Why Cybersecurity needs to be considered a competitive advantage rather than just damage control.
The Center for Strategic and International Studies (CSIS), a nonprofit policy research organization, last year together with McAfee published a report that put the annual cost of cybercrime at approximately $600 billion, or 0.8% of global GDP. That is a staggering figure, and it is unlikely to decrease any time soon; it is more likely to cross the trillion dollar mark. Why? Because never before has cybercrime operated on an almost industrial scale and been so easy to profit from. According to the report, “monetization of stolen data, which has always been a problem for cybercriminals, seems to have become less difficult because of improvements in cybercrime black markets and the use of digital currencies. Stolen credit card numbers and personally identifiable information (PII) are offered for sale in quantity on the dark web using a complex set of transactions involving brokers and other intermediaries in black markets. Financial theft is transferred to the criminals’ own bank accounts through a series of transfers intended to disguise and confuse. Intellectual property is either used by the acquirers or sold. Digital currency makes ransomware payments easier and less traceable.”
And because cybercrime is so profitable and so easy to monetize, it has become an attractive career, and the volume of activity reflects that: one major internet service provider reported that it sees 80 billion malicious scans a day, the result of automated efforts by cybercriminals to identify vulnerable targets.
As a consequence, cyber risks now top the lists of business risks for financial institutions. Some banks report more than 1,000 cyber attacks per week. John Chambers, the long-time CEO of Cisco, is credited with having said that there are only two types of companies: those that have been hacked, and those who don’t know they have been hacked.
At the same time, businesses always try to keep IT costs as low as possible while getting as much out of them as possible. With IT costs at all-time highs, the question of benefit and return on investment for these expenditures is always raised. Yet a proper allocation of costs, benefits and rewards is close to impossible, because the cost of a breach is not one abstract number: it depends on the size of the breach and on the time it takes to identify and rectify the problem. In most cases weeks pass between the intrusion and its detection, and often months: the average time taken by firms to detect breaches in 2017 was 175 days. And sometimes, to quote John Chambers, a breach still waits to be discovered.
Despite the growing awareness of this threat, the number of hacks that make the news increases rather than decreases. In October, the UK’s FCA fined Tesco Bank £16.4 million for failures in a 2016 cyber attack that occurred over 48 hours and netted the attackers £2.26 million.
But cybersecurity should not only be about damage control. The cost of a breach is the easiest and most concrete way to put a number on cyber risk. It disregards, though, that cybersecurity goes beyond risk control: it also concerns customer satisfaction and business generation. With the growing number of cyber attacks in mind, customers trust financial institutions not only to handle their data, and ultimately their money, with care, but also to protect it from unauthorized access by third parties. The proper management of cybersecurity and the resources employed for it contribute significantly to this trust. In times of increasing hacks, customers are more likely to vote with their feet when it comes to the value and security of their data.
For a financial institution this means facing the challenge of adequately addressing the operational, technical, financial and reputational aspects of cyber risk in its risk management framework. Comprehensive organizational measures have to be implemented and significant investments are required in order to continuously develop information security systems and processes. This concerns not only the IT department of a bank but the entire organization, as it is often the negligence of staff, for example in phishing attacks, that leads to a breach in the first place.
While dedicated regulation has been put in place or proposed by regulators around the globe to improve security standards, other regulatory initiatives like PSD2 actually contribute to the growing risk of cyber crime. PSD2 will lead to more access to accounts by third parties (account information services or payment initiation services), and it could well increase the number of attacks and fraud attempts through targeted phishing and social engineering, too.
Though the prospect of significant fines and reputational damage alone should put pressure on financial institutions, customer satisfaction could well be the decisive element in the FinTech race, and cybersecurity should be an important factor in this equation. Maybe that’s the necessary nudge.