Every business in every industry is concerned about cybersecurity — and if it isn’t, it should be. While cyberattacks can threaten a company of any type and size, the financial services market is — unsurprisingly — a top target for cybercriminals and fraudsters.
Eighty percent of FinServ executives, surveyed by FICO for its “USA — Views from the C-Suite Survey 2018,” said they expect overall cyberthreat and data breach levels to increase in the coming year, more than any other industry except retail and eCommerce. In the past year, more than a third of executives in financial services companies said cyberattacks and incidents at their firms increased by as much as 25 percent.
The rising anxieties over cyberthreats are, by no means, exaggerated. However, understanding the severity of the threat of cyberfraud and acting accordingly against that threat don’t always go hand in hand, even for large financial services firms.
“A lot of times, companies trying to fight fraud will panic, or they won’t have the answers they need,” said Brian Pozza, executive director at Outlier Analytics. “So in response, they end up buying more and more [tool] ad solutions, and layer them on top of each other. It turns out to be a very inefficient process, and an expensive process.”
Though the corporate community — and particularly the financial services community — is increasingly paying attention to the risk of cyberfraud, these organizations are all at different points in their understanding of these threats, which specific threats they face most and how to adequately mitigate the risks. Pozza noted that one of the biggest realizations to emerge among FinServ players today is that there is no “silver bullet,” yet the solutions on offer are designed as one-size-fits-all.
“There are lots of different solutions on the marketplace, and they all focus on a specific segment and specific type of fraud,” he said. Fraud continues to rise, he continued, offering a lucrative opportunity for antifraud and cybersecurity solutions providers to continue pumping out new solutions — which organizations quickly adopt, adding more layers to their cybersecurity strategies.
One of the main reasons this approach goes awry is that corporates are all at different places in their understanding of fraud risks.
“I’ve seen just as many companies that do have a good sense of what their business fraud exposure is as there are companies that have no idea,” said Pozza. “Even some of these large, multinational banks that have the people and data and tools, but one of the most basic fundamentals around monitoring your fraud exposure seems to be lacking.”
An overwhelming deluge of cybersecurity solutions providers, all assuring customers that they are experts, isn’t helping matters, Pozza added. In reality, it’s not always clear exactly what the fraud landscape looks like at any given time. Research reports aim to build awareness of cyberthreats, he said, but readers cannot be certain how robust the data may be. Furthermore, there is no single way to streamline and monitor the information that’s out there today, which may lead to contradictory or misaligned findings.
That can be particularly true in the area of internal fraud. It’s not surprising that the data on internal fraud is lacking, considering businesses may not be willing to share that type of information with researchers, or may not even know that employees or business partners are committing fraud. Analysis from PricewaterhouseCoopers (PwC), published earlier this year, emphasized that internal fraud can be traced back to both full-time and part-time workers, and can appear in different ways, including insider trading, theft or cyber vandalism. Researchers at PwC forecast a rise in the focus on internal risk analysis in the financial services space, “both to protect against nefarious behavior and to identify workers who may have been unknowingly compromised,” the report concluded.
“It’s a sensitive topic,” said Pozza. “There may not be a lot of information around people recognizing that internal threat, but the topic is starting to surface more and more.”
Financial institutions (FIs) and other services providers in the industry have begun to embrace external consultants to develop their cybersecurity solutions, he noted, meaning these enterprises can gain an unbiased assessment of their risk exposures, both internal and external.
Data analytics are critical to assessing and addressing the risk of fraud, and are at the center of Outlier Analytics’ strategy — deploying machine learning to analyze how an organization’s existing systems and solutions are working, then designing a custom cybersecurity strategy based on the findings.
This approach means that financial services organizations’ digitization journeys are especially important for arming cyber analysts with the data they need. But data analytics is no silver bullet, either, considering organizations are all at different points in that journey. Research from Forbes pointed to a hesitancy among FinServ firms to be first adopters (instead preferring to be “fast movers” on new technologies), as well as legacy infrastructure and cost barriers, as top hurdles to digitization.
However, blindly adopting dozens of cybersecurity technologies won’t do the trick, either. It’s why Pozza said an external partner must come in to gauge where a firm’s unique risks exist, and how effective (or not) their existing tools and strategies may be.
“We can tell you which solutions — whether they’re predictive scores, or vendor solutions — and … which combination of items are the best predictors and performers for detecting fraud,” he said. “That way, the organization can go through and say, ‘I now know this group of items [is] helping, and this other group of solutions — processes, time, people — [is] not adding any incremental value, so I can eliminate them.’”