The digital banking revolution, for consumers as well as businesses, means more convenience. Apps will replace branches and the management of our finances will become increasingly virtual. It also means more competition. Regulators around the world are coming down hard on incumbents while granting “challenger” banking licences at a somewhat alarming, although more recently arrested, rate.
For procurement in established banking groups, all of this creates a headache, or, rather, a number of headaches (a few of which are documented elsewhere). Not least among these is the heightened presence of cyber risk within the supply base.
Competitive and cost pressures are forcing the closure of branches in favour of digital services, many of which will depend on third-party systems. "Whether it is external data feeds, customer and staff devices or cloud services, banks find themselves having to adapt to relying on systems that are outside their control," said Nicola Crawford, a board member of the Institute of Risk Management, in an interview with UK newspaper The Financial Times. For many banks, the capabilities necessary to compete in the digital age are being developed within the supply base rather than internally.
So what are we relying on these suppliers for? Well, beyond innovation, quality of delivery and everything else, it has to be security. As digital interactions grow in importance and the number of virtual points of entry into sensitive systems increases, so does the appetite of the sophisticated hacker. Already, digital weaknesses have been exposed; apparently, Touch-ID – a biometric authentication tool recently unveiled by RBS for its mobile banking app – was hacked only a month after its introduction.
Consider these weaknesses alongside the following. In February 2015, the US regulator the Securities and Exchange Commission (SEC) released one of its risk alerts following an examination of a cross-section of the financial services industry by its Office of Compliance Inspections and Examinations (OCIE), conducted during 2014 under the cybersecurity examination initiative.
The report found that periodic firm-wide risk assessments, conducted as part of cybersecurity policies and procedures, were in place at as many as 93% of the firms sampled, but, it added, "fewer firms apply these requirements to their vendors." In some cases, as the following figures show, dramatically fewer.
At most, 84% do. Among financial advisers, though, only 32% claimed to apply the same cybersecurity assessments to their vendors as they do to themselves. To some, the fact that vendor assessments are 9 percentage points less likely to be conducted than internal ones may sound negligible, but that there is a gap at all is striking.
Even more so given that 74% of advisers, who, again, are the least likely to hold vendors to strict standards and assessments, recognise that they have experienced cyber-attacks directly or through one or more of these external parties.
All in all, then, rather a bleak picture: the threat is very much there, the industry knows it, and as digital channels become more important to consumers' interactions with their banks, it is probably only going to intensify. Yet not enough is being done. It is time to wise up.
This article is a piece of independent writing by a member of Procurement Leaders’ content team.