Bank executives already know what their investors don’t want to hear: Spending on cybersecurity is climbing, and there’s little way around it.
The cost of fighting cybercrime at banks rose 9% over a recent 12-month period, according to a new LexisNexis Risk Solutions survey of 175 executives from bank and nonbank financial services firms.
Those firms spent an average of $2.92 for every dollar of fraud or theft stemming from a digital attack in the 12 months ending in April — an increase of 25 cents from a year earlier. So, say a breach resulted in $10 million of theft or unauthorized charges, a bank could spend nearly $30 million to find the cause of the problem, fix it, reimburse customers and cover other related costs.
Commercial banks with $50 billion of assets or more spent an average of $2.97, which was a 30-cent increase, the survey found.
LexisNexis Risk did not provide an estimate of the total cost of cybercrime to financial services in the 12-month period it studied. Still, its figures were eye-catching, and more spending increases are expected because of the increasing sophistication of high-tech criminals. It’s a sore point from an investor-relations standpoint.
Bankers frequently argue that the high cost of tech investments will eventually result in lower overall expenses, as it allows them to make back-office work more efficient and to close costly retail branches.
A lot of banks’ tech spending goes to cybersecurity technology. That spending does not reduce a bank’s expense base, but it is a necessary evil of doing business in today’s banking industry, said Mark Zeichner, a New York attorney who advises banks on fraud issues. Changes must be made to keep up with advances among criminals.
“As Butch Cassidy and the Sundance Kid kept robbing banks, the banks kept getting more sophisticated with their vaults. So Butch and the Kid went to Bolivia,” Zeichner said. “It’s the same point with technology. The criminals move ahead, and you’ve got to move with them.”
It’s not a discretionary expense category, said Dan Healy, an attorney at Anderson Kill who advises banks on cyberinsurance recovery issues. Cybersecurity technology has become a fundamental cost of doing business in the banking sector, he said.
“It’s a race to keep up,” Healy said. “Even if banks didn’t continually advance their own technology, that doesn’t mean the scammers wouldn’t advance their technology anyway.”
One of the challenges in the fight against soaring tech costs is it is extremely difficult for banks to recoup money lost to cyberfraud through litigation or insurance claims. Many banks are reluctant to sue software vendors after a fraud-related outage because it suggests that a bank’s defenses are vulnerable, Healy said.
“There’s not a whole lot of litigation out there because banks worry it would be bad for their reputation,” Healy said. A lawsuit could raise safety and soundness issues for a bank, he said.
Insurance is available for cybercrime-related events, and there are multiple ways for a bank to pursue a claim, Healy said. But other attorneys have said that the premiums for this type of insurance are prohibitive, and
A bank’s best defense is to pay up for software that fights cyberfraud in the growing number of channels they do business, from mobile banking to call-center-based customer service, said Kimberly Sutherland, senior director, fraud and identity management strategy at LexisNexis Risk.
“The best approach is to try to address all of the channels because fraud is always going to go to the weakest link,” she said.
Fraud-related costs are lower for banks that have deployed technology across multiple business channels and payment methods than for those who have applied technology to just one or two channels, Sutherland said. If an institution has tackled multiple channels and payment methods, the average cost of fraud drops from $2.92 to $2.55. But it rises to an average of $3.71 per dollar for banks that only have one or two layers of defense. Most banks seem to be in the middle in terms of how much cyberdefense they have installed, which results in the $2.92 average.
“When you take a multilayered approach, banks actually see their cost of fraud reduced significantly,” she said.
The $2.92 per dollar average consists of several different cost categories. It takes into account what banks must spend on labor costs to investigate the fraud, paying fines and legal fees, the lost value of the transaction, customer reimbursements and other areas. LexisNexis Risk did not provide a breakout of the $2.92 per dollar average by expense category.
For bankers and investors who hope there is a permanent solution to ever-rising tech costs, they are probably going to be disappointed, said Daniel Garrie, an attorney at Zeichner Ellman & Krause who advises banks on cybersecurity. As soon as one type of cyber problem is solved, another will always take its place.
“There are inherently more bad actors entering the marketplace now than there were two years ago,” Garrie said. “It’s not that banks’ security is getting worse. It’s that the criminals are getting better.”