Last year, JPMorgan Chase devoted $5.42 billion to keeping its technology up to snuff. Where did all the money go? It was devoted to enabling retail banking clients to access their accounts on mobile devices and making forays into mobile payments; trying to woo clients into consuming more of the bank’s products and services; keeping track of customer funds; managing trading systems and networks; and, increasingly over the last several years, putting in place the systems required by new regulations.
Oh yes, of that sum, about $250 million was earmarked for cybersecurity, to protect and defend the bank from attacks.
According to an investigative report by Bloomberg News, by the time that heightened level of spending kicked in, it may already have been a question of too little, too late.
As the world discovered last week, a group of hackers — whom investigators now believe may be based in Russia — spent much of the summer burrowing their way into JPMorgan’s systems and rummaging around there, thanks to a small, overlooked flaw in the design of one of its public websites. They had the best part of two months to wreak havoc before a routine survey uncovered what was afoot and slammed the door shut on the intruders.
This hacking attack hasn’t gotten quite the same amount of coverage as the one involving Jennifer Lawrence and other nude celebrities, but it should worry you more.
If the banking industry, whose biggest members (in North America, Europe and the Asia Pacific region) were forecast to spend a total of $188 billion on technology this year, can end up with a problem of this magnitude, what hope does it offer for the rest of us? But the whole snafu isn’t really about dollars, or even about technology. It’s about the way banks think about the money they spend on technology — and that’s where there is still room for change.
A recent survey devoted to information security by global accounting firm PricewaterhouseCoopers pointed to one of the chief problems confronting financial institutions: Regulatory compliance is the single largest driver of their spending in this area, rather than the security threats they might confront. “That’s not surprising in a highly regulated industry, but a security model centered on existing compliance standards will not adequately address today’s evolving security threats,” the report’s authors concluded.
Whether JPMorgan CEO Jamie Dimon authorizes spending $200 million, $250 million or $500 million on cybersecurity, what will matter more is whether the bank’s IT team is able to identify the kinds of attacks they could be confronting in the future and prepare to deal with them.
As a report published by the New York State Department of Financial Services on cyber security in the banking sector noted, pithily, “the amount of money spent on a cyber program is by no means the best reflection of its strength.” More important, the report’s authors conclude, is whether a bank is able to design programs around specific risks, and stay abreast of the changes in both the technologies available to them and the increasingly sophisticated threats they face.
This may prove tricky, for a number of reasons.
For starters, IT departments in the banking sector are in the uncomfortable position of being cost centers that don’t generate revenues. Admittedly, they’re not quite as bad as risk management, which can actively prevent a bank from generating revenue and profits if its employees think that a proposed transaction is overly risky (especially nowadays, full of new power and influence in the wake of the financial crisis). Yes, intellectually, a CEO realizes that without spending on IT they’ll be left behind in the technology arms race, but that isn’t likely to make executives feel much better about signing off on ever-increasing bills at a time when the business environment is becoming tougher.
Indeed, the country’s biggest banks are in full-fledged cost-cutting mode. Even JPMorgan, 18 months ago, announced plans to axe 17,000 jobs by the end of this year and trim $1 billion from its expenses. When Citigroup cut $1.1 billion in costs (and 11,000 jobs) at the end of 2012, CEO Michael Corbat made it clear that technology spending wasn’t going to be exempt. "We will further increase our operating efficiency by reducing excess capacity and expenses, whether they center on technology, real estate or simplifying our operations," he said at the time. (Emphasis added.)
Then there’s the fact that banks like JPMorgan and Citi face almost constant computer attacks of a more “normal” kind — phishing, account takeover attempts, identity theft or ATM/point of sale skimming frauds, for instance. If you’re accustomed to fending off a certain kind of cyber attack, that’s probably what you’re looking for. “Most organizations are defending yesterday, even as their adversaries look to exploit the vulnerabilities of tomorrow,” the PwC report concluded.
Some other numbers in that report might help explain why, in spite of all that spending by JPMorgan, the malefactors were able to spend their summer rummaging through the bank’s computer network. While 79 percent of survey respondents believe they are prepared to deal with a cyber attack, that’s 5 percent fewer than felt that way only a year earlier. And the banks that responded to the PwC survey reported that they detected 169 percent more computer security incidents in the year prior to the survey than they had in the previous year; loss or damage of internal records almost doubled.
Hackers are only going to become more sophisticated. If banks are to better combat this threat, it’s going to require more than dollars.