Banks are getting a grip on cyber risk
This article originally appeared on Workflow.
Technology risk is unavoidable for banks. Financial institutions around the world are navigating a rapidly evolving cyber-threat landscape where they must battle ever more sophisticated cyberattacks and technology that seemingly changes overnight.
A breakdown of a bank’s IT infrastructure, systems or applications can be disastrous, and the stakes are high: The average cost of a data breach in the financial services industry stands at $5.9 million, according to IBM's Cost of a Data Breach Report 2023. That leaves top executives, and especially chief information security officers (CISOs), more exposed than ever.
Banks are on high alert. Two-thirds of CISOs in the sector say cyber risks have increased significantly over the past few years, according to a recent ThoughtLab and ServiceNow survey of 750 global executives at retail, private, commercial and full-service banks. Even more rank tech risk overall as the greatest threat to their businesses. Here are five stats from the report that stand out.
70% of CISOs said attacks on IT infrastructure are their main concern
While bank executives overall rank the pace of innovation and adoption of new technologies as the biggest reasons to beef up their tech risk management efforts, bank CISOs—the best suited to judge—say the escalation of cyberattacks is at the top of their list, according to the survey.
Seventy percent of CISOs indicated that attacks on IT infrastructure are their main concern. When they're not worrying about ransomware and denial-of-service attacks, the prevalence of fraud and other financial crimes keeps many of them up at night.
Perhaps unsurprisingly, the threat of cyberattacks is an area where leaders in high-tech risk management and laggards diverge most dramatically. While the latter feel most exposed to attacks, leaders in cybersecurity have clearly spent time hardening their defences and feel more confident for having done so.
52% of CISOs ranked cross-team collaboration as their top step
When it comes to technology risk, bringing teams from across the business together to address and manage it is the biggest priority for CISOs at global banks.
Fifty-two percent of them say that ensuring IT, risk and cybersecurity functions work together is the most important step they’re taking now. That could rise to 60% in two years.
Leaders recognise that building an effective organisation and culture that bolsters resilience starts at the top. "We made technology and cybersecurity risk management and resilience a part of our board and senior management duties, which has aided us in the early detection and correction of issues", a CRO at a private U.S. bank said.
36% of banks are using historical data to predict cybersecurity risks
More than a third of banks surveyed are already using historical insights to forecast cybersecurity risks. What's more, that share is expected to jump to almost half by 2025 as more banks leverage real-time insights to counter cyberattacks.
Those efforts should allow banks to defend against evolving attack strategies, predict future attacker behaviour, and guide responses to high-profile incidents like ransomware attacks and data breaches. "Predictive analytics will assist us in proactively managing risks and making educated resource allocation decisions", said the head of operational resilience at an Australian commercial bank.
Over the next two years, executives plan to invest in advanced technologies such as security information and event management systems, which make it easier to spot patterns in security data, and quantum cryptography, to take encryption to the next level.
54% of banks have recently boosted their AI investment
While discussion of AI's impact dominates boardrooms and legislatures, many banks are ahead of the curve: More than half upped spending on AI and other advanced technologies over the past two years.
Others are planning to follow suit. "In response to an increase in cyberattacks, we will strengthen our cybersecurity measures by adopting more cutting-edge security technologies, such as artificial intelligence and machine learning", said a German retail bank CISO.
Still, it's important to remember that human error is often the easiest point of entry for cybercriminals. Automating manual security processes based on email and spreadsheets is always a good idea. Similarly, AI-powered intelligence can be a crucial tool to quickly and accurately diagnose what needs to be done during a breach and who should do it.
68% of CISOs expect greater change in their technology risk over the next two years
Banking executives are bracing for unprecedented innovation in the next few years, which could fundamentally remake the financial industry. AI, blockchain, and decentralised finance, as well as the metaverse and other aspects of Web 3.0 or Web3, will only make dealing with cyber risks more difficult and complicated.
To survive, financial institutions need to take a more proactive approach to cybersecurity, with a clear plan to guide resilience and investment across the entire value chain.
The winners will have to balance the benefits of digital innovation with the greater exposure to cyber risk it brings. They will also need to empower everyone in the bank, from the CEO to account managers, to become risk officers.