What Are the Costs to Banks from Cyberattacks?

Nicholas J Price
6 min read
Banks and other financial institutions are prime targets for hackers because criminals can gain access to financial and personal information that leads them to additional sources of funds. For the same amount of effort, corporate accounts give hackers access to much more data. Criminals are working hard to stay a step ahead of security experts, who are trying their best to protect corporate accounts.

IT departments are studying consumer analytics and behavior patterns and adding layers upon layers of security measures to block and secure sensitive information. While consumers admit that security is important to them, they don't want to have to remember PINs and passwords for every account or to answer a long list of questions to verify their identity.

Hackers are looking at the interconnectivity of mobile devices and other systems to find ways to squeeze in viruses and capture information. IT experts are also looking at how they can use interconnectivity to incorporate security tools for banks and other industries.

As if all of that is not complicated enough, financial institutions also have to try to protect against employees who gain and use information internally for fraudulent purposes.

No system is as secure as banks would like for it to be, which makes it difficult for them to know how much insurance would be sufficient in the event of a breach.

Any way you approach it, protecting against cyberattacks is an expensive proposition.

Cyberattacks Cause Multiple Losses

Banks and other financial institutions stand to lose more than funds and data. Other potential costs include the loss of brand reputation and losses due to exposure for not complying with security regulations.

Research from Kaspersky Lab and B2B International shows that the combined losses due to cybersecurity incidents cost banks about US$1.75 million per incident, on average.

What Makes Corporate Banking Accounts So Difficult to Protect?

Several different things make corporate banking accounts difficult to protect. Corporations usually have multiple people listed on their accounts who need to be able to deposit, transfer and withdraw funds. Having different employees accessing the account on a regular basis, either in person or remotely, opens up opportunities for fraud. Transactions tend to be larger on corporate accounts than on personal accounts, so there is more to lose.

Managers and board directors don't always understand the information that their tech departments explain about how they are protecting systems, so they have no way of assessing whether the security programs are effective. A 2017 report by MediaPro surveyed 809 employees working in the financial services industry and classified 80% of their employees as 'risks' or 'novices' relative to cybersecurity. Lack of awareness among financial services employees increases the risk of work practices that could lead to a security breach.

Do Stronger Security Measures Sacrifice Consumer Convenience?

The banking industry has a healthy fear that if they were to experience a major security breach, they would lose a large number of customers. Many of the security measures exist internally within computers and electronic systems. IT departments use biometrics, fingerprints, behavioral characteristics and other measures to analyze consumer behavior to help authenticate identities as the first layer of security. IT experts build other layers of security on top of that to further lock out cyber threats. Employees are often the first line of defense when it comes to verifying the identities of their customers.

Mobile transactions make it easier for banks to confirm legitimate transactions because they can track the source. Mobile apps also help to legitimize transactions, approve payments and provide evidence of fraud, if necessary.

Enhanced security measures may mean placing an extra call to the corporate office, requiring additional signatures or PINs, or answering security questions.

Financial institutions are also aware that their customers have many passwords to remember and that they may forget their PINs and their original answers to security questions. While customers appreciate the extra security measures, they feel frustrated by verification procedures that are inconvenient and time-consuming. When banks reject a transaction because they can't verify its validity or customers are frustrated with too many questions, the bank risks losing business.

Mature Cyber Tools Don't Equal Effectiveness

Cybersecurity expert Ariel Evans cautions managers of financial institutions to be aware of IT departments that take a 'bottom-up approach' to cybersecurity. Evans notes that many security systems are mature and measure controls on the technical level. However, when these tools fail to tie in the business processes to the data assets and systems, the security essentially stops at the system level. A bank may have the most sophisticated, mature security system available, but its effectiveness is nil because it's not being measured at all.

Evans recommends a top-down approach that ties the business impact of the assets and processes to cyber risk. This approach measures the risk posed to the assets and prioritizes remediation efforts. This information is also helpful to insurance providers that can get more accurate information to offer cyber-risk insurance policies that cover adequate amounts in the event of a breach.

Controlling Risk of Internal Fraud

Financial institutions are also at risk of information being stolen internally by their employees. Internal fraud can be more difficult to detect than fraud that comes from outside the company. Some financial institutions now require that employees have their own unique cards, which they are not allowed to share with their peers. This helps the company monitor the context of transactions and narrow down the devices that need further investigation.

Does Cyber Insurance Offer Enough Protection?

Financial institutions protect their consumers with cyber risk insurance policies. Many experts question if banks are considering the full cost of what they would risk in the event of a cyberattack. Board directors need to carefully assess if they have enough cyber risk insurance. Discussions will no doubt include weighing the cost of the insurance with the amount of protection it provides, due to the large amounts that could be lost in the event of a breach.

Having data about the effectiveness of cybersecurity systems is instrumental in keeping insurance premiums low enough to offset large liability limits.

Reducing Costs From All Angles

Board directors have a huge task in front of them as they make decisions about cybersecurity. They need to have assurance from the IT department that the security tools they use are mature and effective. They also need to understand all the layers of security, including making sure that they've taken steps to make employees aware of their responsibilities in keeping accounts secure. Board discussions should include awareness of the risks of internal fraud, and board members should know how their corporation is protecting against it. Finally, board directors need to understand what their cyber risk insurance policies cover, as well as any limits, conditions and exclusions that apply. ''''