After a US regulator recently found that half of the major banks it oversees have weak or insufficient operational risk management in place and a global IT outage impacting financial institutions around the world, FStech senior reporter Silvia Iacovcich speaks to industry experts to investigate whether the banking industry is on top of its risk strategy and explore some of the measures firms can take to address vulnerabilities.
If it wasn’t evident before, the importance of effective risk management in financial services was clearly proven at the end of July, when American cybersecurity company CrowdStrike released an update which triggered a Microsoft system crash. The global IT outage caused disruption to banks around the world, meaning some consumers were unable to access their digital app services.
The potential need for the industry to address vulnerabilities in its approach to operational resilience and risk was once again echoed at the end of last month, when the US Office of the Controller of the Currency (OCC) found inadequate risk management across 11 of the 22 major banks it supervises in areas such as cyber and employee errors.
The Bank of England has also recently urged UK companies involved in payment facilitation to do more ahead of the March 2025 deadline to meet its new operational resilience rules.
But are banks really lagging behind in managing operational risk? FStech speaks to industry experts to see whether the industry as a whole is struggling and explores some of the preventative measures firms can take to manage the inevitable disruptions that come their way.
A positive outlook
Desre Sheen, head of Capgemini's UK financial services advisory practice, believes that banks are particularly well placed to manage operational risk compared to other industries.
Sheen points out that the CrowdStrike incident highlighted the importance of having robust contingency plans in place, showing how financial institutions had alternate emergency and disaster recovery plans that allowed them to more easily deal with the outage’s consequences.
Jeff Taft, global co-leader of law firm Mayer Brown’s financial services department, agrees, adding: “I suspect that you will find that banks are well ahead of most industries in this space, given how they are regulated and given the role that they play. That does not necessarily mean that they are meeting all of the regulator’s high expectations.”
Unlike other industries, banks are subject to a high level of supervision and regulation. Operational risk is often measured subjectively because of the lack of uniform agreement when assessing it – leading to the banking industry simply having higher standards, Taft explains.
Being heavily regulated and interlinked with other industries, the financial services sector is subject to more oversight, placing the industry in a better place in terms of cyber risk mitigation compared to the broader market of businesses using technology which can expose them to cyber risk.
And the increase in the use of technology in the banking sector cuts both ways. Firms can use technology to monitor the cyber threats which have ultimately been exacerbated by their digital transformation and the rollout of new tech.
Keeping control
“You can eliminate humans and eliminate human error, but you also raise concerns by bringing in third parties, whether it’s cloud or service providers who are not under your control as directly as your employees are,” notes Taft.
The relationship between banks and third-party vendors is one of the biggest risks identified by the regulators. As more services are now outsourced, banks face a reduction in the control they exercise over them.
As a result of this, failure to assess third-party risks brings higher chances for organisations to be exposed to supply chain attacks, data breaches, and reputational damage.
With the consolidation of process, suppliers, automation tools, dependence on third parties, and financial market infrastructures (FMIs), banks are seeing a rise in concentration risk due to the fact they are relying on somebody else to be that controller, Sheen explains.
As an example of this, partner at Mayer Brown Ana Hadnes Bruder, who focusses on global security, data privacy and intellectual property, recalls when one of its clients, a bank, suffered a breach last year caused by a zero-day exploit of a software from a third-party provider. The breach had a significant operational impact - for three weeks, the systems were down.
“Some cases can be avoided by enhancing security,” Bruder says. “But with the growing sophistication of hackers, in many cases there is nothing you can do as it happens quickly, and banks are just vulnerable to that.”
Although it is impractical to create a perfectly secure system, many defence mechanisms can make a system more difficult to attack and the best practices have their roots in a robust prevention strategy, notes Bruder.
Prevention is better than the cure
“Banks need to be able to have a contingency process, to recover from an attack quickly,” says Sheen. “But they should really want to be able to prevent it, if at all possible. Prevention is better than the cure.”
To safeguard institutions, Mayer Brown emphasises the need for firms to focus on the interconnected nature of cybersecurity and AI in the financial services sector, highlighting how front-end and back-end resiliency measures are crucial to avoid downfalls.
According to Mayer Brown’s Taft, banks’ first step to maintaining control involves conducting initial due diligence during the vendor onboarding. After that, monitoring with ongoing diligence over that vendor remains an essential task.
Both front-end and back-end procedures need to be in place to ensure that organisations can overcome possible threats.
On the back-end side, Taft says that the focus should be placed on business continuity, resiliency, and redundancy on systems so that no provider can present systemic risks.
“There has to be some sort of redundancy that gives the ability to return to operations,” he explains.
Basic security measures need to be in place, for example, organisations need to have privileged accounts with better protections; embedding security controls such as multi factor authentications; and a robust password policy.
Bruder emphasises that cybersecurity governance can successfully enable the flow of cybersecurity information and decisions around the whole of any financial organisation.
“All of those entities in the financial sector, those that don’t have it yet, they need a role,” she notes. “The chief information security officer (CISO), the chief financial officer (CFO), or the chief information risk officer (CIFO), and these are the ones who are going to establish private practices, cyber practices.”
If prevention is the fundamental cure from cyber-attacks, partner at Mayer Brown’s IP and data monetisation Mark Prinsley stresses how training and education are crucial for businesses trying to establish an appropriate risk mitigation plan for cyber risk.
Regulators can also encourage experiences to be shared and educate, with testing being a very important part of the process and cyberattack simulations recently becoming the norm across organisations.
“Cyber response exercises might be something that you start to see more as I think that organisations are connected and have realised that what affects one of them, will affect another one of them,” Prinsley highlights.
The role of AI
In the context of operational risk management, AI can be a double-edged sword. For example, it can be useful from a compliance and regulatory perspective.
“It can be very helpful in generating information about your vendors, flagging incidents, tasks that normally would require more workflow and time, such as searching negative news stories on your vendors,” Taft highlights.
More broadly AI can also now be used in cyber tools, with a range of leading cyber firms now implementing the technology, Bruder adds.
However, generative AI could also potentially increase cyber threats. Bruder reports how half the breaches the law firm helped its clients within the last three years started with a phishing email.
“GenAI is obviously doing a lot for fraud detection, but it’s also lowering the bar for cyber threats - if you think about bad actors, and how they can use GenAI for nefarious means without needing to have programmers’ skills anymore,” Sheen concludes. “The poor hackers who created this can now have some competition.”
Overall, it seems that banks are well positioned to tackle many of the difficult challenges they face in the operational risk management arena. In fact, the banking sector largely finds itself ahead of other industries because of extensive regulatory oversight and its interconnectedness as an industry.
However, as the US OCC found last month, this doesn’t mean that all banks are living up to the high standards of the regulators. With constantly evolving risks that could lead to significant disruption, reputational risk, and costly downtime, it’s those firms that successfully roll out both a sound operational risk management strategy and emerging technologies that will be in the best position to further strengthen the industry and tackle any threats that come their way.
Recent Stories