How to balance surging cyber threats with a tsunami of compliance costs


Contributed

This content is contributed or sourced from third parties but has been subject to Finextra editorial review.

Every year, consumers and businesses alike suffer significant losses as a result of fraud and cybercrime, a large amount of this stemming from criminals taking advantage of an increasingly digital world.

This is an extract from The Future of the Global Financial Ecosystem 2024 report, in association with Sibos. 

Digital fraud rose dramatically in 2022 compared to 2021, with the global attack rate up 20% year-on-year. These figures come from the LexisNexis Risk Solutions 2022 Cybercrime Report, which drew on data from the 78.9 billion transactions processed through its Digital Identity Network throughout the 2022 calendar year.

These figures are concerning not only for the consumers and businesses targeted by criminals but for the financial institutions working to combat fraudulent behaviour. Financial institutions are racing to build and implement heightened and sophisticated security measures to protect their customers' wealth and financial information, particularly given the increased regulatory attention being placed on them by supervisors across the globe.

According to Gianluca Pometto, head of group security at UniCredit, this year-on-year rise of cybercrime has serious implications for the financial sector – posing both business and reputational risks for an industry that relies on digital infrastructure and technology.

“This dependence on interconnected systems makes the financial sector an attractive target for cybercriminals seeking financial gain,” Pometto observes. To counter this, financial institutions have been investing significant resources in recent years to mitigate cybercrime and other unexpected events.

“This is important, but investment alone is not enough – a change in mindset is also essential. The evolving nature of cyber threats demands ongoing efforts and the flexibility to adapt to stay ahead of malicious actors. As technology advances and cybercriminals become more sophisticated, they will continuously leverage on the latest technologies, as they have always done,” warns Pometto. “Financial institutions must evolve alongside this.”

Findings from Statista (pictured above) predict that between 2023 and 2028, the estimated global cost of cybercrime will increase by a total of US$5.7 trillion, a rise of 69.94%. According to the latest estimates, by 2028, the cost of cybercrime worldwide will reach $13.82 trillion.

What are the hidden impacts of cybercrime?

The rise of cybercrime impacts both customers and entities in different direct and indirect ways, explains Juan Manuel Matalobos, head of global cybersecurity culture, BBVA. “The most obvious are the direct losses caused by cybercrime that must be covered by customers of entities depending on policies, regulations applicable in each country, specific circumstances of the loss.”

While more difficult to quantify, Matalobos notes that the indirect costs can include:

  • Increased cost of control: deployment of security technologies, training and awareness for employees and customers;
  • Loss of trust by customers and the market, which can interfere with the normal evolution of the market and can harm innovation;
  • Increased regulatory pressure with the aim of defending customers’ interests, but also increased compliance costs and complexity when working with multiple countries;
  • Fines and sanctions derived from incidents; and
  • Loss of profit due to the need to devote resources (people, budget) to recover from incidents or to control.

He observes that entities are making a large effort to mitigate cybercrime, which is evidenced by a steady increase in budget and headcount.

Tom-Martijn Roelofs, global head of security strategy and data at ING, echoes Matalobos, noting that the rise of cybercrime is requiring financial institutions to make significant investments in order to keep up with developments.

Roelofs states that these investments are needed to keep pace with the threats and are necessary to ensure continuity. “So far this has proven to be adequate to safeguard the financial ecosystem. Furthermore, international laws and regulations on cyber also propel cyber hygiene and create further attention at board level.”

While regulatory attention is working to increase the focus on protecting consumers in their increasingly digital financial lives, it can be a double-edged sword for the institutions required to implement stringent prevention measures. Not only are these requirements costly and likely to introduce friction, but given the legacy-heavy technology in these financial institutions, they can be very challenging to introduce.

“In some areas, entities are reaching the limits of what is achievable, due to constraints like availability of protection technologies, regulatory restrictions. It is also worth noting the impulse that is being given by regulatory authorities and public administrations, with the development of increasingly exigent regulations aimed to protect the customers and the market,” says Matalobos.

“These regulations provide all stakeholders with confidence in the robustness of the measures, but, aside from the associated increase in costs, they sometimes introduce distortions when they affect entities from different geographical areas, or of different nature or size, in an uneven way.”

Matalobos continues that while individual efforts performed by entities are relevant, there are also areas for improvement in collaboration. There are regulatory restrictions for sharing information, and still resistance inside the organisations to share information related to their own cyber incidents. Regulations are taking a big stake in transparency and collaboration that will evolve in the coming years.

How should financial institutions improve cybersecurity and prevent online crime?

Data from McKinsey shows that cyberattacks are on track to cause $10.5 trillion of damage per year by 2025, a 300% increase from 2015. To defend against this wave of cyber threats, firms spent approximately $150 billion on cybersecurity in 2021, a sum which is growing by 12.4% a year.

A 2022 paper from the consultancy explains that the sooner that banks begin their journey toward establishing a model risk management of cybersecurity solutions, the faster they will be able to manage incoming threats.

