Banks Silent About Cybercrime

Investors need more disclosure on how banks fight their biggest threat

Bankers can hardly contain their enthusiasm for new technology -- from peer-to-peer lending platforms to bitcoin and blockchain. They're investing in fintech startups, and a steady stream of former bank executives is popping up at these hot new businesses.

[Chart: Bank Shares Falling. Source: Bloomberg data.]

But while fintech generates excitement, the technological development that leaves bankers most anxious is more sinister: cybercrime has risen sharply to become the top concern among bankers in the U.K. and North America.

The risk of an attack is a bigger worry than tough capital requirements, shaky macro-economics or employee misconduct, according to a survey by the Centre for the Study of Financial Innovation and PricewaterhouseCoopers earlier this month.

One respondent in the survey warned of the potential for “a cyber-attack so powerful on an individual bank that it has the power to bring down the institution, necessitating a state bailout.”

Yet it's almost impossible for investors to see how well firms are prepared for cyber-attacks.

That's because there's no specific obligation for firms to disclose it. At most, cyber-crime is caught by the general requirement to disclose broader risks to the business. All investors get are assurances like this one from Royal Bank of Scotland's annual report:

RBS has experienced cyber-attacks, which are increasing in frequency and severity across the industry. This risk affects all customer businesses.

No-one can say RBS failed to warn investors. But it's far from being actionable information. Giving investors more doesn't have to mean disclosing details that could help criminals.

Shareholders don't get to know how much banks are spending on IT security unless the companies choose to tell them. (After it was the subject of a cyber-attack, JPMorgan said in October 2014 that it would double its $250 million annual cyber-security budget within the next five years.) And investors have no real way to determine how well that money is actually spent.

By contrast, investors are overwhelmed with data on what they view as less important risks such as the health of banks' capital buffers.

Regulators aren't providing much more information either. At the request of the Bank of England’s Financial Policy Committee, some big U.K. banks have completed a self-assessment.

Last month, authorities in the U.K. and U.S. conducted a joint exercise with major global financial firms. The regulators were at pains to say it wasn't a cyber war game, and no details about the performance of individual firms were released.

The FPC said earlier this year that all “core” financial firms should test their vulnerability and their capacity to get back to business after an attack. The regulator isn't due to provide an update on this until next year, but when it does, it needs to give investors more detail than it did after previous tests.

In the meantime, the big concern for investors is that the industry's tangle of creaking IT systems -- many of which were built long before today's cyber-criminals were born -- will complicate any recovery from a cyber-attack.

Investors need more information to help them judge better if the bankers are responding to the threat properly. At the moment, they have to take too much on trust.

This column does not necessarily reflect the opinion of Bloomberg LP and its owners.

Author: Duncan Mavin in London.

Editor responsible for this story: Edward Evans.
