Unlike other risks, such as credit or liquidity, cyber crime can hit a bank hard from many different angles and is continuously evolving, making it difficult to model and to cope with. It is therefore unsurprising that bankers view it as the number one risk to their organisations. By Justin Pugsley.

What is happening?

Housing crashes, liquidity freezes and recessions can all be prepared for and modelled. The key defences include adequate capital buffers, sufficient liquidity, sensible lending policies and good risk management.

Reg Rage

However, digitisation has introduced another, much more insidious risk that can be every bit as damaging. Unlike traditional risks, it is fast evolving, pitting banks in an arms race against well-equipped, secretive criminal gangs and allegedly even state actors.

Cyber risk tends to come in three main flavours: cyber frauds, data breaches and business disruption. And according to bankers, these attacks are becoming more frequent, determined and bigger in scale, and financial losses from these criminal activities are rising.

Regulators tasked with promoting financial stability have grasped the seriousness of the situation, including the Basel Committee on Banking Supervision and the Financial Stability Board. They are steadily putting out more guidance on best practices and have so far not resorted to creating new regulatory frameworks to manage cyber risk. And they probably won’t either.

Why is it happening?

When the famous US bank robber Willie Sutton was asked by a reporter why he robbed banks, he allegedly replied: “That’s where the money is.” Though Mr Sutton later denied saying such a thing, that remark aptly explains why financial firms are the favourite target for hackers and cyber fraudsters.

Indeed, thanks to digitisation, robbing banks has moved on from the dangerous business of holding up armoured cars and breaking into vaults. A criminal based many miles away with an internet connection can steal even larger sums of money electronically from the safety of a ‘friendly’ jurisdiction.

Other types of hackers, often ideological ones, are less interested in money and simply want to damage the financial system, aiming to cause maximum disruption instead.

What do the bankers say?

Bankers are very worried. They are spending ever-larger sums of money to defend their institutions. Meanwhile, regulators are getting more interested in knowing what bankers are doing to shore up their defences. They are also willing to dish out harsher penalties to banks that fall victim to cyber attacks. For example, in 2018 the UK’s Financial Conduct Authority fined Tesco Bank £16.4m ($20.5m) for “failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack”. It was considerably more than the £2.26m the cyber criminals made off with.

Regulators’ attitudes are also shifting. They used to expect banks to stop these attacks from succeeding. Now, the focus is on resilience and fast recovery. In other words, regulators now expect some cyber attacks to get through, and their main concern is for retail customers.

Will it provide the incentives?

Usually the theft of funds or customer data is not the biggest cost for banks – it is what comes after: the fines, reputational damage, loss of business and ensuing investment in new systems, staff and procedures.

Other than providing some guidance and threatening harsh penalties for failure, regulators are so far leaving it to banks to devise their own approaches to tackling cyber risk. That is largely because it is a fast-moving and often difficult-to-define operational risk, and regulators are likely to be always dangerously behind the curve. It is also an area where having many different approaches might be better than one standardised approach, which, if found to be faulty, could lead to failure on a very large scale.

However, cyber risk is likely to increasingly feature in either stress tests or in separate exercises. For example, the Bank of England is shortly to hold a pilot test on the ability of banks to get their payment networks back up and running following a “severe but plausible” theoretical cyber attack. The central bank has indicated that future tests will look at how banks would cope with corrupted data.

The potential existential nature of a successful cyber attack is probably enough incentive for bankers to stay on top of the threat, and the big institutions are investing billions of dollars in building their cyber resilience.

But what is truly frightening is that if a big bank’s operational capabilities were crippled by a successful cyber attack, cutting off customers from their funds, there is probably not much regulators and central banks could do about it. This problem goes well beyond a recapitalisation or an injection of liquidity – though that could be needed as well. That is largely going to come down to technology and well-rehearsed recovery plans.
