It is not boardroom pressure that keeps chief executives of global banks, who manage trillions of dollars in aggregate balance sheets, awake at night; rather, it's the increasing number of cyber security risks.
As the imprint of technology continues to deepen on the financial services sector and the push for digitisation in operations is growing, cyber security has risen to the fore.
Jane Fraser, the chief executive of Citigroup, says cyber security is the risk “you can't really control” despite the fact that the fourth-largest lender in the US is spending “a huge amount” to mitigate it.
“We have a lot of intelligence and other support around it but cyber I think is the risk to major ecosystems. That I think keeps most global bank CEOs up at night,” Ms Fraser told The National in an interview earlier this year.
Ahmed Abdelaal, chief executive of Dubai lender Mashreq, agrees.
“This is the number one threat on any board’s table. Period. Earlier, it used to be credit and compliance, but if it's not the case,” he said.
chief executive, Mashreq Bank
“I can sit here talk to you for the next two hours about what we are doing in terms of innovation and transformation and business expansion, but if I'm not paying equal attention to this important front, then I'm not doing my job.”
The financial services and technology landscape are both evolving at a breakneck speed and the advent of disruptive tech such as the Internet of Things, machine learning and generative artificial intelligence are exposing financial institutions to vulnerabilities they never had to contend with in the past.
Global banks, wealth and asset managers and the insurance industry, as well a host of digital banks and FinTechs that have cropped up in the past decade are pouring in hundreds of billions of dollars a year in cyber security to protect their systems from attacks.
“They say when investigating criminal activity, you should 'follow the money'. When it comes to cyber threats, they also follow the money, making banks and financial institutions a big target,” James Maude, field chief technology officer of US cyber security company BeyondTrust, told The National.
“In general, the financial sector is uniquely exposed to cyber risks, that cannot only impact an individual but an entire economy, given the financial holdings combined with the vast amounts of personal data.”
Cyber security is the second most concerning challenge for banks in 2024, just behind inflation and high interest rates, a 2024 survey from UK research firm GlobalData found.
However, with bank chief security information officers contending with spending cuts, it has led to reduced cyber security budgets as a share of total revenue, Deloitte said in its 2023 cyber security report on financial institutions. Spending for cyber security still grew slightly, relative to total revenue in investment management, with digital transformation the top business driver, the London-based consultancy said.
Banks around the world are expected to spend more than $8.5 billion this year, nearly double the $4.29 billion they doled out in 2019, an April study from the Brazilian Banks Federation and Deloitte revealed.
JPMorgan, the biggest US bank that has been a victim of cyber breaches, had said it spends about $600 million per year for cyber security and claimed to repel about 45 billion attempted attacks per day. Bank of America, the second largest, said it raised its spending on the sector to $1 billion from 2021.
Regulatory scrutiny is also adding pressure. The EU, for instance, encouraged more spending after a landmark stress test for banks in June.
In the UAE, Mohammed Al Kuwaiti, chairman of the UAE Cybersecurity Council, recently announced that the executive regulations for an encryption law, which will establish key standards for data transmission security in line with quantum systems, are expected to be finalised before the end of the year.
On a broader scale, the value of the global banking cyber security market – which includes the tech, protocols and infrastructure to counter attacks – is projected to hit $282 billion by 2032, from an estimated $74.3 billion in 2022, growing at a compound annual rate of 14.4 per cent, data from Allied Market Research shows.
Will quantum computing pose a bigger threat?
While quantum computing is still about a decade or two away, depending on various estimates, it is a clear danger that requires investments in protection today.
Quantum computing uses highly-specialised technology to solve complex problems that traditional computers or even supercomputers cannot, or reduce the time it takes to solve them. A qubit – short for quantum bit – is the basic unit of quantum computing that is more versatile than binary bits in classical computers.
Quantum computers are exponentially faster than their counterparts. In 2019, Google claimed that its Sycamore chip was able to solve a mathematics problem – that would take 10,000 years – in just 200 seconds. However, the secure keys and firewalls that banks have in place to protect their systems can also be dismantled with quantum computing, experts say.
“The major concern is a very real possibility of current encryption methods being rendered almost instantly redundant by powerful quantum computers,” David Boast, managing director for the Middle East and North Africa at UK tech consultancy Endava, told The National.
“These encryption techniques are what currently underpin the secure storage and handling of data related to customer details, account balances, transaction histories, financial records, official communications and more.”
Vishal Pala, a senior solutions engineer at California-based Barracuda Networks, agrees: “A quantum computer will be able to crack almost any current cryptographic encryption – the foundation for almost all current security technology – in a matter of seconds.
“Highly-sensitive communications could be read or financial transactions could be hacked. This is a major concern for companies, banks, intelligence agencies and other organisations that rely on encryption to secure their data, but ultimately also for citizens,” he told The National.
It’s a never-ending race which top executives in financial services industry have to win, especially since criminals can go to any lengths to get into banking coffers. “I tend to agree as quantum computing journey is going to actually increase significantly the capacity and attributes of bad actors and people on the other side and less so for banks or financial institutions,” Mr Abdelaal said.
“Regardless of how much you invest in new technology, we are at disadvantage because we also have the vulnerability of our clients.”
Banks, he said, can protect their own shores and build super-smart firewalls with multiple layers of protection. However, a client clicking on a wrong link will dismantle everything. “This is also a key disadvantage that financial institutions have vis-a-vis bad actors,” he said, adding that Mashreq's annual spending is “an ever-evolving number”.
Costly price to pay
The financial sector is the second highest when it comes to monetary consequences, of cyber attacks with the average breach of data cost pegged at more than $6 million in 2024, IBM said in its latest industry report.
That's as much as 138 per cent higher than other industries except for healthcare, which tops the list. The industrial, technology and energy sectors rounded out the top five in IBM's Cost of Data Report – a list that proves cyber attackers are primarily targeting key industries vital to economies and societies.
What is needed is a balancing act for enterprises: keeping down financial damages and their fallout, while also ensuring cost-effectivity for the measures they take.
Companies can take advantage of AI, particularly behavioural analytics, which can be especially helpful in keeping bad actors out, Mr Boast said. “Spotting unusual patterns and detecting anomalies is a strong weapon in the chief security officer's arsenal.”
He argues that this is especially important in the Middle East, due to the heavy reliance on internet banking and e-interactions with customers. “The more data these protective systems have, the more useful they become … if this is not something you have considered, you should invest now,” he added.
When specifically dealing with the potential threats posed by quantum technology, post-quantum cryptography algorithms – one that cannot be easily cracked by quantum computers – is a viable option, Mr Pala said. “It remains essential to educate employees on cyber security best practices to reduce the risk of phishing and other social engineering attacks.”
In short, “get the biggest bang for your buck”, Mr Boast added.
The use of AI indeed helps: cost savings from the extensive use of the technology in cyber attack prevention showed that enterprises averaged $2.2 million less in breach costs compared to those with no AI use in prevention workflows, according to the IBM report.
“We have now entered the age of identity security where attackers find it easier to log in than hack in. This means we need to rethink our security approach to be more identity centric,” Mr Maude said.
Measures are already being taken by the banking sector globally as well. Last month, HSBC joined the Monetary Authority of Singapore for a collaboration on quantum security.
In 2023, the US National Institute of Standards and Technology teamed up with MasterCard and other industry players to develop and test post-quantum cryptography standards that can be used to secure financial data when the time comes.
Cryptography refers to the method of coding or hiding information so a message can only be read by the person it was intended for. “Defending against these attacks will call for financial institutions to fight fire with fire, deploying quantum computing and AI in defence,” Mr Boast said.
