Financial institutions failing to detect cyber breaches for over a week

27 September 2018 Consultancy.uk

The world of business has been working diligently to respond to a glut of cyber threats that have hit home in recent years. While financial firms have built good cyber security in the past year, however, over 40% of breach attempts still slip under the radar.

According to a recent estimate by anti-virus software giant McAfee, the threat of cybercrime to businesses is rising fast, with damages associated with such breaches now towering at over $400 billion. This represents a boom from up from $250 billion in 2016, with the costs incurred by UK business also running in the billions. As firms of all shapes and sizes battle to stave off e-criminals, organisations are increasingly investing in ramping up their digital frontiers and security protocols; something which is finally beginning to yield tangible results – particularly in the financial sector – according to a new study.

A paper from Accenture, based on a survey of more than 800 enterprise security practitioners (75 from the UK), has discovered that financial services firms stopped 81% of breach attempts in 2017, up from 66% in 2016. As a result, confidence among banking and capital markets leaders is riding high, in terms of their cyber resilience, with 80% of respondents reporting "confidence" or "extreme confidence" in their ability to resume activity after a breach. On top of this, firms further believe they are ahead of the curve when it comes to cyber security, with leaders saying they are well positioned in an average of 19 out of 33 capabilities, including stakeholder involvement, cyber security accountability and cooperation during crisis management.

Succes rate in stopping cyberattacks

However, Accenture’s analysts were keen to warn against complacency when it comes to this improvement. Carmina Lees, a Managing Director for UK Financial Services at Accenture, cautioned, “Over confidence combined with under investment in cyber resilience could spell bad news for the sector. As financial services become increasingly digital and open banking and third-party data sharing change how business is done, cyber risks are only going to grow both in scale and sophistication. AI, machine learning and robotic process automation can provide a consistent way to monitor for and combat these threats, but only if firms are willing to invest in them.”

Undetected breaches

According to the data, one in seven breach attempts against banks and capital markets firms still succeed, and a massive 42% of attempts go undetected for at least a week. This figure falls to 25% with regards to UK financial services firms, however the fact that around a quarter of breaches are still going undetected for more than a week can mean a difference of huge sums of money and data for those firms, amid troubled economic times in Britain, particularly with an uncertain Brexit due to come to fruition next year.

At the same time, the researchers also pointed toward a greater reliance on partnerships for growth as a potential factor which will drive up external cyber threats in years to come. Accenture found that institutions hold their partners to lower cyber security standards than their own, leaving them more open to hackers via the proverbial backdoor. As financial services firms are also adding more connected devices to their infrastructures, amid a drive to make the most of digital from a point of customer service, criminals are finding more potential entry points than ever before, driving up the need for more robust security capabilities. External threats are not the only factor which the financial sector needs to keep an eye out for, though.

Most frequent sources of cybersecurity breaches

70% of global respondents and 64% of banking and capital market leaders cited fear that they could be subjected to internal breaches from malicious insiders, while the same number of both groups worry that they could be hit by a hacker attack, such as the famous Wannacry attack. Meanwhile, more banking and capital leaders than the global average are concerned that insider errors could compromise their security measures. Accidentally published information resulting from a failure to follow processes and policies was cited by 45% of financial services leaders, compared to the global 44%, as a key threat.

Advanced sophistication

While defences have improved, a cycle of escalation has likewise seen cyber threats grow in sophistication, thanks to the wider availability of technologies like automation, machine learning and artificial intelligence. At the same time, while these technologies pose new threats, they can also help improve a firm’s cyber resilience. Despite the promise of such innovations, however, many remain reluctant to invest. When asked which new and emerging technologies they were investing in to evolve their security programme, just 38% of respondents replied Robotic Process Automation (RPA), and a sparse 43% had directed funds toward machine learning.

The use of advanced technologies in cybersecurity

Blockchain also languished beneath the 50% mark, even though it is already being leveraged by a plethora of other industries beyond the financial sector. In the UK, at the same time, while 80% of UK financial services executives regard these technologies as essential to combatting cybercrime, just a third of them are actually investing in them and only 21% plan to significantly increase their investment in the next three years.

Remarking on the slow adoption of these technologies, Carmina Lees added, “While UK financial services firms are making strides to close the gap on cyber-attacks, there is still work to be done given the amount of breaches that go undetected for so long. Historically, the focus has been placed on external threats. But firms also need to look closer to home at threats that already exist inside the organisation. It’s no good building a wall outside to stop people getting in. They need to work on the assumption that the hacker has already broken into the house and they need to contain them in one room to quickly prevent more damage.”

