Cyber-security risk: Increasing vulnerability of banks and financial institutions

Md Hakim Ali | Published: May 24, 2019 21:17:18 | Updated: May 31, 2019 20:35:40

Technology has become more embedded in our economies and, surprisingly, keeps seeping further, particularly into the banking and financial institutions sector. This trend is associated with both beneficial and adverse externalities for society. On the benefits side, improvements in technology offer low transaction costs, low latency, agility, flexibility, and virtualisation in banks and financial institutions. Broadly, technology in banks remarkably enhances financial inclusion by transforming formerly unbanked people into banks' clients; helps financial integration through cross-border sharing of information; leads to financial innovation by offering new financial products and payment systems; and catalyses financial intermediation by speeding up deposit mobilisation. All these combined enhance the economic growth of a country.

Technology also has dozens of drawbacks for financial institutions, and it comes at a cost. Frequent changes to and improvements in software and hardware, together with the training and development of human capital that constant development and innovation demand, have led to an increase in cyber-technological costs in banks and financial institutions.

In fact, technological upgrading is a continuous requirement and, oddly, the amortisation rate of technology is higher than the amortisation or depreciation rate of goodwill, patents, furniture, motor vehicles, and buildings. Thus, technology adoption raises operational risk by increasing the fixed operating cost (business risk) in banks and financial institutions.

PROLIFERATION OF CYBER INCIDENTS: Moreover, digitalisation of the banking and financial sector has paved the way for cybercrime. Banks and financial institutions are confronting a proliferation of cyber incidents across the globe, and such incidents have become a regular feature of daily newspapers. To name a few, though the majority of cybercrimes are not disclosed to the public: Bangladesh Bank was embarrassed after the $81 million heist through the SWIFT system, the Mexican central bank found a $15.33 billion fraudulent transfer in 2018, and NIC Asia Bank suffered a loss of customer data via the SWIFT system in 2017.

Globex Bank in Russia faced a total loss of $940,000 in 2017 via an attack through SWIFT, while Bancomext, a government-owned export bank, confronted a $110 million heist in 2018. Santander, Tesco Bank, RBS, Lloyds, HSBC, Clydesdale, Yorkshire Banking Group and Barclays in the UK were forced to shut down their operations for two days because of a DDoS attack in 2017; Canadian Imperial Bank of Commerce in Canada faced phishing and hacking in 2018; Bank of Montreal lost the data of 90,000 customers, leading to a drastic fall in its share price; and £2.5 million was taken by hackers from 9,000 people at Tesco Bank in the UK. There are many other incidents like these.

Surprisingly, over the past few years, the frequency of such cyber incidents has skyrocketed, leading to concern among academicians, industry people, regulators, and policymakers. The inability to tackle this growing problem can affect the financial market in many ways. There could be risks such as volatility in accounting performance or operating income, volatility in corporate performance, and fluctuations in stock prices. These are areas where the sentiment and perception of investors are readily reflected, in line with the signalling effect. Sentiment therefore has predictive power for near-term future equity returns. Hence the cyber-security issue can significantly influence the market performance of financial institutions.

Cyber-security breaches affect banks the most, as these organisations have a large stakeholder base. Stakeholders' trust and confidence in the banking system play an important role in the variation of overall sentiment.

A study conducted by Reuters in 2016 claimed that a cyber-security breach erodes a company's stock price permanently and that financial firms face the most severe consequences among the different industry sectors in the market. In addition, a report by TechRepublic mentioned that a share price drops by 0.43 per cent on average immediately after a security breach. Nearly 1 per cent of the market value is negatively affected during the few days after any such event.

Loss of confidence in the cyber-security systems of banks and financial institutions also drives customers to pull their cash out of the affected banks. They usually park the withdrawn funds at another financial institution. Therefore, a liquidity crunch (another channel) is likely to emerge in the affected financial institution if customers switch to other institutions on a massive scale because of the fragility of its security system. As a result, banks and financial institutions are often required to liquidate their held-to-maturity investments through fire sales. This causes losses for the affected banks and financial institutions, as they forgo earnings.

Overall, cyber-security breaches are becoming a systemic phenomenon in the financial industry. Since the failure to settle one bank's obligations within the interbank transaction settlement system makes other banks unable to settle their commitments, this often leads to failure of the financial payment system. Policymakers and regulators have therefore recognised that a cyber-intrusion not only disrupts a single institution but also disturbs different elements of the entire financial network and other service providers.

Moreover, intuitively, cyber-security risk raises operational costs, lowers revenue and equity value, and increases customer loss, brand loss and reputational damage. Bank stability, as a performance variable, is affected through higher fixed operating costs, increased volatility in stock prices, the potential for a liquidity crunch, and reputational risk. This is why international bodies such as the Organisation for Economic Co-operation and Development (OECD) and the International Monetary Fund (IMF) have recognised cyber-security risk as a systemic issue and recommend relevant measures to mitigate cyber risk as soon as possible.

It is time to rethink the benefits and impacts of technology concentration in banks and financial institutions. Estimating the technology threshold and a bank's boardroom position on technology is now more important for bankers, regulators and academicians.


Md Hakim is a Research Associate at Taylor's University, Malaysia. His ongoing PhD research work concentrates on "Cyber-security risk and Bank stability".


