Cybersecurity is an increasingly critical threat to global financial institutions and the broader financial system, yet it is not well understood. Large firms are prime targets for activists, organized crime, and cyber terrorists. An attack on an institution resulting in the loss of vital data can have a devastating effect on the firm's reputation, costing significant amounts of time and money to repair. Moreover, the interconnectedness of financial institutions leaves them vulnerable to disruption, threatening national security and the stability of the international financial system.
According to one bank executive, the cybersecurity threat facing the financial services industry "gets bigger by the day, month, and year because of the sophistication of the attackers and the fact that the attacks in the heartland have increased exponentially."
While financial institution boards and senior management are increasingly aware of the issue, a much broader and deeper understanding of the nature of the threat and the potential responses is needed in banks and their supervisory organizations. Improved collaboration and information sharing between the public and private sectors are required. Together, private and public stakeholders must develop a new framework for understanding and mitigating the risk through shared solutions.
Banking in transition: overseeing non-financial risk in the midst of technological and business model transformation
Non-financial risks have been among the greatest sources of risk for large banks since the financial crisis. Conduct and compliance issues, systems failures, and cybersecurity have risen to the top of risk committee agendas, but remain difficult to monitor, measure, and predict. Even as technology offers new mitigation tools, the transformative changes underway in large banks are creating new and different sources of non-financial risks. As banks overhaul systems, operations, business models, and structures to become more agile and efficient, the pace and scale of change are creating execution risk. As banks navigate their way through this transformation, boards and executives are identifying ways to improve management and oversight of these risks.
Cyber risk management: the focus shifts to governance
Cyber risk has attracted a great deal of attention in recent years, and banks, which are among the most targeted, have made substantial investments in cybersecurity. Despite this investment, cyber vulnerability continues to present unique challenges for risk management and oversight. As technology is increasingly embedded in all aspects of banking, cyber risk is expanding, requiring greater board attention. In response, boards are taking steps to improve governance and oversight of cybersecurity. At the same time, regulatory authorities are becoming increasingly prescriptive in defining cyber risk expectations and emphasizing the role of governance and controls.
Accelerating the technological transformation of banking
Technology is reshaping the competitive and operating landscape for banks. They face competition from tech-enabled competitors with new models, and pressure to reduce costs and improve efficiency. As technology becomes increasingly central to all facets of bank strategy and operations - from compliance and data analysis to the customer interface - bank boards need a more holistic, strategic view of technology investment. Regulation, meanwhile, is slowly adapting to the changing environment.
Top and emerging risks: improving identification and oversight of key risks facing large banks
Bank boards continue to face increasing accountability for ensuring banks are effectively overseeing risks. Yet, despite improvements in risk identification, participants in the BGLN question whether they are truly engaging in the right ways on the key risks that could bring down an individual bank or have a broader systemic impact. BGLN discussions over the last six months, including two meetings in June, focused on top and emerging risks and how boards and supervisors can improve oversight. This ViewPoints captures the essence of these discussions with individual sections focused on top risks including emerging sources of systemic risk, persistent conduct challenges, increasing strategic risk intensified by possible disruption, and the growing cyber threat.
Board and audit committee oversight of cyberrisk
Audit chairs from North America and Europe discussed how the risks associated with cybersecurity have grown in breadth and impact over the past few years and how they are stepping up their oversight in parallel. These efforts include having management provide dashboards with metrics on types and number of attacks on the company and in the industry as well as getting external evaluation of company cybersecurity efforts. Companies are also looking for generally accepted standards with which they can compare their efforts across borders to minimize the chances of serious incidents.
Exploring the cybersecurity landscape: growing risk and opportunity
Today, there are almost daily reports of cyberattacks. While much attention has been focused on banks, many insurers believe their industry needs to be better prepared to handle rising and evolving cybersecurity threats. Government officials, regulators, insurance non-executive directors and executives, and subject-matter experts addressed the state of the industry’s preparedness and innovative tactics for improving insurer defenses. Many boards also recognize the growing role insurers must play in the transfer of cybersecurity risk and are keen to encourage the growth and development of cyberinsurance markets.
Addressing cybersecurity as a human problem
Today, there are almost daily reports of cyberattacks on banks. The unique threat posed by cybersecurity is made all the more difficult by the constantly evolving methods of attackers, and a lack of principles for effectively governing the risk. Government officials, regulators, bank non-executive directors and executives, and subject-matter experts addressed the state of the industry’s preparedness, new ways to improve bank systems defenses, and the importance of developing a holistic and coordinated approach to manage cyberrisks within banks and across the sector.
Cybersecurity in financial institutions: a necessary framework for action
Cyberthreats are real and have accelerated up the agenda at major financial institutions. However, more alarming than the risk itself is that the financial services sector still lacks a common framework for progress on a broad defense system. Both banks and supervisors see real benefits to developing a shared framework that enables more effective communications, monitoring, governance and risk management, and improves decision making in IT.
Cybersecurity: an emerging risk for global banks and the financial system
The issue of cybersecurity as a top and emerging risk in banking and the financial system arose during a series of Bank Governance Leadership Network (BGLN) discussions among directors, executives, and supervisors in early 2012. On June 18, 2012, six non-executive directors, two chief risk officers, and three supervisors met in New York to further examine this difficult-to-manage but increasingly important risk for global banks. This ViewPoints summarizes key themes emerging from those discussions and ideas on how to address the threat.