What banks are — and aren't — doing to repel cyberattacks

Four out of five bankers said they expect overall spending on cybersecurity to increase over the next 12 months compared with the previous 12 months. About three in five expect to invest at least 10% more, and a third of that group anticipates an increase of at least 25% more.

The heavier spending “reflects increased prioritization” among banks, says Teresa Walsh, global head of intelligence for the Financial Services Information Sharing and Analysis Center. Digital security is “no longer simply a back-office cost — it has become a critical business risk,” she said.

“Rapid digitization of financial services was already underway but accelerated with the pandemic and remote working,” Walsh said. “More digitization expands the attack surface of the industry, including through extensive use of third-party providers of software and infrastructure.”

“Institutions that are not heavily investing now because they believe they have a best-in-class cybersecurity enterprise will find themselves as ‘average’ or even ‘laggards’ in a short matter of time,” the Arizent report said.

The only way for an organization to reduce losses stemming from cyber crimes is to shore up its defenses, according to Keith Zielenski, managing director at the consulting firm Protiviti.

“This capability may come through greater intellectual knowledge, technology solutions, reducing an organization's attack surface, etc.,” Zielenski said. “The downside is these capabilities cost money.”

Arizent asked financial institutions which strategies they are employing to protect their customers, and it allowed respondents to select multiple options.

Sixty-seven percent of respondents in the banking sector said they require two-factor authentication compared with 39% who said they require geolocation and 43% who limit functionality on mobile banking.

While multifactor authentication is not impregnable, it can provide an extra layer of support if properly implemented. “We recommend all firms implement MFA as part of a robust cyber-hygiene program,” Walsh said.

Though multifactor authentication can annoy users, it is also “imperative under the current environment to have this line of defense,” said Raj Dasgupta, director of fraud strategy at the digital identity company BioCatch.

Cybercriminals facilitate most breaches “by way of weak or stolen passwords,” which makes multifactor authentication an important security measure, Zielenski said. “Therefore, this should not be a question of [return on investment] but rather ‘doing the right thing’ to increase client/consumer confidence in the banking entity,” he said.

On the subject of steps that organizations are taking to vet their vulnerabilities, 53% of banks said they review their cybersecurity practices and policies on an annual basis. The annual review practice could be getting supplanted by even more regular reviews.

“At the rate that cyber-criminal tools, techniques and procedures evolve today, many firms no longer believe that annual cybersecurity policy reviews are sufficient to maintain a robust cybersecurity posture,” Walsh said. “Some firms are implementing continuous controls monitoring, which can give real-time feedback on the firm’s security posture and controls.”

According to Dasgupta, annual reviews are far from sufficient.

“Companies should have cybersecurity task forces that meet regularly, as often as daily to review their vulnerabilities and the need to change policies and tools,” Dasgupta said. “At a minimum, these groups should be meeting weekly.”

Zielenski said a review should also follow any “major cyber event,” however an organization defines the term, and involve cybersecurity and business leaders from the firm.

“It should include a full review of cyber incidents and the related lessons learned from those incidents,” Zielenski said. “Additionally, the review and updates of cyber policies must be followed by an effective communication plan to drive compliance and/or required trainings.”