Why cyber-risk should take centre stage in financial services

It feels as though cyber-risk has crept up on us without warning and with great intensity.

We have come a long way from the days when our Palm Pilots had to be hot-synced through a docking station and the occasional hazard was from viruses transmitted as email attachments. Over the years, we have embraced extreme connectivity combined with extreme automation in a never-ending drive towards convenience and cost-efficiency.

However, even as banks continue to nudge, cajole (and perhaps occasionally threaten) their customers towards impersonal e-channels, we learn about record amounts of losses from online fraud and theft. Furthermore, all of us – not just the specialists – are asked to act as conscription soldiers in the fight against this threat.

According to a report by Accenture, almost eight out of 10 business leaders believe that they are adopting new technologies faster than they can address related security issues. It also estimates that nearly $350 billion of value could be lost by the banking sector to cybercrime in the next five years.

Publicly-known examples across various sectors include the NotPetya cyberattack on the shipping group Maersk, the WannaCry attack on the UK’s National Health Service (NHS), the theft of reserves from Bangladesh central bank via the SWIFT network, and the hacking of confidential data from Sony Film Studios.

With more of our devices integrated through the Internet of Things (IoT) and more of our services provided by an assemblage of outsourced specialists, there are simply more points of entry for potential attacks or lapses. With a wide diversity of digital maturity, capability and ‘cyber hygiene’ habits amongs us, system resilience could be compromised by the weakest link.

At the same time, the backdrop for international cooperation amongst authorities appears particularly bleak. Back in April 2009, at the height of the global financial crisis, the G20 governments came together with a robust, comprehensive and effective plan of action. By contrast, with alleged state involvement in certain attacks, countries operate as “frenemies” with a guarded stance on cyber-related issues.

There is a conflict between the need for the seamless sharing of threat-intelligence on the one hand, and the desire to localize data within national borders on the other. There may also be cultural differences in attitudes towards citizens’ privacy vis-à-vis the state. Finally, cyberthreats appear to be highly dynamic as attackers harness digital tools with great agility. It is possible, for example, for quantum computing to make it easier to break current encryption methods.

This landscape of a rough neighbourhood coupled with a seemingly underdeveloped security apparatus at the international level poses new challenges of risk management for the financial services sector. A cyber event could trigger a loss of confidence, possibly through compromising the integrity of data on which the flow of finance relies. It could in turn trigger bank runs, liquidity freezes or jumps in market prices. Whether this develops into a system-wide crisis or not would depend on the prudential response of regulators, as argued by Jon Danielsson and others.

In the words of Catherine Bessant, chief operation and technology officer at Bank of America: “The threat is huge, and what makes it difficult for boardrooms is that it’s hard to model; it’s a risk where past is not prologue.”

Unlike credit risk or market risk, operational risk (of which cyber-risk is a subset) can be more nebulous in its framing. The exposure is quantified with reference to the probability distribution of the frequency of losses and, separately, the severity of losses.

Every step of the process requires data (internal and external), assumptions and subjective estimates made by a risk committee. That is why the qualitative aspects of the approach and framework are so important. As is the need to perform table-top war games.

Regulators expect institutions to build systems that are “secure by design”, with an emphasis on resilience against threats rather than compliance to a standard checklist. The roles and responsibilities of members of the board, senior management and other key posts must be articulated explicitly and without ambiguity. Staff in cyber-related functions must have the required capabilities. Some jurisdictions have implemented specific cyber-certifications.

There is ample spotlight on the contractual framework and governance of outsourcing activities, seeking to ensure that nothing falls through the cracks. Regulators are also keen to calibrate the regulatory burden to the size and significance of the service provider so as not to discourage innovation by fintech start-ups.

For large traditional banks, the organizational design and cultural slant towards cyber-risk is still a work in progress. Should compliance officers sit with operations or the legal department? Is there sufficient separation, communication and challenge amongst the ‘three lines of defence’? Does the chief information security officer (CISO) have the required seniority or stature within the organizational chart? Does she come from a technology, legal or crime-enforcement background? Do the board and senior management appreciate that new products, markets or cost-reduction measures must be road-tested against their impact on cyber-risk, or is that an afterthought?

What are the norms of information sharing within banks, between banks, and between banks and regulators? Incident reporting from banks to regulators is mandatory in most places. This may include the requirement to submit a root-cause analysis and a post-mortem of lessons learnt. However, there are gaps in the other lines of communication: between regulators across jurisdictions, from regulators to banks, and amongst banks (possibly due to perceived stigma). According to a 2018 BIS report on cyber resilience, “full adoption of all types of information-sharing arrangements within a jurisdiction is still exceptional”.

Finally, banks need to continue to refine their taxonomy of controls, risk classification, indicators and a book of tangible items that can serve as metrics for their cyber-risk control environment. That dashboard could include items such as cyber-incident response playbooks, recovery plans, vulnerability scans to password and encryption policy to training statistics, near-miss events etc.

Unfortunately, cyber-risk is here to stay. The sooner we can adopt a shared language, a convergent framework and an elevated awareness of this risk, the better prepared we will be to strengthen our defence against and resilience to this risk.