Banks tackle cybercrime

“The sophistication on the ‘demand side’ – the cybercriminals – combined with the ubiquity of technology allows attacks to be achievable,” says John MacKinlay, national leader of the financial services consulting and deals practice with PricewaterhouseCoopers LLP (PwC) in Toronto.

The reliance on antiquated information-technology (IT) systems and legacy technologies at some global financial services institutions represents another source of risk, both in security and competitiveness.

“[Legacy technologies] can be a challenge in the banking space relative to other industries that are competing with the banks,” MacKinlay says. “Your ability to change aspects of your core [technological] capabilities are compromised somewhat.”

So-called “technology risk” was ranked as the fourth-greatest risk facing international banks over the next several years in The Banking Banana Skins 2014 report, ranking just below the risks related to overregulation, political interference and macroeconomic factors. The report was released in May by the U.K.-based Centre for the Study of Financial Innovation in association with PwC, and was based on a survey of bankers and other banking industry insiders in about 60 countries, including Canada.

Cybercrime has become an increasingly worrisome concern for corporations, both in terms of financial risk and reputational risk, with recent incidents resulting in unflattering headlines.

In May, the CEO of U.S.-based retailer Target Corp. resigned, in part because of a cyberattack on the firm months earlier in which the credit card information of tens of millions of customers was compromised. In April, the Canada Revenue Agency was forced to shut down full access to its website for five days after a data breach that resulted from the Heartbleed bug, a flaw in the code of what were supposed to be secure, encrypted web pages.

Notably, Canadian banks were unaffected by Heartbleed. The Canadian Bankers Association (CBA), the association representing the banking industry, released a statement at the time reassuring customers that they could “continue to bank with confidence.”

“[Cybercrime] is certainly a risk, but it’s a manageable risk,” says Darren Hannah, acting vice president, policy and operations, with the CBA in Toronto. “[It’s] one that we’ve identified, and one that financial institutions proactively try to address.”

Canadian banks are able to provide consumers with secure, reliable and up-to-date technology in large part because of the substantial investment the industry as a whole has made in technology – $61 billion over the past 10 years, Hannah says.

In addition, he adds, the CBA and its members work co-operatively with government on security issues and also benefit from a strong regulatory environment: “This is a shared responsibility and a shared objective.”

No borders

Industry observers agree that Canada’s domestic banks have shown resilience against cybercrime and benefit from a few key advantages, including the resources to build and maintain needed protections.

However, Canadian banks, as well as their global peers, cannot afford to be complacent about guarding against potential technological vulnerability.

“Cybercrime is not geographically bound; it knows no borders,” MacKinlay says. “Everyone should be concerned about how they are steeling themselves against attacks from the virtual world.”

Banks, both in Canada and in other jurisdictions, must balance providing their clients with access to new technologies, including mobile technology, with a commitment to security and privacy. This is a traditional competitive advantage for the banking industry relative to new, untraditional providers of banking services, such as the digital currency Bitcoin.

“Payment systems, for example,” says Gordon Roberts, professor of finance at the Schulich School of Business at York University in Toronto, “that either already exist or may be developed in the future could provide alternatives for consumers to the banks [if trust were to be compromised].”

A key factor in combating cybersecurity is for organizations to take an open attitude to new technology, says Walid Hejazi, associate professor of international business at the Rotman School of Management at the University of Toronto. “Organizations that say no to new technologies actually have more breaches than organizations that are open [to them],” says Hejazi, who co-authored the 2014 Telus-Rotman IT Security Study, an annual report on IT security among Canadian corporations. “Organizations that are open can educate their employees on new technology and can monitor their use of new technology.”

High priority

Such firms are also better at retaining IT talent, Hejazi adds: “If you’re in an environment in which the security policy really inhibits the ability of people to be leading edge, IT people will leave. Organizations that have better retention within IT security have much lower number of breaches.”

Other ways to reduce breaches include having a “security first” approach when launching new IT projects and involving top management in any initiatives.

Despite the challenges of keeping up with new technology, banks, in some respects, may be better positioned to prevent cybercrime relative to other industries. That’s because banks historically have placed high priority on security and the privacy of client information, says MacKinlay: “It’s in the industry’s DNA, in a way that it might not be for other industries.”

© 2014 Investment Executive. All rights reserved.