×

The business and operating models of digital-only banks

04 April 2019 Consultancy.uk

In recent years, several digital-only banks have successfully managed to nestle themselves in the banking landscape, with their popularity continuing to increase. Looking at it from the customer’s point-of-view, there is little difference between these FinTech unicorns; looking at the bigger picture, however, reveals significant variation in their business models. Matyas Fekete, a consultant at KAE, explores some of the main similarities and differences in digi-bank business and operating models. 

What about the profit?

Unlike in the UK, in most of continental Europe, bank accounts and corresponding banking services are historically paid-for services. The fact that digital banks offer most of their services free of charge has undoubtedly helped them build a large customer base. On the other hand, despite comparatively low set-up and minimised operational costs compared to that of traditional banks, and given the lack of revenue stemming from the typically no-fee model, profitability has proved difficult to achieve. Monzo, for instance, recorded a net loss of £30+ per customer in its most recent financial year. 

In the start-up world, it is customary to focus on expansion rather than profit – see the case of Uber, for instance. Still, while profitability might not be their number one priority in their early stages of development, it must be a long-term goal of any business. With their ever-growing customer base, digital banks are increasingly under pressure to turn their business from loss- to profit-making. 

Credit where credit is due

Digital banks pride themselves on their fair (often meaning “free”) proposition and have so far stayed clear of offering loans (including credit cards & overdrafts), traditionally amongst the most lucrative products for traditional providers. Though somewhat reluctantly, newcomers are also realising that offering lending products is one of the most straightforward ways to offset losses made on their free, often high-cost services (e.g. overseas ATM withdrawals). Monzo, N26 and Starling have recently started offering credit products to their customers, with their loan offering expected to be extended to a wide range of services, from mortgages to overdrafts. Correspondingly, creating a lending portfolio can also pave the way for launching an interest-paying savings offering – a proposition seen as a basic banking product that is yet to feature in most digital banks’ portfolios. 

The business and operating models of digital-only banks

The premium customer

While most digital banks offer most of their products for free, some have extended their offering by paid-for premium services in order to create a revenue stream. As these premium features – including different types of insurance, unlimited free transfers/withdrawals, faster payment settlement or concierge services – are often offered in a subscription format, customers are typically prompted to pay for the full package rather than just the desired service(s), providing a significant revenue stream for the bank. Revolut, for instance, was amongst the first digital banks in Europe to break even earlier this year, a feat largely due to revenue from its premium subscription.

SMEs like digital too

Traditional banks typically service small and medium sized businesses under their retail rather than corporate banking arm. Having their product offering tested with consumers, and consequently gaining a reasonable customer base, digital banks have also identified SMEs as an ideal segment to extend their target audience to. The five FinTechs profiled have already gone, or plan to go, down this path by following up their consumer solution with a business account. While both propositions are typically built on similar features, some providers charge businesses a monthly subscription (e.g. Revolut), while others apply additional fees to specific services (e.g. TransferWise), banking on the expectation that businesses are more likely to be willing to pay for banking – something they are already used to doing. 

The marketplace model

While most digital banks offer a wide range of banking services, some of these tend to come from partnering with third-party providers. For instance, Starling Bank’s only proprietary product is its current account, which serves as a basis for the provision of ancillary services, ranging from loans to insurance, to investment opportunities. Instead of developing these services in-house, Starling enables a select group of partnering financial service providers access to its platform in exchange for a fee. In effect, Starling is using its customer base to create a market for its partners, charging a commission for each acquired customer. 

In such cases of digital banks applying this marketplace model, the majority of their income often comes from partners rather than customers. Naturally, only banks with a large enough customer base can be successful in this set-up, underlining the current intensity of competition amongst digital banks.

Banking as a Service

While customer-centricity is heralded amongst the main USPs of digital banks, some are looking beyond offering consumer-facing services to diversify their revenue streams. Starling, which is among the few digital banks built on its own proprietary platform, has recently leapt into the Banking as a Service (BaaS) industry, making its technology available to other start-ups looking to launch a digital bank. Naturally, this raises the question whether the two offerings could threaten each other’s success. Generally, as long as such partners operate in different markets, the two business lines should be able to thrive alongside each other. Further along the line, however, such partners could easily end up expanding their banking solution into the same market(s) as they aim for global success, and by doing so, becoming direct competitors. 

Different approach, same result?

It is fair to say that consumers in Europe looking to bank with a digital-only provider would have a difficult time finding relative advantages/disadvantages amongst the leading players in the industry. Still, despite the limited surface-level variety, exploring the business models of leading digital banks reveals different approaches to the challenge of making money. Alongside the more straightforward method of offering paid-for premium features/subscriptions, some are banking on the value that access to their customer base offers to third-parties, while others outsource their technology to neobanks wanting to focus on the Fin rather than the Tech. With competition amongst digital banks heating up, it will be interesting to see which business model(s) prove to be the winning formula in the long term.