US, Oct 1, 2020, ZEXPRWIRE, Cyberthreats were already at the top of the agenda for most Financial Institutions (FIs), pre-pandemic. However, they have taken on a whole new meaning in a context where institutions’ financials are squeezed on multiple fronts–from low interest rates, to increased capital spending, to digital transformation, and growing loan losses. The complexity and the cost of shielding themselves and their clients, compounded by the losses coming from successful attacks and punitive regulatory fines (a very recent example being Capital One fined $80 million for the 2019 hack of 100 million credit card applications) are making the situation very challenging for banks. If you add to that the shortage of expertise combined with the acceleration of digital transformation initiatives, it is easy to see a looming disaster. FIs have to up their game, quickly and materially, meaning: 1) allocate more capital to cybersecurity strategies (in many instances they need to develop such a strategy in the first place), 2) increase the mindshare of the Board & C-Suite regarding the issue, and 3) alter their approach from being reactive to proactive/predictive when it comes to cyber-threats. Smaller institutions, such as T2-3 banks, will have the most difficulty adapting due to the additional challenge of supporting these sizable costs with a smaller profit base.
Parallel to developing a holistic cybersecurity strategy and allocating more capital, several further steps will help large and small players to face down this potential Armageddon. The first and best option would be to develop an industry utility/ Center of Excellence/institute pooling resource out of large and small FIs in areas such as anti-fraud security, predictive intelligence, and autonomous systems. Doing so would accelerate their agenda and make it more financially palatable. Clearly, the current limited collaboration between banks won’t cut it (such collaboration is often limited to sharing information once a threat has been detected, which happens on average less than six months after an attack has taken place and companies have been breached). The second option would be less ambitious, but still helpful: heightened collaboration between banks, such as sharing strategies, best practices, and results from pilots/POCs. Along that line, if T1 banks would commercialize some of their cyber infrastructure to T2-T3 banks, it would allow smaller banks to operate more safely.
Cybersecurity is too important a topic for our economies and societies to ignore. If even a couple of institutions were to fall due to cyberattacks, we would be back to the bailout dynamic of the financial crisis, which would endanger stability, erode confidence in the system, and be extremely costly to the taxpayers. No one wins in this scenario, even the unaffected banks.
From an investor perspective, due to the growing risks associated with cyberattacks, banks are becoming inherently riskier investments while returns, due to the costs of putting solid, holistic cybersecurity strategies in place, are decreasing. This emerging trend has not yet permeated most analysts’ reports, despite its inexorability. Investors will have to get smarter regarding cybersecurity when allocating capital in the financial services space. The silver lining would be for banks to take the lead in packaging and commercializing their cybersecurity capabilities, as well as for some of them to take the lead in creating a cybersecurity industry utility.
More barriers to entry and less attractive risk/return profile for early-stage Fintechs
These days, banks’ CISO groups will more rigorously scrutinize B2B Fintechs during the procurement process. Considering the already punitive and lengthy process (akin to a colonoscopy) in most FIs, that might be difficult to envision. However, any banks that are intensifying their cybersecurity focus will look with renewed interest at their partners’ cybersecurity practices in order to mitigate their own risks. Fintechs that touch clients’ data, in particular, can expect longer sales cycles and more costs and challenges to be involved in partnering with large banks. This is not good news, especially for early-stage companies.
Another unintended consequence might be an FIs reluctance to announce their partnership with Fintechs to the world, in order to avoid visibility on another vulnerability point. This reluctance translates to less “free” PR for the Fintechs..
Given B2C Fintechs’ own exposure to end-clients (akin to banks), there is a burning need to up the cybersecurity game. This need becomes an even bigger challenge for typically cash-strapped, early stage companies.
Similar to the FI dynamic already discussed, Fintechs also need to increase their collaboration with one another to alleviate the burden of costs and improve client protection. The value of an industry utility is even greater for Fintechs than for banks; if T1 banks already struggle to adequately protect themselves, most Fintechs will face even greater pressures.
The risk-return profile of existing Fintechs is negatively impacted by increased cyberthreats, and as with banks, investors have not yet discounted this dynamic in their valuation process. Once the de-rating exercise takes place, it could create more barriers to entry when it comes to launching new Fintechs (on top of requiring them to raise more capital to address the cybersecurity conundrum). The opportunity for some Fintechs to pivot and commercialize their cybersecurity capabilities might in some cases be a great avenue.
About Peggy Van de Plassche
Peggy is a Senior Advisor to PE/VC funds, Fintechs, asset managers, and banks. She focuses on growth and transformation via strategic partnerships, sales process optimization, products & geographies expansion, product roadmap validation, and client procurement process navigation.
Peggy has spent close to 20 years in the IT and financial services industries as an advisor, executive, investor, entrepreneur, and board member in leading financial institutions, as well as software and IT services companies such as BMO, CGI, CIBC, FrontFundr, Invest in Canada, and Zoom.ai.
Her client base includes Fortune 500 companies and leading organizations such as BMO WM HOOPP PE, Impak Finance, OMERS VC, Portag3 VC, and Wondeur AI.
For more information:
Linkedin profile: https://www.linkedin.com/in/peggy-van-de-plassche/
Email: [email protected]
Ema Norton grew up in Chicago. Her mother is a preschool teacher, and her father is a cartoonist. After high school Ema attended college where she majored in early-childhood education and child psychology.
Disclaimer: The views, suggestions, and opinions expressed here are the sole responsibility of the experts. No Fortune Thinker journalist was involved in the writing and production of this article.