The cyber attack on JP Morgan Chase last year is still fresh in our memories.
Over 83 million accounts were compromised, with names, phone numbers, addresses and emails breached, making millions of people vulnerable to phishing attacks. It is one of the worst possible nightmares for a bank.
Closer to home, there was the South Korea cyber attack in 2013, where internet banking servers were compromised, and more recently the incident in Japan, where personal information leaked from the Japan Pension Service.
JP Morgan Chase has not revealed the total cost of the data breach, but it has announced a spend of USD 250 million a year on improving its security.
An oft-quoted study conducted by the Ponemon Institute found that a data breach costs an average of USD 154 per record. Multiply that by the 83 million records that JP Morgan Chase is reported to have lost, and the result is a staggering USD 12.782 billion. The study says that high-profile mega breaches such as this tend to cost even more in reality, not to mention the loss of potential business.
So how is the finance sector dealing with this risk?
According to Operation Waking Shark II, led by the Bank of England to test the banks’ contingency plans against potential cyber attacks, the response has been poor. The report released in 2014 revealed a lack of "central industry coordination" on sharing financial sector information and communicating to the public.
Government-led initiatives are still in their infancy. It took the US until February this year to announce plans to ring-fence USD 14 billion for cyber security. Japan announced in July that it will create a specialised department within the FSA for cyber security, and the UK has also pledged more funds for education on this matter.
In Japan, Financial ISAC (Information Sharing and Analysis Center) was launched in 2014 as an information sharing platform to combat cyber threats. Membership is growing - from 70 banks and financial institutions in July this year, to 130 as of 17 November. But these are all Japanese organisations - and as far as investment banking is concerned, the presence of foreign banks surely cannot be ignored if there is to be an effective stand against cyber attacks.
Individually, however, banks are investing huge amounts of money - and more crucially time - to ensure their compliance officers, auditors and cyber security professionals are technologically proficient enough to deal with the threat.
Future auditors and compliance officers must increase their knowledge in this area and put proper procedures in place to protect information. They cannot simply rely on current procedures and adherence to outdated regulations to combat the threat.
Instead, they must be proactive in identifying future threats and also ensure that the culture of the organisation changes so that every single worker is looking out for potential risks. This requires innovation and creativity in firm-wide governance and training.
However, this is easier said than done, with demand for these professionals well above supply.
It is a frustrating game of cat-and-mouse, but weighing the cost of hiring good, reliable IT security experts against the potential risk of exposing the bank to a cyber attack is not a difficult decision.
With major banks starting to realise this, cyber security professionals are in high demand and organisations are willing to pay premium wages to attract the most skilled professionals in this field.