Increasing digitization and interconnectivity are driving a rising tide of inherent cyber risk that is particularly high for banks, with a total of $11.3 trillion in rated debt outstanding, according to a Moody’s Investors Service report published Thursday.
According to the report by Bank Innovation, the risk assessment is based on how reliant a sector is on technology and how much financial risk there is if it’s attacked. It doesn’t take into account cybersecurity defenses like insurance, firewalls or system backups that individual firms might employ.
The Moody’s report said both large and small financial institutions are subject to attacks that can have a material impact on financial profiles and business prospects.
“Smaller institutions with fewer resources and less developed risk-management infrastructure could be more exposed to attacks and less able to mitigate the risk,” the report said. “However, large institutions are at greater risk of sophisticated cyberattacks designed to steal or manipulate data, to create significant operational disruption, or simply to generate negative publicity.”
Approaches to cybersecurity vary widely across banking, depending on such factors as the size of the institution, its tech stack, and in-house capabilities. Meanwhile, no more than one-third of financial services executives consider their institutions to be “extremely” or “very effective” in any aspect of risk data strategy and infrastructure, advisory firm Deloitte’s recent Global Risk Management Survey found.
Hakan Nordfjell, head of digital banking at Netherlands-based security firm Gemalto, told Bank Innovation the key to security is layers of defense and access to a wide range of options. But the cost can be a barrier.
“Having quite a wide portfolio is crucial to be relevant in this space,” he said. “We have numerous competitors, but they are usually a point solution, so they are an expert in a part of authentication, or in onboarding, or on the fraud backend. But the banks need much more than that.”
Nordfjell said it’s no small task when large banks want to build their own solution.
“You might need to take on seven different types of companies and then you need to make all the glue yourself,” he said. “It’s not that they cannot do it. It’s just that it’s not where they want to spend their money. They want to spend their money on business applications, not to make the glue for integrating many, many small players.”
He said Gemalto is able to do the gluing for banks and provide an array of pre-integrated solutions.
Of the 300-400 employees in Gemalto’s digital banking unit, Nordfjell said there are close to 200 in research and development, in order to stay ahead of the curve on technologies that can be used to protect, and attack, clients.
“This industry is evolving very quickly and you really need to put your efforts to stay ahead,” he said. “We know that fraudsters are always using the latest technology and they are also very smart guys. To keep up with them, we need to invest quite a lot.”
Software provider NICE Actimize launched an in-house financial crime consultancy, eCAP, in January, in order to help clients sort through new technologies and build roadmaps for operational compliance and cybercrime prevention.
Chad Hetherington, Global VP, Professional Services, NICE Actimize, recently told Bank Innovation that banks are looking to “future-proof” their financial crime investments. He said with data siloed throughout their organizations, banks often want technology that will reduce their spending around managing data.
“Financial crime and compliance costs within the FIs have been skyrocketing over many years and they’ve reached the breaking point,” he said. “Instead of spending on bodies and people higher up, now they’re spending on technology in order to be able to drive down all the operational costs they’ve had with regards to hiring people.”
Hetherington said when it comes to artificial intelligence and machine learning, banks can go out and try to hire data scientists, but it’s hard to find people who understand that technology and also understand banking.
“It’s not enough just to have great technology,” he said. “We’ve seen situations where some of our customers and prospects hired data scientists who were experts in the technology, but they weren’t getting the results they expected, whether they were trying to reduce false positives or trying to get a high detection rate.”
Hetherington said new payment platforms, payment rails and other entry points have presented additional challenges for banks, as they are often attacked as soon as they go online.
“They’re hit really big, really fast, and the FIs struggle with that,” he said. “We see it as a recurring event and, so, one of the ways we help advise and guide our customers is just learning from what others have done, and being sure they’re not making the same mistakes. It seems very basic but at the same time, history seems to repeat itself.”