How Cybersecurity Flaws Impact the Reputation of UK Retail Banks

Vulnerabilities in banking systems are being exploited for personal gain, by cyber terrorists, and even in the name of state-supported cyber warfare. With stakeholders alert to the growing risks, the impact of digital breaches on banks’ reputations can be severe.

Changing threats: cybersecurity in banking

Financial institutions are among the top five sectors hit most frequently by the most brutal cyberattacks. The potential for high-impact, high-profit breaches of banking data is leading to increasingly sophisticated onslaughts. The internet is a battleground filled with those seeking to profit from disrupting banking operations. Cyberterrorism is proliferating, with some digital warfare even apparently state-sponsored.

IT disruption took the top spot in Risk.net’s 2021 global ranking of operational risks facing financial services. Data compromise came in second. In the wake of the coronavirus, remote working created greater exposure to cyberattacks, with ransomware targeting home workers. Meanwhile, VPN access by remote staff opened the door to bank data breaches, and the industry reported a sharp increase in phishing.

But it’s not only changes in the working landscape engendered by the pandemic making banks digitally vulnerable. Trends in Financial Services cybersecurity include rising costs of mega breaches, greater regulatory exposure, more class action litigation, and increasingly complex cyber claims.

Digital vulnerabilities in the banking system

The types of cyberattacks on banks include:

• Unencrypted data: Any unencrypted information lifted by hackers can immediately be employed to exploit customers or damage banking operations. Unencrypted internal data can also be manipulated, inserting errors into banking systems.
• Authentication: Texts and emails verifying customers are vulnerable to hijacking. Lack of complexity around password creation also increases cyber risk.
• Online banking security: Balancing robust security while being user-friendly and not blocking genuine customers is an ongoing challenge.
• Malware: With customers and employees using external devices to access banking systems, malware has multiple opportunities to spread from compromised hardware.
• Phishing: As phishing becomes more sophisticated, banks need to block fake emails and texts, and alert email service providers. Relying on customers to recognize phishing attacks is insufficient.
• Third parties: Suppliers connecting to banks’ systems represent a potential weak point in their defenses. Hackers are increasingly targeting banking data shared with third parties.

The reputational impact of banks’ cybersecurity flaws

Both the risk and realization of these threats can damage banks’ reputations. With mainstream media reporting high-profile cyber failures, stakeholders are rating banks on their ability to avert or withstand cyber threats. Employees, customers, and shareholders are all heavily invested in the ability of financial institutions to deny data breaches. Consequently, content such as the January 2022 Which? Money Report on the cybersecurity of UK high street banks can cause reputational damage.

Highlighting the 97% increase in online banking fraud in early 2021, Which? experts identified deficiencies in specific banks’ front-end security. When the Which? Money Report was released, an analysis by Penta recorded a spike in the volume of wider reporting around banks’ cybersecurity.

Simultaneously, Penta’s proprietary stakeholder sentiment index picked up a significant dip in sentiment scores surrounding cybersecurity for many UK high street banks. The majority dropped to negative sentiment scores ranging from -64 to -66. Only Barclays, at -30, was relatively able to weather the impact of the report and recover more quickly. Barclays received fewer mentions than the average for all banks in negative reporting around cybersecurity in this period.

Neutralizing risks, expanding opportunities

Cybersecurity in banking is also under heightened scrutiny from regulators, with continuous upgrades in data protection and privacy rules. These are accompanied by higher fines and regulatory costs – and the impact is not just financial. In the UK, banks must comply with multiple information security standards. Negative reporting around failure to comply damages corporate reputation. Compliance, by contrast, increases data breach resilience and therefore mitigates reputational risk.

For many years now, banks have developed cybersecurity strategies to protect their data, their systems, and their reputation. Platforms such as UK’s Cyber Security Information Sharing Partnership (CiSP) allow organizations to exchange cyber threat information in real-time, offering situational awareness in order to reduce risk. Its confidential nature reduces the reputational risk associated with publicly reporting cyberattacks.

A transparent cybersecurity plan represents a reputational opportunity for banks to demonstrate to stakeholders how critical digital protection is. Banks can also play a role in educating users and employees on how to avoid phishing and malware attacks, and counter the negative impact of cyber vulnerability.

Penta’s Reputation Intelligence solution is part of Penta’s Stakeholder Intelligence that enables corporates to make better decisions and connect better with their stakeholders. Click here to discover more.