KPMG in the UK’s Bia Bedri explores bank CEO perceptions around cyber security and shares tips and ideas for turning cyber into a competitive advantage.
Bank CEOs have made great headway on the cyber agenda over recent years. Most banks have made significant investment into cyber security and their CEOs recognize it as part of their personal responsibility. For the most part, major events have been avoided, regulatory requirements have been met, and awareness is rising.
So it is not surprising that bank CEOs say they are increasingly confident about their cyber capabilities. Indeed, in a recent global survey of 120 bank CEOs conducted by KPMG International last year, 42 percent reported that they were now 'fully prepared' for a cyber event (a massive jump from the 19 percent who said the same the previous year). And at least six-in-ten said they are now fully prepared for a customer data breach or software attack.
Bank CEOs are so confident, in fact, that many seem to believe that their cyber security prowess could help them improve their brand reputation and rebuild trust with customers. In our survey, two-thirds of the respondents said they see investment into cyber as an opportunity to find new revenue streams and drive innovation. And 78 percent said they plan to increase investment into cyber security over the next three years.
While bank CEOs have plenty of reason to be confident in their progress, my experience working with leading banks over the last twenty years suggests that some may be underestimating the challenge.
The reality is that it is very difficult to be 'fully' prepared for a cyber event. In part, this is because the nature of the threat and the risk vectors are continuously evolving and cyber attackers are constantly adapting. At the same time, the introduction, development and adoption of new technologies and business models also lead to new and unexpected cyber risks. It's hard to be 'fully' prepared for something that is rapidly changing.
The response may also suggest that – while awareness of the cyber risk has certainly increased at the board level – this may not be translating through the business management structures in a way that allows them to fully understand or appreciate the real nature of the risk they are trying to manage. More often than not, cyber is viewed through the lens of a technical discipline and set of controls rather than through a genuine understanding of the cyber risks and their business impacts. It is easier to be confident in whether a control is operating or not; less so to understand the end-to-end business operational risk.
The survey data also indicates that there may be a bit of a gap between executive awareness and execution. Bank CEOs may be aware of the challenge, they may be pouring in investment and driving development of the right frameworks and controls, but this may only provide a false sense of security if the rank-and-file don't understand the risk and take ownership of it.
CEOs have a lot to be proud of on cyber security. And they should keep up their momentum. Keep improving awareness of the risks and threat environment. Keep championing the drive for better cyber security. Keep encouraging your organization to be better, more aware and more responsible. And keep investing in the cyber technical capability (this is increasingly critical to securing the ever-evolving business technology infrastructure).
However, my experience also suggests that there are a few areas where bank CEOs may want to focus if they hope to turn cyber into a real competitive advantage.
While it may be easy to become discouraged or fatigued by the never-ending cyber battle, bank CEOs should take heart; they are making good progress and seem to be maintaining an upper hand. They should keep doing what they have been doing. But if bank CEOs want to turn cyber into a competitive advantage, they'll need to invest more effort in key areas.
© 2018 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.