Trust can be destroyed by a cyberattack. To maintain or restore trust, cyber strategies must protect, optimize and enable an organization.
New technologies are exposing financial services firms to greater vulnerabilities. While cybersecurity is enabling innovation and change, the ongoing impact of cyberattacks threatens to erode trust in many institutions. And many organizations have yet to provide the levels of cyber resilience and protection needed to maintain or restore the trust of their customers and stakeholders.
In recent years, there has been a significant trust disconnect between the public and major institutions. This is exacerbated by macro and geopolitical trends, as well as a concern for data privacy and cybersecurity. As customers provide more data, it becomes more costly for firms to take care of that data. Not only is there an immediate operational impact, but long-term brand reputation will likely be at risk.
Securing trust is critical for firms seeking to sustain long-term value in their business, products and services. In fact, the 2018 Edelman Trust Barometer reveals that building trust is the most important job for today’s CEOs. Cybersecurity is an increasing priority.
The EY Global Information Security Survey (GISS) shows that cybersecurity is also rising the board agenda, as firms work to optimize their programs. In today’s digital era, many have a long way to go to fine-tune their capabilities.
"Cybersecurity is an increasing priority
6% of financial services companies say their information security function currently meets their organization’s needs."
The survey reveals that “only 6% of financial services companies say their information security function currently meets their organization’s needs, but 65% plan to make the required improvements.” In one sense, these results are shocking. But, if you reflect on all the shocks in the system, the continued pace of new cyberattacks, and increased risk to a firm’s brand (loss of data, a breach or reputation), the figures are not surprising. Do financial services firms truly think their security team is best in class in protecting their organization? Most would say no. And for those that have a cyber risk program, the pace of improvement needs to increase.
Organizations in this sector are most anxious about the immaturity of their information security processes in the areas of architecture (cited as non-existent or very immature by 18%), metrics and reporting (18%) and asset management (17%), based on survey results. There is a concern that cyber expertise is not as involved as it should be in the ongoing transformation. Most organizations are on a digital transformation journey and are talking about adding artificial intelligence (AI), robotics and more valuable customer data into their operational models. However, cyber data, metrics and reporting should be embedded in the system from the outset to achieve agile transformational change – which is clearly not the case right now. If you build the right systems and security level into the design phase, it is easier to address gaps and flaws in the lifecycle.
Readiness requires a level of education from the top. Yet, there is an ongoing concern about the lack of talent in this area. In fact, 31% of survey participants warn that skill shortages are a potential stumbling block. Employees can also be a major threat to an organization. Certain cybersecurity functions can be automated through the use of robotics and AI, reducing risks and often improving efficiency. Innovation presents one of the biggest opportunities for the industry, and technology can help accelerate the level of organizational change. A high degree of trust in business correlates to the critical role of leading change.
Inadequate board level reporting 84% of firms are not getting adequate board level reporting for cyber risk.
Keeping the board in the dark
Even though the majority of cyber functions are in-house, the levels of board reporting are insufficient. The survey shows that 84% of firms are not getting adequate board level reporting for cyber risk. Financial services is increasingly dependent on data. If boards' risk and audit committees lack the data they need, how can they effectively influence change?
If your firm is subject to an attack or data breach – and lacks a clear view of the risks – how prepared will it be?
If you step back, cyber risk is large and growing – and not going away. If your firm is subject to an attack or data breach – and lacks a clear view of the risks – how prepared will it be? What are the consequences of reputational risk and loss of trust in your organization? Time and again we see that when organizations suffer a breach, they are not well rehearsed. Simulations and exercises are a powerful means of responding to stress. When an incident is mentioned in the media, you think there should have been a different approach to the response.
Technology is changing the shape of banking, leaving banks more exposed. We see a number of firms ultimately establishing “Greenfield” banks to support their bricks and mortar. As cybersecurity grows, embedding these into the change will be critical. Yet, many times we hear: “cyber security will slow us down. We haven’t got time to wait for it. We need the results now.” That’s a concern.
Think about the ecosystem, not just the servers
One area not highlighted in the survey is the ecosystem. The supply chain within financial services is very complex, presenting risks for those firms that rely on outsourcing. There is increasing evidence that attackers are targeting third parties at the weak end of that ecosystem by accessing data as entry to the financial services industry. It’s important for firms to have a good handle on where their customer data resides if they are to secure the ecosystem supply chain.
On a global level, protecting customer privacy and personal data is part of cyber and will not change. Organizations need to think about how they are using data – not just about how to protect it with the law, but the ethical aspect as well. Yes, you want value and need to be regulatory compliant, but are you doing it the right way?
In the next 12 months, financial services firms need to be prepared, developing sustainable strategies, while keeping data secure at all costs and sharing it externally with trusted partners. The challenge will be to protect their enterprise, optimize cybersecurity, and accelerate the pace of growth.
By Steve Holt, EY Partner, EMEIA Financial Services
Where there is risk, there is also reward – and doing nothing presents the greatest risk. Those companies with robust cyber platforms are enabled to grow and build the long-term trust which we believe will be a critical competitive advantage in the future.