Recently I was reviewing some material about cybersecurity which contained, among other things, an explanation of how thieves successfully used remote access Trojans and keystroke logging at bank ATMs around the world to steal customer information and ultimately rip off banks for tens of millions of dollars. I was familiar with the incident because we wrote about it in our 1st Quarter 2014 issue, but here’s the thing: I was about to deposit a couple of hundred dollars in checks and cash at one of my bank’s ATMs, and it made me stop and wonder if I should do that. I hadn’t been in a bank branch in a couple of years (and in fact rarely even use ATMs anymore), but I considered whether I should make the deposit in the branch instead to avoid putting myself at risk by using a machine that conceivably has been hacked.
Technology has had a transformative impact on banking over the last couple of decades—and the revolution actually seems to be accelerating with the explosive popularity of mobile access and new concepts like the cloud, and also the emergence of nonbank financial technology companies that rely almost entirely on technology for their user interface. The advance of technology in banking is exciting because of the cost and customer service benefits it promises to deliver, but this same technology has also become something of a Trojan horse (tortured metaphor intended) from a risk perspective. Cyberattacks are occurring with an increasing frequency that is alarming, and banks are hard pressed to keep up with the advanced tactics of the attackers. In fact, if we were to characterize this as an arms race between hostile parties—the banks versus the hackers—the banks are losing.
Eighty-two percent of the respondents to our 2015 Risk Practices Survey identified cybersecurity as the risk category they are most concerned about, compared to regulatory compliance at 52 percent, and credit quality at 37 percent.
Cybersecurity will have an important place on the agenda at our 2015 Bank Audit & Risk Committees Conference scheduled for June 11-12 in Chicago. Any bank board of directors that isn’t worried about its institution’s vulnerability to a cyberattack is asleep at the table. What should directors be doing to make their banks as safe as possible? The first step is to educate themselves on the nature of cyberrisk so they understand the threat well enough to ask good questions. This undertaking will be the very definition of continuing education because the threat is constantly evolving. Boards also need to make sure that they are spending enough money on cybersecurity. Fifty-two percent of the respondents to our risk survey increased their cybersecurity budget by less than 10 percent for 2015, and 21 percent saw no increase for the year—spending levels that probably aren’t enough given how quickly the threat is escalating. Cybersecurity should be a standing topic at every regularly scheduled board meeting so that directors gain an understanding of the topic while keeping themselves well briefed on the latest security developments at the bank. And the board needs to have an incident response plan in place for when a cyber intrusion does occur, because it’s simply a matter of when, not if.
As I write this blog, I still haven’t decided how I will deposit those checks and cash that I have. And that points to one of the most damaging effects of cyberattacks: They have the potential over time to erode confidence in a banking system that relies increasingly on technology. I have read comments of late from people who say they’ve stopped using their debit cards for small purchases, but use cash instead because they’re afraid of having their checking accounts drained if a hacker steals their customer information. That sounds like a step backwards to me at a time when banks should be helping their customers step forward with the help of technology.