
“Bank-Level Cybersecurity”: Is It Enough?



23 Sep 2015

Banks and other financial institutions cultivate an aura of strength and dependability.  Bank buildings are easy to spot in older towns – they are the ones which hulk over the main street, an architectural advertisement in their solid construction.  Financial industry logos tend to feature seemingly immovable objects like rocks or large, sturdy mammals.

Yet in the information age, the strength of a bank’s reputation isn’t defined by the size of its safe or the thickness of the concrete in its façade.  Financial institutions build and maintain their image of security today by protecting the information of their customers.  The growing parade of cybersecurity incidents makes this an incredibly difficult task.

“Bank-level security” used to mean something.  It symbolized an almost redundant level of protection – complicated to the point that it would be foolhardy to even try breaking through.  Yet in the context of a globally interconnected banking system, security is only as good as the most recent holder of financial data makes it.  Banks themselves might have very strong protections, but what about the firms they contract with?  What about the many subsidiaries, rating and credit agencies, or other affiliates which make up the financial industry?  All the protections of a financial institution can come to naught when information is handed off to a third party. 

The increasing complexity of the financial system also makes it more difficult to distinguish between a cybersecurity incident and a money laundering incident.  As the latest FINRA cybersecurity report details, the two now frequently go hand in hand.  Cybersecurity isn’t just about protecting customer information and assets – it also involves cyber threats which use legitimately opened accounts as a platform for fraud.

Perhaps the worst part of the cybersecurity equation for the financial services industry is the public relations angle.  Lax protections at an affiliate or partner firm may be the source of an incident, yet the media will often place public blame on the largest or most visible firm involved.  After all, a tiny Pennsylvania HVAC company didn’t get blamed in the court of public opinion for one of the largest corporate cybersecurity incidents, but its client (Target) did. 

Banks and brokers may have strong cyber protections in place, but customers will ultimately judge security on the entirety of where their information is used – a much larger and more complex picture.  Firms may protest that it is unreasonable for customers to associate the practices of third parties with their core business.  Yet the potential impact on customers spans the full spectrum of the information handling cycle.  For them, “bank-level security” is starting to extend far beyond what the bank itself does.

Interested in hearing more about what your financial institution can do to improve cybersecurity?  Join Echo for drinks and a discussion in New York on October 7th.