Banks Silent About Cybercrime

Bankers can hardly contain their enthusiasm for new technology — from peer-to-peer lending platforms to bitcoin and blockchain. They’re investing in fintech startups, and a steady stream of former bank executives is popping up at these hot new businesses.

But while fintech generates excitement, the technological development that leaves bankers most anxious is more sinister: cybercrime has risen sharply to become the top concern among bankers in the U.K. and North America.

The risk of an attack is a bigger worry than tough capital requirements, shaky macro-economics or employee misconduct, according to a survey by the Centre for the Study of Financial Innovation and PricewaterhouseCoopers earlier this month.

One respondent in the survey warned of the potential for “a cyber-attack so powerful on an individual bank that it has the power to bring down the institution, necessitating a state bailout.”

Yet it’s almost impossible for investors to see how firms are prepared for cyber-attacks.

That’s because there’s no specific obligation for firms to disclose it. At most, cybercrime is caught by the requirement to disclose broader potential risks to the business. All investors get are assurances like this one from Royal Bank of Scotland’s annual report:

“RBS has experienced cyber-attacks, which are increasing in frequency and severity across the industry. This risk affects all customer businesses.”

No one can say RBS failed to warn investors. But it’s far from being actionable information. Providing actionable information doesn’t mean disclosing information that could help criminals.

Shareholders don’t get to know how much banks are spending on IT security unless the companies choose to tell them. (After it was the subject of a cyber-attack, JPMorgan said in October 2014 it would double its $250 million annual cyber-security budget within the next five years.) And investors have no real way to determine how well that money is actually spent.

By contrast, investors are overwhelmed with data on what they view as less important risks such as the health of banks’ capital buffers.

Regulators aren’t providing much more information either. At the request of the Bank of England’s Financial Policy Committee, some big U.K. banks have completed a self-assessment.

Credit: Bloomberg