Banks continue to face a variety of risks: some are familiar and have been publicly scrutinized, while others are less predictable and lurk in plain sight.
The banking landscape is only getting more complex, with the introduction of new technologies, including gen AI, heightened regulatory pressure and more sophisticated bad actors and security threats. Banks’ risk teams get little public credit when they effectively manage risk, but when something goes wrong, you can bet that it will quickly become front-page news that could cause significant reputational and financial damage.
While it’s impossible to create an exhaustive list of risks that banks face, three should be top of mind today. To borrow from Charles Dickens, I’ll refer to them as the ghost of bank risk managers’ past, present, and future.
The Present – Deepfakes
Is it really you? There used to be a degree of trust that when you heard a customer’s voice or saw a colleague’s face on a video call, you were actually speaking to them. The rise of deepfake attacks (realistic images, video or audio synthesized or manipulated with AI) is putting pressure on everyone from front-line banking staff and wealth managers to the C-suite and board.
We’ve already seen scammers walk away with millions by creating digital recreations of CFOs who appeared on video conference calls instructing employees to transfer funds to illicit accounts. Meanwhile, reporters have used AI-generated voice clones to fool banks’ voice authentication systems.
According to Accenture’s Cyber Intelligence research, threat actors are paying up to $20,000 per minute for high-quality deepfake video, and there has been a 223% year-over-year increase in the buying and selling of deepfake-related tools on dark web forums.
We expect banks to be a primary target of deepfake attacks. Attackers could use the technology to:
- mimic a senior banking executive to gain access to sensitive information or authorize fraudulent transactions
- spoof identities within HR systems, leading to unauthorized access or the employment of fictitious individuals
- impersonate customers and withdraw money from their accounts
The rise of deepfakes is also causing some finger-pointing among banks’ departments since it’s unclear who is responsible when someone falls victim to a deepfake. Is it fraud or is it cybersecurity? It may lead to a rethink of organizational models within banks and across all industries.
The military has long faced the analogous problem of telling a genuine friendly from an impostor, and its answer is Identification Friend or Foe (IFF): a challenge-and-response exchange, not a judgment based on what the other party looks or sounds like. Banking needs its own IFF for deepfakes. It starts with ensuring robust identity and access management systems are in place and, above all, verification procedures for large money movements that do not depend on the channel the instruction arrived on (for example, a callback over a pre-registered channel and a second approver). Banks also need to prioritize, now, educating and training their at-risk employees, especially C-suite executives, to help spot deepfake threats. And, just as with IFF, the technology ecosystem is developing detection capabilities that can help spot deepfakes.
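One way to implement the verification procedure for large money movements described above, as an added example that is not part of the original article: the channel a payment instruction arrives on (video, voice, email) carries no authentication weight at all; the gate issues a challenge code bound to the exact instruction, delivers it only to the requester's pre-registered number, requires it to be read back over that same number within a time limit, and then still needs a second, distinct approver. The threshold, the registry of callback numbers, the employee IDs and the server key are constructed assumptions for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Illustrative policy values: assumptions for this example, not the article's figures.
LARGE_PAYMENT_THRESHOLD = 100_000   # gate applies at or above this amount
CHALLENGE_TTL_SECONDS = 300         # the read-back must happen within five minutes

# Constructed directory of pre-registered callback numbers, keyed by employee ID.
# The gate always looks the channel up here; it never takes a number from the request.
REGISTERED_CALLBACK: Dict[str, str] = {
    "E1001": "+1-555-0100",   # the "CFO" in the constructed scenario
    "E2002": "+1-555-0200",   # a treasury approver
}


@dataclass
class PaymentRequest:
    request_id: str
    requester_id: str       # the identity the voice, face or e-mail claims to be
    amount: int
    beneficiary: str
    origin_channel: str     # "video", "voice", "email": recorded, but carries no trust
    issued_at: float = 0.0
    confirmed: bool = False
    approvers: Set[str] = field(default_factory=set)


class VerificationGate:
    """Releases a large payment only after an out-of-band challenge is read back
    over the requester's registered channel and a second person approves.
    The originating channel carries zero authentication weight, so a perfect
    deepfake of the CFO buys the attacker nothing on its own."""

    def __init__(self, server_key: bytes, clock: Callable[[], float] = time.time):
        self._key = server_key
        self._clock = clock
        self._pending: Dict[str, PaymentRequest] = {}
        # Messages "delivered" to registered channels; a stand-in for SMS or push.
        self.outbox: List[Tuple[str, str]] = []

    def _code(self, req: PaymentRequest) -> str:
        # The code is an HMAC over the exact instruction, so editing the amount or
        # beneficiary after the fact invalidates what the user read back.
        msg = f"{req.request_id}|{req.requester_id}|{req.amount}|{req.beneficiary}|{req.issued_at}"
        return hmac.new(self._key, msg.encode(), hashlib.sha256).hexdigest()[:8]

    def submit(self, req: PaymentRequest) -> str:
        if req.amount < LARGE_PAYMENT_THRESHOLD:
            return "standard-flow"                    # normal controls, not this gate
        if req.requester_id not in REGISTERED_CALLBACK:
            return "rejected"                         # nobody to call back: stop here
        req.issued_at = self._clock()
        self._pending[req.request_id] = req
        self.outbox.append((REGISTERED_CALLBACK[req.requester_id], self._code(req)))
        return "callback-required"

    def confirm(self, request_id: str, code: str, reached_via: str) -> bool:
        req = self._pending.get(request_id)
        if req is None:
            return False
        if reached_via != REGISTERED_CALLBACK[req.requester_id]:
            return False      # confirmation arrived from a number we did not register
        if self._clock() - req.issued_at > CHALLENGE_TTL_SECONDS:
            return False      # stale challenge; the requester must start over
        if not hmac.compare_digest(code, self._code(req)):
            return False      # wrong code (constant-time compare)
        req.confirmed = True
        return True

    def approve(self, request_id: str, approver_id: str) -> bool:
        req = self._pending.get(request_id)
        if req is None or not req.confirmed:
            return False      # no approval before the callback succeeds
        if approver_id == req.requester_id:
            return False      # dual control: the requester cannot approve their own transfer
        req.approvers.add(approver_id)
        return True

    def releasable(self, request_id: str) -> bool:
        req = self._pending.get(request_id)
        return bool(req and req.confirmed and req.approvers)
```

The design point is that nothing the attacker can synthesize (a face, a voice, an email) enters the decision: the only inputs are a number held in the bank's own registry, a code that never travels over the requesting channel, and a second human. Binding the code to the instruction with an HMAC also closes the "confirm a small transfer, then edit the beneficiary" variant.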
The Future – Quantum Computing
It’s not science fiction or fantasy. Quantum computers are not just theoretical constructs but real machines, and a sufficiently large one running Shor’s algorithm would break the RSA and elliptic-curve public-key cryptography that underpins a bank’s entire business. For risk and security professionals, this goes beyond stamping out viruses or contending with malware. It’s an enormous risk.
Fortunately, August 13, 2024 is when the game shifted for banks, with the National Institute of Standards and Technology (NIST) publishing its first finalized post-quantum cryptography standards: FIPS 203 (ML-KEM) for key encapsulation, and FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) for digital signatures, all designed to resist attack by quantum computers.
These algorithms have been long sought after as banks seek to reach post-quantum cryptography: cryptographic systems that are secure against both quantum and classical computers and can interoperate with existing communications protocols and networks. The milestone ought to be a turning point for the industry.
A subset of financial institutions has made significant investments to put protections in place. Most banks, however, say they will study the NIST standards and devote some staff to them, but ultimately treat quantum differently from malware, ransomware or deepfakes: as a threat that is not right here, right now. Ironically, the highest-profile quantum attack is literally named “harvest now, decrypt later” (also “steal now, decrypt later”): adversaries record encrypted traffic and stolen ciphertext today and wait for a machine that can decrypt it, so anything that must stay confidential for years is exposed already. That is a major gap in perspective.
Case in point: Accenture’s most recent Pulse of Change surveyed 205 C-suite banking executives from July until September and found that malware and ransomware (37%) are the top cybersecurity threats that banks are worried about. Just 10% are concerned about future quantum threats.
The reality is that the day quantum computing can break today’s public-key encryption is coming. It’s not a question of if, but when, and it will take banks years to inventory where vulnerable cryptography lives (applications, certificates, HSMs, payment rails, vendor products) and swap it out for post-quantum or hybrid schemes. And it’s not just their own organization: banks have a whole financial services supply chain that needs to protect itself.
In many ways, this is like Y2K all over again, except that nobody knows the deadline. To be sure, the risk to the global financial ecosystem is potentially catastrophic.
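The two practical points in this section, that "steal now, decrypt later" makes some exposures real today and that banks first have to find their vulnerable cryptography, come together in a cryptographic inventory. Below is an added example, not from the original article, of a first-pass classifier over such an inventory: it marks Shor-breakable public-key algorithms, halves symmetric strength for Grover, recognizes the NIST algorithms (including TLS-style hybrids such as X25519 plus ML-KEM), and ranks confidentiality uses with Mosca's inequality (secrecy lifetime plus migration time versus an assumed time to a cryptographically relevant quantum computer). The ten-year horizon, the CSV columns, the asset names and all figures in the sample inventory are constructed assumptions.

```python
import csv
import io
from dataclasses import dataclass
from typing import List

# Planning assumption, not a prediction: years until a cryptographically relevant
# quantum computer (CRQC) is treated as existing. This is a policy input.
ASSUMED_YEARS_TO_CRQC = 10

# Public-key algorithms that Shor's algorithm breaks outright on a CRQC.
SHOR_BROKEN = {"RSA", "DSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA", "X25519", "ED25519"}
# Symmetric ciphers: Grover's algorithm roughly halves the effective key length.
GROVER_HALVED = {"AES", "CHACHA20"}
# The post-quantum standards NIST published on 13 August 2024.
PQC_STANDARD = {"ML-KEM": "FIPS 203", "ML-DSA": "FIPS 204", "SLH-DSA": "FIPS 205"}
# Purposes where "harvest now, decrypt later" applies: ciphertext captured today
# becomes readable once a CRQC exists.
CONFIDENTIALITY = {"key-exchange", "data-in-transit", "data-at-rest"}


@dataclass(frozen=True)
class Finding:
    asset: str
    algorithm: str
    status: str     # quantum-safe | vulnerable | weakened | unknown
    priority: str   # P1 (exposed already) | P2 | P3 | -
    reason: str


def assess(asset: str, algorithm: str, key_bits: int, purpose: str,
           shelf_life_years: int, migration_years: int) -> Finding:
    alg = algorithm.upper()
    parts = [p.strip() for p in alg.split("+")]    # "X25519+ML-KEM" is a TLS-style hybrid
    if any(p in PQC_STANDARD for p in parts):
        std = ", ".join(PQC_STANDARD[p] for p in parts if p in PQC_STANDARD)
        how = "hybrid with " + std if len(parts) > 1 else "NIST " + std
        return Finding(asset, alg, "quantum-safe", "-", how)
    if any(p in SHOR_BROKEN for p in parts):
        if purpose in CONFIDENTIALITY:
            # Mosca's inequality: if secrecy lifetime plus migration time exceeds the
            # time to a CRQC, recordings made today will be decrypted while they matter.
            if shelf_life_years + migration_years > ASSUMED_YEARS_TO_CRQC:
                return Finding(asset, alg, "vulnerable", "P1",
                               "Shor-breakable; harvest-now-decrypt-later exposure today")
            return Finding(asset, alg, "vulnerable", "P2",
                           "Shor-breakable; data expires before the assumed CRQC")
        # Signatures cannot be forged retroactively: the risk starts when a CRQC exists,
        # unless the migration itself will not finish before then.
        prio = "P2" if migration_years > ASSUMED_YEARS_TO_CRQC else "P3"
        return Finding(asset, alg, "vulnerable", prio,
                       "Shor-breakable signature; forgeable only once a CRQC exists")
    if alg in GROVER_HALVED:
        effective = key_bits // 2
        if effective >= 128:
            return Finding(asset, alg, "quantum-safe", "-",
                           f"Grover leaves about {effective}-bit security")
        return Finding(asset, alg, "weakened", "P2",
                       f"about {effective}-bit security under Grover; move to 256-bit keys")
    return Finding(asset, alg, "unknown", "P2", "not classified; review manually")


def assess_inventory(csv_text: str) -> List[Finding]:
    """Run the classifier over an inventory export (one row per cryptographic use)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [assess(r["asset"], r["algorithm"], int(r["key_bits"]), r["purpose"],
                   int(r["shelf_life_years"]), int(r["migration_years"])) for r in rows]


# Constructed sample inventory; asset names and figures are made up for the example.
SAMPLE_INVENTORY = """asset,algorithm,key_bits,purpose,shelf_life_years,migration_years
core-banking-vpn,ECDHE,256,key-exchange,8,3
customer-archive,AES,128,data-at-rest,25,5
payment-gateway,RSA,2048,signature,1,4
new-api-gateway,X25519+ML-KEM,768,key-exchange,8,0
mainframe-batch,3DES,112,data-in-transit,10,6
"""

if __name__ == "__main__":
    for f in sorted(assess_inventory(SAMPLE_INVENTORY), key=lambda f: f.priority):
        print(f"{f.priority:2} {f.status:12} {f.asset:18} {f.algorithm:14} {f.reason}")
```

The ordering this produces is the point: the VPN key exchange protecting data that must stay secret for eight years is the P1 item even though nothing is broken today, because traffic recorded now will still be sensitive when it becomes decryptable, while the RSA signing key is P3 because a signature cannot be forged retroactively. The unknown-algorithm row is deliberately not silently accepted; an inventory that only knows the algorithms it expects is exactly how legacy 3DES survives.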
The Past – Third-Party Risk
While third-party risk never went away, it’s desperately in need of a rethink. The current approach of sending questionnaires to suppliers and then hoping for honest answers is beyond antiquated. Add to this three other factors:
- There are more banking suppliers than ever before.
- There’s heightened pressure from regulators that are asking more detailed questions and requesting horizontal reviews of banks’ supply chains.
- The current approach doesn’t lend itself to preventing breaches and reducing risk. It’s a compliance-driven, check-the-box exercise that is very reactive.
This is complicated by the fact that banks have limited resources to address third-party risk. It’s a highly manual process and there’s only so much capacity that banks can throw at the problem. Meanwhile, suppliers find themselves answering the same questions repeatedly.
It’s time for a different approach, one that is data- and threat-driven and could help prevent third-party breaches. Increasingly, platforms and third-party dashboards can help banks better manage the process and tap advanced data analytics to determine how third-party vendors are performing. AI and gen AI are being infused into these to improve efficiency and automation. Banks should watch this space closely and be open-minded to new approaches. It’s beyond time for the industry to get together and create a solution to this.
Boosting resilience
Risk remains everywhere all at once for banks. In a world where we can move money in real time, 24x7x365, managing risk through hope and manual processes could be a recipe for disaster. True business resilience will require a new mindset. The good news is that banks are moving to more automated and real-time approaches to threat management; just don’t be the last one to make the move.
Read the full article here