
Banks: Get Serious About Supply Chain Cyber Risk


27-Mar-15 09:18

The digital banking revolution: for consumers as well as businesses, it means more convenience. Apps will replace branches and the management of our finances will become increasingly virtual. It also means more competition. Regulators around the world are coming down hard on incumbents while granting “challenger” banking licenses at a somewhat alarming, although more recently arrested, rate.

 

For procurement in established banking groups, all of this creates a headache, or, rather, a number of headaches (a few of which are documented here and here). Not least among these is the heightened presence of cyber risk within the supply base.

 

Competitive and cost pressures are forcing the closure of branches in favour of digital services, for many of which banks will rely on third-party systems. "Whether it is external data feeds, customer and staff devices or cloud services, banks find themselves having to adapt to relying on systems that are outside their control," said Nicola Crawford, a board member of the Institute of Risk Management, in an interview with UK newspaper The Financial Times. For many, the capabilities necessary to compete in the digital age are being developed among the supply base, rather than internally.

 

So what are we relying on these suppliers for? Well, beyond innovation, quality of delivery and everything else, it has to be security. As digital interactions grow in importance and the number of virtual points of entry into sensitive systems increases, so does the appetite of the sophisticated hacker. Already, digital weaknesses have been exposed; apparently, Touch-ID – a biometric authentication tool recently unveiled by RBS for its mobile banking app – was hacked only a month after its introduction.

 

Consider these weaknesses alongside the following. In February 2015, US regulator the Securities and Exchange Commission (SEC) released one of its risk alerts following an investigation by the Office of Compliance Inspections and Examinations (OCIE) into a cross-section of the financial services industry, conducted during 2014 under the cybersecurity examination initiative.

 

The report found that periodic firm-wide assessments, as part of cybersecurity policy and procedure, were common among as many as 93% of the sample, but, the report added, "fewer firms apply these requirements to their vendors." In some cases, as follows, dramatically fewer.

 

At most, 84% do. Looking at financial advisors, though, only 32% claimed to offer the same cybersecurity assessments of their vendors as they do of themselves. To some, the fact that vendor assessments are 9 percentage points less likely to be conducted than internal ones may sound negligible, but that there is a gap at all is striking.

 

Even more so, 74% of advisors, who, again, are least likely to hold vendors to strict standards and assessments, recognise that they have experienced cyber-attacks directly or through one or more of these external parties.

 

All in all, then, rather a bleak picture: the threat is very much there, the industry knows it and, as digital interactions become more important to consumers' interactions with their banks, it’s probably only going to intensify. Yet not enough is being done. It’s time to wise up.

 

 


This article is a piece of independent writing by a member of Procurement Leaders’ content team.


Harry John is category research manager at Procurement Leaders, specialising in financial services procurement. He draws upon a background in academic research and analysis, and experience in cross-industry indirect category research. Follow Harry on Twitter @aharryjohn

 

© Sigaria Ltd and its contributors. All rights reserved. www.sigaria.com
