Banks ready for cybercrime?

Bankers can hardly contain their enthusiasm for new technology – from peer-to-peer lending platforms to bitcoin and blockchain. They’re investing in fintech startups, and a steady stream of former bank executives is popping up at these hot, new businesses.

But while fintech generates excitement, the technological development that leaves bankers most anxious is more sinister: Cybercrime has risen sharply to become the top concern among bankers in the U.K. and North America.

The risk of an attack is a bigger worry than tough capital requirements, shaky macro-economics or employee misconduct, according to a survey by the Centre for the Study of Financial Innovation and PricewaterhouseCoopers earlier this month.

One respondent in the survey warned of the potential for “a cyberattack so powerful on an individual bank that it has the power to bring down the institution, necessitating a state bailout.”

Yet it’s almost impossible for investors to see how firms are prepared for cyberattacks.

That’s because there’s no specific obligation for firms to disclose it. At most, cybercrime is caught by the requirement to disclose broader potential risks to the business.

Shareholders don’t get to know how much banks are spending on IT security unless the companies choose to tell them. (After it was the subject of a cyberattack, J.P. Morgan said in October 2014 it would double its $250 million annual cybersecurity budget within the next five years.) And investors have no real way to determine how well that money is actually spent.

By contrast, investors are overwhelmed with data on what they view as less important risks such as the health of banks’ capital buffers.

Regulators aren’t providing much more information either. At the request of the Bank of England’s Financial Policy Committee, some big U.K. banks have completed a self-assessment.

The FPC said earlier this year that all “core” financial firms should test their vulnerability and their capacity to get back to business after an attack. The regulator isn’t due to provide an update on this until next year, but it needs to give investors more details than previous tests.

In the meantime, the big concern for investors is that the industry’s tangle of creaking IT systems – many of which were built long before today’s cybercriminals were born – will complicate any recovery from a cyberattack.

Investors need more information to help them judge better if the bankers are responding to the threat properly. At the moment, they have to take too much on trust.

Duncan Mavin is a Bloomberg Gadfly columnist covering finance.
