Board members and Chief Risk Officers (CROs) of banks and other financial institutions have identified cybersecurity as their top short-term (12 months) risk priority. This was revealed in the Tenth Annual Global Risk Management Survey conducted by EY (Ernst & Young) and the Institute of International Finance. Survey participants comprised 94 firms in 43 countries, with 23% based in Asia. Cybersecurity took the top spot for the third straight year, which is notable considering that it only surfaced as a risk concern in 2015. We see this as a result of rapid technology development and the wave of banks embarking on digital transformation journeys in the last five years.
The refreshed survey also affirmed cybersecurity as one of the major risks to anticipate in the next decade. Some of the key issues identified were concerns on industry-wide cybersecurity attacks, third-party security, cloud transition, and cybersecurity capabilities.
INDUSTRY-WIDE CYBERSECURITY ATTACKS
In the next five years, 80% of respondents foresee an industry-wide attack. This concern is attributed to three key factors: (1) constant cybersecurity attacks on banks and other systemically important financial institutions; (2) nation states that have exhibited destructive behavior using cybersecurity attacks; and (3) critical third parties that are regularly attacked, such as telecommunications and cloud provider companies. These issues have prompted recent government and private-sector initiatives that run cross-industry cybersecurity attack drills rather than isolated tests.
The survey also showed that 53% of respondents worried about their ability to recover operations after a cybersecurity attack. At the same time, 33% were concerned that customers would not be able to access vital bank services immediately after a cybersecurity attack.
These issues relate to another major risk identified as resiliency: the ability to deliver services to customers, clients and markets without disruption. An overwhelming 94% of respondents cited cybersecurity risk as their top resiliency concern, a significant increase from 80% in the previous year. This, in turn, has led to the rising trend of integrating resiliency into frameworks or functions such as cybersecurity and technology incident response, disaster recovery, and business continuity planning across business units. Integration is also seen in functions such as crisis management, crisis communication, recovery and resolution planning, and testing that includes simulations and tabletop exercises.
THIRD-PARTY SECURITY
Banks have long depended on third parties to provide core and support services, a trend that is expected to keep growing. However, third-party risk is also noted as a major risk in the next decade and described as the risk of operating in an ever-expanding ecosystem.
Cybersecurity is identified as the top third-party risk, with 56% of the banks surveyed echoing this sentiment. As banks fortify their own cyber defenses, we should note that third parties handling or processing the banks’ information will likely become bigger targets for cybersecurity attacks. Third parties are expected to have cybersecurity controls on par with or better than those of the banks. It is also interesting to note that banks are changing how they define critical third parties. Previously, third parties were evaluated based only on spending and financial impact, but now banks are also considering business continuity and resilience (66%), types of data and systems accessed (61%), and sensitivity of data used (54%).
This more holistic approach has led to some challenges for banks in handling the sheer volume of third parties that need to be assessed and monitored for their cybersecurity control effectiveness.
TRANSITIONING TO THE CLOUD
It is evident that cloud transition is the most effective means for banks to tighten cybersecurity, given the service’s promise of efficiency, reliability, and scalability. However, the security of customer information and of the banks’ data held in the cloud remains a big concern for most CROs (92% of respondents). This also poses a major risk in the next decade, despite the many cybersecurity controls and capabilities already established by cloud service providers.
Banks are also only moderately confident in their capabilities to operate in a cloud environment. We see that banks are keen to first establish their cloud security and risk frameworks prior to transition. There is also recognition of the differences between operating on-premises systems and cloud environments, highlighting the need for additional controls and capabilities.
CYBERSECURITY CAPABILITIES
The survey further showed that while the banks’ cybersecurity capabilities are mostly rated as “Managed” on a five-level maturity scale (ad hoc, repeatable, defined, managed, efficient), there is still the challenge of elevating cybersecurity to the next level.
Respondents were wary of cybersecurity capabilities such as data restoration (32%), cybersecurity incident response (30%), identity and access management (28%), and patch management (27%). They consider these key areas where banks need to improve. The capabilities must include employing a skilled and knowledgeable cybersecurity workforce. Capability issues are exacerbated by the inadequate number of qualified cybersecurity professionals on a global scale. While there is active movement of cybersecurity professionals between organizations, there is simply not enough new capable talent to help bridge the gap.
SECURITY IS ONLY AS STRONG AS THE WEAKEST LINK
Cybersecurity remains a formidable risk for banks to grapple with in both the short and long term. The challenge of improving the banks’ cybersecurity capabilities includes recognizing that security is only as strong as the weakest link. With the cybersecurity threat landscape rapidly and continually evolving, banks need to increase their vigilance and be more comprehensive in addressing cybersecurity risks.
This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the author and do not necessarily represent the views of SGV & Co.
Philip B. Casanova is an Advisory Partner of SGV & Co.