Reg comments21

Rethink on bank cybersecurity rules might only follow major bank breach, says expert

Banks 'effectively unregulated on cybersecurity'

DOor to a bank vault. Photo by Shutterstock

It might take a major bank to fail as a result of a cyber attack for meaningful changes in cybersecurity practices, regulation and governance in the UK banking market to be implemented, a leading industry commentator has said.

In an interview with Out-Law.com, professor Richard Benham, chairman of the National Cyber Management Centre, expanded on earlier comments he provided to the BBC.

He reiterated his view that there will be a run on a bank in 2017 as a result of customers losing confidence in the security of their funds following a cyber attack, and said more formal regulation of cybersecurity is needed in UK banking.

Benham said that, despite the existence of Bank of England guidance, the banking industry is currently "effectively unregulated on cybersecurity". There is a lack of "mandated standards", he said, and that these should be put in place.

"At the moment there is a tendency to leave banks to manage their own security," Benham said.

The Tesco Bank incident, and the attacks carried out via the financial institutions’ backoffice environments, such as those that affected Bangladesh’s central bank and Ecuadorian bank Banco del Austro, should "serve as a wake up call" to industry over cybersecurity vulnerabilities, he said. However, he said he believes some banks appear too willing to sacrifice an element of security when working on initiatives aimed at enhancing the customer experience, in response to consumers' demand for faster means of transferring money.

Citing the greater regulation banks have faced since the "credit crunch" as an example, Benham predicted, though, that "it might take a major failure" of a bank, stemming from a successful cyber attack and subsequent run on the bank as customers seek to withdraw funds, to prompt tighter regulation of cybersecurity of banks by central banks, governments and regulators.

Benham said that the Tesco Bank case showed that banks can fall victim to hackers and that leading industry figures admit that, should attacks be successful, it is inevitable customer funds will be stolen.

Online-only banks are perhaps more vulnerable to reputational damage, loss of customer confidence and a subsequent run on funds, should a cyber attack knock-out their systems, Benham said. High street banks, able to deal with issues in-branch, might be able to better respond to customer concerns and issue refunds quicker in the event they are hit by such an attack, he said.

The ability to reassure customers about the security of their funds, and issue refunds speedily, will be vital to a bank should they fall victim to a cyber attack, he said. Bank customers are likely to show "a degree of apathy" towards a bank's cybersecurity failings if they are promptly refunded for any losses they have sustained, he said.

At the moment, the true scale of losses banks suffer from cyber attacks is unknown, Benham said. This is because banks are able to disguise figures under the generic 'fraud' label, he said. However, he said the forthcoming General Data Protection Regulation (GDPR), with its new data breach notification obligations, is likely to bring a greater number of such attacks to light, as well as more details about their impact.

He said it is hard to predict what impact that might have on customer confidence and their eagerness to move money out of accounts.

Last month, Andrew Tyrie, chair of the UK parliament's Treasury Select Committee, said the current "lines of responsibility and accountability for reducing cyber threats" in banking "appear to be somewhat opaque". Tyrie said the UK should consider reorganising its governance of cyber risk in financial services so that there is "a single point of responsibility".

Copyright © 2016, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Biting the hand that feeds IT © 1998–2017