Safeguarding web and mobile applications, identifying risk exposure and revisiting pre-existing cyber defences are front of mind for the banking C-suite. This is only accentuated by pressure to meet increasingly onerous regulatory obligations, which include the need to bolster operational resilience and improve transparency and accountability, while reinforcing the need to protect consumers’ personal and financial data. Institutions must therefore consider employing a range of solutions, technologies and forward-thinking frameworks to strengthen cybersecurity and prevent online crime.

Fighting online crime will require higher collaboration between public and private entities, which in turn will require appropriate regulatory and technical frameworks besides operational technologies, states Matalobos.

He predicts that one of the “next big things” in cybersecurity will be the uptake of AI, which will increasingly be used on both sides of the fence. “If we lag behind attackers in AI usage, we will certainly be at a disadvantage. Analysts’ roles will evolve with the usage of AI, and new roles will arise, so training programs and even organisations and budgetary structures will have to evolve accordingly.”

The ability to identify abnormal user behaviour will be a strong use-case for AI, but in order to leverage this we must first deepen our understanding of customers, how the “human factor” impacts these situations, and improve training and awareness around crime prevention within institutions.

Pometto adds that the rise of AI, in particular, could once again pose new challenges to the current generation of cybersecurity countermeasures. This continuous battle against the new and unknown could be fought together, and financial institutions must remain vigilant and committed to enhancing their cybersecurity strategies.

Bain & Company explains that while generative AI has the potential to significantly improve the productivity and quality of many types of knowledge work, increase revenue, and reduce costs, it also opens up a new set of potential risks which must be managed. The paper reads: “The breadth and scale of generative AI’s likely uses combined with its evolving social and ethical risks make creating and managing a comprehensive governance program complex.”

In the Bain & Company visual below, we can see both the existing and the new risks that generative AI models can present for financial institutions. 

Co-head of payments products at BNY Mellon, Isabel Schmidt, explains that in order to tackle the challenges that fraud prevention brings, BNY Mellon is focused on building solutions that help to mitigate fraud attempts at two critical stages along the payment life cycle: before and after a payment is sent. “Our account validation service, for example, enables clients to validate account numbers, routing numbers and authenticate the owner in real time prior to sending a payment. As a second line of defence, we can also validate the payment instructions that we receive, using historical data to determine any discrepancies that should be flagged to the client before we process the payment.

“Ultimately, however, the success of any fraud prevention framework depends on reliable and robust data and intelligence – and this is not always guaranteed. To ensure that we are all on the same footing in the fight against fraud, there is a growing need for greater collaboration across the industry. Shared data networks, for example, would help to ensure that we can all provide fraud controls that are accurate and quick enough for the real-time world of today. That is why we are currently collaborating with Swift to develop strategies and technology solutions to combat fraud through the potential use of artificial intelligence/machine learning (AI/ML) models and privacy-enhancing technologies (PETs).”

This thinking is reinforced by ING’s Roelofs, who adds that tackling fraud and cybercrime means smartly combining best-practice frameworks. “Currently, institutions use for instance the National Institute of Standards and Technology (NIST) framework, the Standard of Good Practice and ISO standards for information security. No matter what framework an organisation is using, it is important to always actually test cyber controls and continually improve. This is nearly always part of the frameworks.”

Matalobos extends the point raised on collaboration, stating: “relationships between companies are becoming more and more complex. This increasing complexity implies a challenge for cybersecurity teams that must deal with incidents initiated outside their boundaries, ensure there are no gaps in the responsibilities assigned to several incumbents, and manage permissions with different degrees of affiliation.”

As illustrated in the visual below, firms are looking to increase their spending on cybersecurity in the coming years, underscoring their appetite to reduce or at least mitigate cyber risks by working with third parties to improve their risk management strategy. McKinsey projects that $101.5 billion will be spent on service providers by 2025, illustrating the desire to branch out from traditional internal risk management to embrace market-leading tech solutions available elsewhere in the market.

To improve cybersecurity and prevent online crime, Pometto recommends that organisations adopt a multi-layered approach that encompasses a range of solutions, technologies, and frameworks. Efforts should be focused on, but not limited to: endpoint and infrastructure protection, encryption, cyber threat intelligence, and advanced threat detection and prevention – and these should be selected and tailored based on the context.

“But improving the technical defences alone is not enough: it is also critical to foster greater awareness among employees and customers, who may find themselves targeted as the weak point in the chain. All the above should be driven by a clear cybersecurity strategy. It is crucial to approach cybersecurity as an ongoing and evolving effort, continuously adapting to new threats and staying informed about emerging technologies and best practices,” adds Pometto.

The escalating surge in cyber threats poses a formidable challenge to the financial services industry, propelling it to navigate a careful balance between safeguarding against digital fraud and managing burgeoning compliance costs.

The alarming rise in cybercrime underscores the urgency for financial institutions to fortify their security measures. While investments and regulatory scrutiny strive to bolster resilience, the complex landscape demands not only technological advancement but also a fundamental shift in mindset. In light of the complex impacts of cybercrime, financial institutions must forge new alliances and embrace innovative solutions. As the industry moves forward, harnessing AI, enhancing collaboration, and adopting multifaceted strategies emerge as key imperatives to more effectively manage cyber threats in the future.
