SECURING FINANCIAL SERVICES
5th July, 2023 • London, UK
With so much stress in the financial system, where is the material cyber-risk in banking?
Keeping on top of material risks
A recent Bank of England systemic risk survey, conducted just before the latest round of bank instability, polled 65 executives in the UK financial sector and found that 74% of respondents deemed a cyberattack to be the highest risk to the financial sector in both the short and long term, followed closely by inflation or a geo-political incident.
However, while attacks are potentially very damaging if they do happen, banks remain confident they can repel them. According to the survey, cyberattacks are less likely to materialise (37%) than geopolitical pressures (54%) and the risk of soaring inflation (63%).
The number of respondents who believe their company is at high risk of attack grew rapidly this year, from 31% in the first half of the year to 62% in the second. Those considering the threat to be low have decreased by 20%, to just 3%. What’s more, 83% believe that cyber risk in the financial sector has increased in the past year.
These are interesting findings because they reveal that while financial institutions do not under-estimate the potential for harm posed by cyberattacks, they do not believe that the actual, realised damage will be as significant as that incurred from other, bigger-picture, business-related threats. To an extent, this assessment is borne out by recent events. Banks are failing not because of cyberattacks but because of rate rises, poor credit and investment decisions and deeper cultural failings.
So, what type of cyber incident does pose the most significant threat to financial institutions and the banking system?
Central banks worry less about attacks on single institutions and more about attacks on the data that institutions in general rely on; they worry about attacks that could cause bank runs across multiple banks; they worry about single points of failure in the third-party Cloud ecosystem.
Ultimately though, the system is only as good as its weakest link. A compromised firm will be connected through an almost infinite web to the rest of the system and so represent a threat to the whole.
So how should banks be strengthening their cyber defences to make sure that a firm-wide event doesn’t become a system-wide event?