As cybercrime has increased in volume and intensity, many organizations have come to rely on cybersecurity scorecards to help evaluate the security preparedness of both themselves and the third-party firms they have relations with. Obviously, that includes banks and financial institutions.
Building cybersecurity into scorecards is a good thing. Still, many corporations are slow to build cybersecurity analysis of their banks into their scorecards, or to evaluate how banks build cybersecurity into their own scorecards.
“I work with multiple global banks, and I cannot say that I have encountered one that has approached me with building cybersecurity in their scorecard review process,” says Lee-Ann Perkins, assistant treasurer at oil and gas company Ion Geophysical Corporation in Houston, Texas. “Many of the banks provide cybersecurity training and act as a partner in the mutually beneficial process of protecting financial transactions — but to date, that’s the extent of the review and measurement process I have been involved with.”
“Interestingly enough, one of our rating agencies has approached me about cybersecurity,” Perkins said. “They are building a model to use as a scorecard in evaluation ratings. If they are doing it, I fully expect the banks to follow. I am surprised the banks have not led this process.”
Surprising indeed, considering how rapidly cyberattacks are increasing in number and intensity. A recent cybersecurity study says cybercrime has seen a 600% increase since the start of the pandemic. Another study says that by the end of 2021, the financial toll taken by cybercrime will top $6 trillion.
Among the victims, 67% of financial institutions reported an increase in cyberattacks last year, and 79% of financial CISOs say threat actors are employing more sophisticated methods of attack.
Despite the statistics, many banks appear to be laggards rather than leaders.
“I haven’t seen either of my transitional banks include anything about cybersecurity controls or tools into their scorecards. It will be something that I ask them to do going forward, but it isn’t part of the process at this time,” says William Lundeen, assistant treasurer at Indivior Inc., in North Chesterfield, Virginia.
The common practice for many organizations seems to be ‘trust, but verify,’ notes the assistant treasurer at a global manufacturing company.
“Banks will support our efforts, but most support comes from us proactively reaching out,” the assistant treasurer said. “We don’t directly incorporate within a scorecard. However, when we established the banking relationship, we made the decision that they can support our needs — security, new products, IT formats, etc. If we develop a different opinion, then we work closely with the bank to see if they can make us feel comfortable, or we would change banks.”
As cybercrime continues to rise, make sure your organization is prepared for these attacks by downloading AFP’s Payments Guide to Combating Fraud in a Remote Working Environment. This guide examines how fraudsters have adapted their tactics to the current, remote working environment and what you can do to thwart their efforts.