The Risk of Banking

I just came off a big Zoom call with traditional bankers where they discussed changes in client behaviors, and the impact that new technologies bring, which fundamentally challenge today’s traditional European banking models.

At the end of 2019, Boston Consulting Group published a white paper called “The Race for Relevance and Scale” in which they analyzed how much digital technology is used in the different regions. They concluded that digital transformation is already in full swing. In fact, at the end of 2019 only 12% of all banking transactions were executed within branch offices with local banking employees.

REBEX Survey 2015-2019

A big majority of the participants, however, talked about the rising risks of electronic banking and pointed specifically to cyber risks. While COVID-19 has accelerated the shift toward digital channels in 2020, it has also brought significant changes to overall customer behavior. But have cyber risks really changed?

Research shows that general channel usage has changed during COVID-19. More than 18% of customers, for example, have increased their usage of mobile banking apps. The attack surface and the number of people who can fall victim to a banking application cyberattack, though, have also increased. Nevertheless, 87% of all customers surveyed place the same trust in their bank as they did before the crisis, independent of the channel they use.

Why do people believe that cyber risks have grown exponentially over the last 10 years? If we look at typical cyber risks around web- or cloud-based applications, we often see certain clusters of risks. Customer data exfiltration and/or manipulation, financial resources theft, and system and resource availability are good examples. These clusters, however, have not changed much lately, and despite evolutionary changes in technology, these risks have fundamentally stayed the same.

Technology has certainly evolved with lightning speed. Mobile devices and applications have drastically reshaped the way we do business. More change is on the horizon as voice recognition, virtual and augmented reality, and artificial intelligence create new customer interfaces and business platforms. Such technologies and platforms will be key enablers for new services and will definitely intensify the digital transformation and the competition between product and service providers. Is new technology driving the increased sense of risk?

Customer preferences have also changed over time. More than 21% of banking customers plan to limit or completely stop using branches for their banking activities. At the same time, younger consumers are fueling the Sharing Economy (think Airbnb and Uber), marked by changing views on buying and owning (or not). This has significantly impacted traditional banking products like loans. Have these changes triggered the feeling of increased cyber risk?

The pandemic has also created changes in customer expectations and digital adoption. On average, 8% of survey recipients in Switzerland enrolled in online banking in 2020, on top of the 78% who were already enrolled. These digital users cited two reasons for their move to online banking: They wanted to own their digital identities and manage the use and monetization of their data. These users want to be in control of their data and are willing to let companies use their data only if they receive clear value in return. Is loss of control driving the feeling of increased cyber risk?

What is the right answer? I believe all of these trends are responsible for the feeling of increased cyber risk. They all share one common theme: TRUST. We place greater trust in companies’ purpose and values. We trust our banking partners to keep our data and information safe at rest and in motion. We trust them to understand our context and monitor the content so that they always act in our best interest and to our benefit. We trust our money will be safe and available, independent of the medium we use. Like any relationship, when trust erodes, it signifies the end of the partnership. What are you as a banker doing to keep the precious trust of your customers?

Frequently Asked Questions

Cybersecurity Risk Management is a strategic approach used by organizations to identify, assess, and prioritize potential threats to their digital assets, such as hardware, systems, customer data, and intellectual property. It involves conducting a risk assessment to identify the most significant threats and creating a plan to address them, which may include preventive measures like firewalls and antivirus software. This process also requires regular monitoring and updating to account for new threats and organizational changes. The ultimate goal of Cybersecurity Risk Management is to safeguard the organization’s information assets, reputation, and legal standing, making it a crucial component of any organization’s overall risk management strategy.

The key components of a Cybersecurity Risk Management program include risk identification, risk assessment, risk mitigation, and continuous monitoring. It also involves developing a cybersecurity policy, implementing security controls, and conducting regular audits and reviews.

Organizations can mitigate cybersecurity risks through several strategies. These include implementing strong access control measures like robust passwords and multi-factor authentication, regularly updating and patching systems to fix known vulnerabilities, and conducting employee training to recognize potential threats. The use of security software, such as antivirus and anti-malware programs, can help detect and eliminate threats, while regular data backups can mitigate damage from data breaches or ransomware attacks. Having an incident response plan can minimize damage during a cybersecurity incident, and regular risk assessments can identify and address potential vulnerabilities. Lastly, compliance with industry standards and regulations, such as the Cybersecurity Maturity Model Certification (CMMC) and National Institute of Standards and Technology (NIST) standards, can further help organizations mitigate cybersecurity risks.

A risk assessment is a crucial part of Cybersecurity Risk Management. It involves identifying potential threats and vulnerabilities, assessing the potential impact and likelihood of these risks, and prioritizing them based on their severity. This helps in developing effective strategies to mitigate these risks.

Continuous monitoring is a vital component of Cybersecurity Risk Management, providing real-time observation and analysis of system components to detect security anomalies. This enables immediate threat detection and response, helping to prevent or minimize damage. It also ensures compliance with cybersecurity standards and regulations, allowing organizations to quickly address any areas of non-compliance. By tracking system performance, continuous monitoring aids in identifying potential vulnerabilities, while the data gathered informs decision-making processes about resource allocation, risk management strategies, and security controls.
