
AI is becoming increasingly critical for banks defending themselves against cyber attacks, a factor that is drawing interest from the regulatory community. By Justin Pugsley. 

What is happening?

Maybe one of the scariest things about cyber attacks and hacking is that the people who do it can do so very cheaply — often for free — on the dark web. To make matters worse, many of the attackers do so at no personal risk if they are based in countries beyond the reach of Western law enforcement agencies. 

Exasperation

Unlike other criminal activities, such as physically robbing a bank, cyber attacks are a very low-risk activity for criminals.

And it is a very unequal fight. Mounting an effective defence is becoming increasingly expensive for banks — it is estimated that some of the biggest institutions spend more than $1bn a year on cyber security.    

To give those defences an edge, many banks are turning to artificial intelligence (AI) and machine learning (ML). These tools can analyse data and pick out potential threat patterns at incredible speeds, and are vastly more effective at detecting routine attacks than humans.  

However, it is not just shareholders and customers putting pressure on banks to mount these defences, but increasingly regulators as well. 

UK regulators launched a discussion paper on AI and ML on October 11 in a bid to better understand how banks use these technologies in areas such as the use of data, cyber defence and fighting money laundering. This could be a precursor to new rules around the use of these tools. Incoming rules, such as the EU’s Digital Operational Resilience Act, are also bringing the use of the technologies into focus.  

Meanwhile, the Financial Stability Board is looking into more standardised ways for the industry to mitigate and report cyber incidents to drive greater awareness. 

Why is it happening? 

Regulators have long been concerned about cyber threats. However, they realise that the perpetrators are also gaining access to ever more sophisticated hacking tools. Furthermore, the severe deterioration in the geopolitical environment in recent years has raised the prospect of state actors with huge resources engaging in the activity. And their motives are likely to be less about extorting money and more about crippling financial infrastructure.

Regulators therefore want to ensure that banks are best prepared for increasingly intense and sophisticated attacks. 

What do the bankers say? 

Naturally, this is an activity that worries bankers. It only takes one successful attack to potentially ruin a bank’s reputation, and it can cost huge amounts of time and money to fix.

Bankers are also concerned about the increasingly significant investments they are having to make to stay ahead of the curve. That is particularly the case for smaller institutions. 

Another concern is around cyber insurance. It used to be bundled in with building insurance as a perk, but that has since changed. It is now a separate risk and one a growing number of insurers do not want to cover, given how fluid cyber crime is and how it could potentially hit an entire industry simultaneously. Indeed, premiums have risen 100% in just two years, accompanied by an inflation of restrictive clauses. Insurance specialists believe that this trend will just continue.

Will it provide the incentives?  

A key difference between, say, prudential requirements and cyber defence is that banks have a strong incentive to invest in the latter. Figuring out clever ways to reduce capital usage leads to more profits in the short term, with potential problems, such as a surge in non-performing loans, sometimes looking like a distant prospect. A successful cyber attack, on the other hand, could instantly paralyse a business or cost a great deal to resolve, particularly in the case of ransomware.

However, AI and ML have their limitations. Though they can sift out most of the attacks, they can struggle to defend against sophisticated attacks carried out by organised crime or state entities. This very much requires human intervention and high levels of awareness.  

So, although regulators are taking a deeper interest in the use of advanced technologies by banks, they probably do not need to lean on them that heavily to make the necessary investments. Where regulatory supervision might especially be useful is around making sure banks are carefully following best practices and are mitigating cyber risks in their supply chains. 
