Observations from the Fintech Snark Tank
In his 2019 letter to shareholders, JPMorgan Chase’s CEO Jamie Dimon wrote: “The threat of cyber security may very well be the biggest threat to the U.S. financial system.”
This isn’t news to bankers. In Cornerstone Advisors’ annual ‘What’s Going On in Banking’ study, cybersecurity has been a top concern of C-level bank and credit union execs for the past few years.
And they’re putting their money where their concerns are. According to Kaspersky Lab, financial services firms spend $1,436 per employee on cybersecurity, more than double what the retail industry spends (thanks, retailers).
That doesn’t mean there’s consensus regarding their views on cybersecurity, however. There are five common beliefs (or myths) about cybersecurity that need to change.
Myth #1: “Cybersecurity is IT’s job.”
There’s a common problem in the business world today: The belief among many senior execs that appointing a C-level exec to oversee a problem or challenge will take care of it or make it go away. If you need proof, consider how many companies now have a Chief analytics, AI, brand, customer, data, digital, experience, knowledge…you don’t really want me to go on, do you…Officer.
I’m all for a Chief Information Security Officer (CISO), but many business execs think that, by having one, that person (and IT) has the cybersecurity efforts under control.
It doesn’t work that way. The CISO of a $3 billion bank told me:
“I may be responsible for the security of the bank’s information, but it’s the executive team and functional heads who must ensure that we manage and mitigate the day-to-day operational risks of cybersecurity efficiently and effectively.”
Data breaches and cyberattacks affect the entire enterprise, not just a single unit, division, or department. Decisions to mitigate these threats shouldn’t be relegated to IT.
In addition, cyberincidents require communications with the institution’s customers, employees, partners, and media. The executive team and board should help script the organization’s responses.
Myth #2: “We don’t need to worry–only the big banks are at risk of cyberattacks.”
According to a study from Nationwide, banks with less than $1 billion in assets were the victims of nearly half (47%) of all bank-related cyber-crimes between 2012 and 2017.
The study also found that financial institutions with less than $35 million in revenue accounted for 81% of hacking and malware breaches in 2016–a jump from 54% the previous year.
According to the CISO of a $750 million bank:
“We uncovered a hack into our systems and discovered that its intention was to disrupt the Fed and other banks’ payment systems.”
Myth #3: “We can gain a competitive advantage by being good at cybersecurity.”
No you can’t.
It’s scary to hear this from bankers for two reasons:
- Cybersecurity is table stakes, not a differentiator. There’s no question that security is important to consumers, but they expect it. Being “great” at cybersecurity isn’t going to attract more customers.
- Banks can’t be “great” at cybersecurity. Only the largest banks have enough resources to be on the leading edge of cybersecurity. And even they would say they’re not that good. Privately, that is.
Myth #4: “A national digital identity scheme will emerge to improve cybersecurity efforts.”
Although a number of governments around the world have launched identity initiatives, the prospects for a digital identity scheme in the US on par with other countries looks slim for the short-term.
Today’s political climate is not conducive to a national identity effort, which will be seen by many as an attempt to limit immigration and identify (and remove) immigrants illegally in the country. In addition, a government-driven identification system hardly seems to be a priority of the current administration.
Banks themselves are beginning to think that they are digital identity providers.
At a recent banking conference, in a panel discussion on digital identity, the panel moderator asked a room of roughly 60 bankers if they, as consumers, would sign up for a digital identity service from their bank. Four bankers raised their hand.
That might not bode well for the banks looking to develop digital identity services, but the arguments against a bank-offered digital ID scheme goes beyond an unscientific survey of bankers.
Myth #5: “We’re doing fine as long as we pass our annual exams.”
No you’re not.
At a recent conference, I sat on a panel with a lawyer who had worked at the CFPB. An audience member asked, “Can regulators keep up with technological change?”
I argued “no.” The lawyer argued “yes.” It was the first–and will probably be the last–time I ever win a debate with a lawyer.
I’m not alone in my argument. Look at some of these recent headlines:
“Law and ethics can’t keep pace with technology.”–MIT Technology Review
“Data protection law is in danger of lagging behind technological change.”–The Guardian
“The law can’t keep up with new tech.”–World Economic Forum
Passing annual exams means a financial institution is doing what a regulator thinks it needs to be doing. But who says the regulator is up on things? Apparently just the regulators.
One overarching theme cuts across the debunking of the five myths: Achieving cybersecurity success requires management and measurement—not just education. Educating employees and board members about cybersecurity issues is needed—but represents the bare minimum of what banks and credit unions must do.
This article was written by Ron Shevlin, and originally published by Forbes.