The very real challenge of cybersecurity and how to face it

Criminals do not rob banks gun in hand and wearing masks anymore, in the way old films show, but they still break into banks. How? Hiding behind their computer screens and covering their digital tracks.

By Janine Barten

Cyber-attack risks have increased over the past years, making cybersecurity and digital operational resilience a top priority for banks all over the globe. Most banks are prone to cyberattacks now that customers are relying more and more on digital channels and electronic banking to perform their daily transactions. The risks that the banking sector faces are multiplied by the large number of users involved – and the lack of control banks have over the behavior of these users. That is why financial institutions are investing significantly in cybersecurity strategies, to remain one step ahead of cybercriminals.

The gap between cybersecurity and business needs

Despite all the security measures taken, banks continue to face challenges in protecting their systems, their customers and their data, and their financial holdings. Ransomware and phishing attacks remain a common issue and are also getting more disruptive. Cybersecurity awareness is improving, however, especially as more ransomware attacks get publicized in the media. But as time progresses, the level of complexity increases. IT systems and software are getting increasingly interconnected and more complex in general – and so must the cybersecurity measures that are put in place to protect banks and their customers.

One of the main issues is bridging the gap between cybersecurity and business needs. Good cybersecurity means adapting to the business needs. Philipp Schaefer, Cyber Risk Expert, and Peter Mikeska, Cyber Security Expert at Erste Bank Group, highlighted the organisational challenges banks are dealing with: “As savings banks find themselves in an environment of ever-increasing cyber threats, the heterogenic nature of how savings banks are organised provides challenges for a sound response to sudden cyber challenges. Swift communication lines among savings banks and towards their ICT are key for identifying threats quickly and allow partner banks to benefit from individual discoveries immediately”, the experts said in a written statement.

“In addition, as costs for protective and anticipatory measures towards cyber threats increase, a unified approach towards cyber threats and its communication becomes necessary to allow the individual savings bank to keep its cost at bay while also benefitting from a state-of-the-art level of know-how and protection”, the statement continued. “However, this doesn’t come without caveats, as savings banks would need to surrender some of their direct control over part of their business to a centralised entity consolidating the ICT efforts, making it both a challenge and chance for the savings banks.” The shortage of cybersecurity professionals to handle all these aspects remains a considerable challenge as well.

Initiatives at European level

“You no longer need armies and missiles to cause mass damage. You can paralyse industrial plants, city administrations and hospitals – all you need is your laptop. You can disrupt entire elections with a smartphone and an internet connection”. These are the words that Ursula von der Leyen, President of the European Commission, used in her State of the Union Address in September 2021 to underline the growing importance of cybersecurity and call for stronger measures to address cyber threats.

Similar to banks, the European Union is also taking steps in the field of cybersecurity. Following up on its path to the digital decade to deliver on the Union’s digital transformation by 2030, the Cybersecurity Act entered into force in 2021, defining the tasks of the European Union Agency for Cybersecurity (ENISA), the European watchdog for cybersecurity.

In May 2022, the Council and the Parliament reached provisional agreement on the revision of the Directive on Security of Network and Information Systems, better known as the NIS2 Directive, to further improve the resilience and incident response capacities of both the public and private sector. Political agreement was also reached on the Digital Operational Resilience Act (DORA), the lex specialis of the NIS2 Directive for the financial sector. Banks, stock exchanges, clearinghouses, as well as FinTechs, will have to respect strict standards to prevent and limit the impact of ICT-related incidents.

Additionally, the Commission published the proposal for the Cyber Resilience Act in September 2022, which aims at establishing common cybersecurity standards for digital products and associated services that are placed on the European market.

The road ahead: Education and innovation

All these regulatory initiatives can certainly set requirements for actors like banks. However, at the end of the day, the weakest links are usually humans – be they bank employees or bank customers. Continuous education is required to keep them aware of possible cyber threats.

On that note, CaixaBank offers its customers and employees extensive cybersecurity awareness programs and content through its Security space, a section on its website specifically dedicated to a secure online experience for customers. The website contains tips and advice on how to use products and services securely and reliably. Next to initiatives like the CaixaBankProtect News newsletter, CaixaBank has also set up a podcast featuring fraud victims, in which they touch upon a variety of topics such as fraudulent messages, how to manage passwords, secure online shopping, and antivirus software for your mobile phone.

Technological initiatives are important as well, as Philipp Schaefer and Peter Mikeska explain: “Focal point at Erste for online banking and communication with the customer is the platform George. Here, all data flows are monitored and permanently analysed towards anomalies. Should threats be discovered, an immediate response is initiated by blocking harmful actions and the affected customer will be contacted and informed. In case of a significant uprise of a threat, each customer entering our platform will be briefed and needs to confirm the message to proceed. The smartphone application of George can also discover if harmful code from other applications tries to gain access. Lastly, multifactor authorisation protects our customers from further threats.”

Although the cyber threat is constantly present, there is also room for optimism. The fast development of cyber threats, and of both European and national regulation to address those threats, will push banks to innovate. In addition, strong cybersecurity measures could lead to increased consumer trust. As Ursula von der Leyen stated in her State of the Union Address: “We should not just be satisfied to address the cyber threat, but also strive to become a leader in cybersecurity”.

Criminals will always be on the lookout for the weakest link. WSBI-ESBG members stand ready to counter this challenge and enhance the security of both their customers and society at large.

Janine Barten is WSBI-ESBG adviser with expertise on digital finance and innovation.

A shortened version of this article was published in WSBI-ESBG’s Financial News and Views December 2022 Edition on page 5.