PricewaterhouseCooper’s (PwC) ‘Banking Banana Skins 2014’ report lists perceived risk factors within the banking industry. One of these – ‘Technology risk’ – has risen from 18th in the 2012 ratings to 4th in 2014, reflecting growing concerns about the vulnerability of the banks’ outdated systems to cybercrime and outages, and the low priority assigned to this risk by management.
In view of the banking industry’s apparent inertia at implementing fully effective authentication measures, it’s worth taking a closer look at this report.
To start with, different people perceive the threat from ‘Technology risk’ differently. It’s notable that bankers themselves give this a far lower rating (7th) than do outside observers, like analysts (who place it 4th in importance), and risk managers, including regulators (who place it 5th). It’s also notable that this latter grouping gives ‘Criminality’ a high rating, at 3rd, in contrast with outside observers, who place it at 10th, and bankers, who don’t even include in their top ten. Overall, ‘Criminality’ rose as a risk factor from 24th in the 2012 report, to 9th in the 2014 report.
Does the perception of these threats differ from one geographic region to another? You bet. ‘Technology risk’ and ‘Criminality’ is rated at 2nd and 5th respectively in North America. ‘Technology risk’ also comes in at 3rd in the Asia Pacific, but just 9th in Europe.
Looking at these responses in detail is also illuminating. Two themes were common. The first was the perception that there has been a huge escalation in the frequency and sophistication of cyber-attacks (which also drove the rise in ‘Criminality’ mentioned above). As one chief risk officer put it, “The fastest increasing risk revolves around a range of threats categorized as cybercrime coupled with the broadcasting of the event through social media”.
The second was a growing reliance on old and overly complicated IT systems, which are susceptible to security breaches and unpredictable outages that can cause widespread disruption. One respondent was especially scathing, observing that this was, “Only going to get worse. Ancient systems stuck together with sticky tape. Long lead time to replace them. Too expensive to replace them. Management have head in the sand about the scale of the problem.”
It was felt that the banks were already playing catch-up in a technology environment, which continues to evolve rapidly. One director declared that, “Legacy systems will still be a major problem for financial institutions. Updating these systems whilst trying to adopt a more fleet of foot, customer centric approach through mobile technology will present a massive risk to these organisations.”
Disruption was regarded as almost inevitable. As one payment services director put it, “It is a near-certainty that institutions will suffer outages in the next few years; the critical issue is how they recover.”
The focus of comments on the risk of ‘Criminality’ was very much on the growing threat of cybercrime, such as hacking, identity theft and phishing. One respondent noted, “I think the risk of cyber-attack is very much underestimated. As consumers trend onto mobile phone payment systems, this risk will only increase.” Another said “The growth of cybercrime is the only reason other forms of crime are falling in the UK. Banks remain the number one target.”
Is this position likely to change in the near future? When respondents were asked to rate how well they thought the banks were prepared to meet these challenges, on a scale where 5 equaled ‘Well Prepared’ and 1 was ‘Poorly Prepared’, the average score was a middling 3.04. As you might expect, bankers and risk managers had a higher opinion of their own state of readiness (3.19 and 3.16 respectively) than outside observers, who only scored them 2.78.
Ever wondered why your bank still relies on Username, Password, Memorable Information, Hard Token or Card Reader, rather than the far more robust combination of Two-Factor Authentication and Telco Data? Maybe it is time to say something.