The UK’s biggest banks are making good progress rebuilding balances shattered during the economic shock of 2008, but might the next crisis be digital rather than financial?
According to KPMG’s half-year Road to Recovery? What the Future Holds for UK Banks report, the country’s biggest firms have dragged their economic model back into the black despite having to cope with unprecedented regulatory pressure.
That said, banks will probably never return to the sort of pre-2008 returns, and have to put up with returns of half or less than the gargantuan profits made during the good times. But to borrow a phrase from the report, is worrying about future the size or reserves and future profitability a case of banks fighting the wrong war?
“Traditionally, banks have been leaders in IT security, at the cutting edge of innovation, but their ability to combat future security threats is increasingly debatable. After years of improvement, UK banks suffered a 12 percent increase in online account fraud last year,” said KPMG.
“Furthermore, the motivation for cyber assaults is shifting, from financial crime to political and ideological attacks, with the number of state-sponsored hacking and ‘hacktivist’ revenge incidents growing.”
The authors sketch over which form of cyber-incident might constitute a serious shock for banks – a huge data breach or mega-DDoS? - but noted growing worries about the potential trouble that might lie ahead. It was only a small pull-out box in a much larger report but a number of commentators seized on it.
“KPMG is right to highlight the imminent cyber threat that is currently hanging over UK banks. This has been building over the past year and if financial institutions haven’t already made security their top priority, they should do so immediately,” said McAfee EMEA CTO, Raj Samani.
“Where Europe has been the primary target for financial fraud rings – such as Operation High Roller – in the past, McAfee’s research has found thefts are spreading outside Europe, including the United States and South America.”
Others have argued that by working on the assumption that an attack was bound to succeed eventually, banks might be less likely to experience it as a mortal shock.
“By accepting that it is a case of when, not if, a breach will occur, financial organisations can focus on protecting data at its core, rather than on layers of perimeter security which are no longer up to the job of offering adequate defence,” said SafeNet vice president EMEA, Gary Clark.
At the very least, the growing threats from cyber-risk were likely to raise costs for the industry at a time of relative weakness, said Marc Lee of risk management firm, Courion.
“This regulatory burden can be eased by improving governance of access and identity risk. It is not enough for organisations to just develop external defences to protect against cyber-attacks – serious breaches have arisen in the past thanks to weak internal access management systems,” he said.
In June, the International Organization of Securities Commissions (IOSCO) published a report that worried about the potential of DDoS-led cyberattacks to ‘down’ a major securities exchange such as a stockmarket.
Perhaps the most concerning incident was the widely-ignored but still extraordinary heist last December in which a large number of cybercriminals co-ordinated at least $45 million of thefts from ATM machines in 27 countries. Although a small event in financial terms, the warning is clear. The criminals are now extremely organised, know which bits of the system to attack, and will almost certainly come back for a much large sum the next time.
The best defence? In the case of detecting an ATM attack of large enough scale, temporarily shutting down bank system across the world. In other words, pulling the plug.