 or email info@vedanvi.com