Counting the cost of cyber-attacks

Text size

This is a sponsored article from Jupiter Asset Management.

The cost of trying to prevent cyber-attacks may seem daunting to banks. But the price of suffering a serious attack can be far greater.

Some things in banking never change. Asked almost 70 years ago why he robbed banks, legendary bandit Willie Sutton reportedly replied: “Because that’s where the money is.”

Fast forward to 2019 and Paul Taylor, UK head of cyber security at consultancy KPMG, offered a similarly pithy explanation for why criminals insist on hacking into financial institutions, saying: “They like to go where there’s lots of money.”1

The only real change is that, since Willie Sutton’s day, hacking tools and computer viruses have replaced pickaxes and dynamite as a way of parting banks and their shareholders from money and client information.

No matter how deeply and securely vaults are buried in bank headquarters, they cannot always stop cybercriminals – often in faraway locations and operating with the tacit compliance of hostile governments – from draining bank accounts and accessing millions of usernames, passwords, and credit card details in a matter of minutes.

And the risks have grown exponentially over the past decade to the point where cyber security is now seen by banks as the greatest threat they face, far ahead of credit risk and staying on the right side of the regulators.


Source: Bank chief risk officers’ priorities for the next 12 months from the EY 2018 survey of chief risk officers.

What is a cyber-attack?
Cyber-attacks come in all shapes and sizes. The three most common types seen today are:
• Malware (infecting computers with harmful code)
• Phishing (sending apparently genuine emails to clients to obtain their personal data)
• Web-based attacks (introducing malicious software within PC browsers)

One or more of these attacks were experienced by at least 75% of worldwide financial institutions in 20182.

To make things worse, banks also suffer collateral damage in attacks on other types of businesses that take online payments.

Hacks into companies in the travel sector, including British Airways and the Marriott hotel group, saw the names, addresses, and payment card details of millions of customers stolen.

In other words, even if banks put their own houses in order, they still remain as vulnerable to cyber-attacks as their least secure clients.

Counting the cost
The financial damage to banks and other financial institutions can be immense and falls into three broad areas.

Direct impact
This covers categories such as business disruption and information loss.

If building computer networks become infected with malware, the immediate response is to shut the site down, send people home, and try to isolate the attack before it spreads to other parts of the business. Routine business processes simply grind to a halt for as long as it takes to fix the problem.

Fines and sanctions
The second cost comes from the increasingly close scrutiny being paid by regulators around the world to data security breaches, whether by banks or other businesses.

The European Union’s new General Data Protection Regulation (GDPR) is probably the world’s toughest governance of its kind and allows for massive fines to be levied on infringing companies, as British Airways and Marriott have already discovered to their cost.

Loss of reputation
Finally, there are the intangible reputational costs that come with data breaches. A centuries-old tradition of probity and security in looking after people’s hard-earned money can be dismantled in the blink of an eye by a major data breach.

Social media can spread news of the cyber-attack – not always accurately or fairly – to exacerbate an already bad situation.

A non-malicious IT meltdown at Britain’s TSB Bank in 2018 quickly attracted phishing attacks from criminals pretending to help worried clients and led to an estimated 80,000 account holders moving their money elsewhere.

How can banks fight back?
Cyber-attacks will remain a constant threat. However, there are three key steps banks can take to minimise, if not eliminate, the potential havoc they wreak on their businesses.

Knowledge in the boardroom
The first strategy must be to get technologically-savvy talent involved in running banks at the highest level. Traditionally, bank board members rise to the executive suite through their abilities to expand retail and commercial business and improve investment balance sheets.

A startling 2016 report from Accenture3 found only 3% of CEOs and 6% of board members at the world’s 109 largest banks had any professional technology experience. Nearly half of the banks had boardrooms whose members were entirely devoid of any technological know-how.

The message seems to be getting through, however, with more banks now running regular cyber-attack simulations for board members to show them the potential consequences of an assault before it happens.

Own the IT
The second worthwhile line of defence is to take full ownership of the IT security infrastructure. A long-standing trend in many banks to save money by outsourcing IT security is now increasingly being seen as a false economy.

However competent the facilities company is, its employees will never hold the same commitment to the reputation of a bank as an internal team.

Take care of your people
Arguably, the banks that will be most successful in fighting cybercrime will be the ones that recognise technology always begins with people. That could mean training staff to follow strict protocols in areas as simple as changing passwords regularly to make external breaches less likely.

It also means making sure employees within the bank do not sabotage the IT network for financial again or personal spite. No form of cyber-attack is closer to home than the malicious insider assault – but as the Accenture report highlighted, it is also the most damaging and expensive type of offensive to recover from.

Read more: https://bit.ly/2Ql3a3a

1 Financial Times 25 March 2019: How to protect your institution from cyber attack
2 Accenture 15 July 2019: What will cybercrime cost your financial firm?
3 Accenture 2016: Bridging the technology gap in financial services boardrooms

For Hong Kong retail investors: This document is issued by Jupiter Asset Management (Hong Kong) Limited and has not been reviewed by the Securities and Futures Commission. You are advised to exercise caution. If you are in any doubt about any of the contents of this document, you should obtain independent professional advice. This document is for information only and is not an offer to sell or an invitation to buy. In particular, it does not constitute an offer or solicitation in any jurisdiction where it is unlawful or where the person making the offer or solicitation is not qualified to do so or the recipient may not lawfully receive any such offer or solicitation. It is the responsibility of any person in possession of this document to inform themselves, and to observe, all applicable laws and regulations of relevant jurisdictions. The information and any opinions contained herein have been obtained from or are based on sources which are believed to be reliable, but the accuracy cannot be guaranteed. No responsibility can be accepted for any consequential loss from this information.

For Singapore institutional investors: No information in this document should be interpreted as investment advice. Every effort is made to ensure the accuracy of the information but no assurance or warranties are given. If you are unsure of the suitability of this investment please contact your Financial Adviser. It is not an invitation to subscribe for shares of Jupiter managed funds.

This is a sponsored article from Jupiter Asset Management.

Related Tags

Company