Cybersecurity is top of mind for bank executives, but too few lenders are sufficiently conveying their cybersecurity practices to customers, creating a trust gap.
“There are banks out there that have a static website, that talk about information security, and it kind of gives you the bare bones,” said Valerie Abend, global financial services cybersecurity lead at Accenture. “That’s not enough anymore.”
A recent poll from the global professional services firm found that 85% of bank customers say clear communication about cybersecurity practices is essential. However, 28% rate their bank highly when it comes to providing such clarity. Meanwhile, the majority of banks surveyed believe they’re doing well in this area, revealing a discrepancy between how banks and their customers feel about banks’ cybersecurity messaging.
Accenture in October surveyed 600 cybersecurity executives at global banks with more than $50 billion in assets, and 1,400 banking consumers across 17 countries.
Some banks are taking their messaging a bit further, Abend said, spelling out on their websites, “this is how we’re protecting you in the cloud,” or explaining concepts like zero trust (a security strategy focused on strict controls and continuous authentication) or sharing what good supply chain security practices look like. That’s incrementally better, she noted.
The banks with superior approaches, though, are proactively messaging customers within their apps – rather than email – and giving customers security scores or tips, such as encouraging them to enable multifactor authentication. Those banks are also holding webinars specifically for retail customers or midsize business customers, to share cybersecurity information.
Banks going a step further are weaving these messages into marketing opportunities, such as when hosts of a popular podcast talk about customer trust and security during an ad for the bank.
“This is what I'm starting to see the best banks proactively do to enable customer trust,” Abend said.
The top 10% of banks are being proactive and transparent in how they communicate to customers about cybersecurity practices; embedding cybersecurity up front in their strategic initiatives and priorities, rather than treating it like a compliance-based initiative; and they’re empowering their workforces, customers and third parties to detect and deter the latest threats, she said.
That leaves “a lot of room for other banks” to incorporate these practices, said Abend, who previously served as senior critical infrastructure officer at the Office of the Comptroller of the Currency and worked at BNY before that.
Another survey finding: Customers trust banks with their data, but that trust doesn’t extend to banks’ third parties, and the majority of breaches at banks are caused by third parties. Banks are struggling with the volume of third parties they work with and the complexity of those relationships, Abend noted, making supply chain security a top challenge for most banks.
Customers “are not going to care who’s to blame if there is a breach on their data or fraud committed against them,” Abend said. “They’re just going to blame the bank.”
As lenders leverage new technology and artificial intelligence to a greater degree, “they're going to have to really focus on this area of customer trust and cybersecurity and data protection philosophy across the entire supply chain, and not just in the walls of the bank,” Abend said.
Big banks’ cybersecurity teams are also struggling to keep pace with their organizations’ technology adoption efforts, Accenture found. The majority of bank executives say bad actors have a leg up in leveraging artificial intelligence to conduct their attacks, versus the banks’ ability to prevent them, Abend noted.
Banks should not only consider how they can employ AI capabilities for their own security purposes, but also must empower their workforces, customers and third parties with current information on AI-powered threats and help them quickly evolve, she said.
Most banks’ threat intelligence teams use reports issued by companies that scan the dark web. But the lenders in the best position have analysts going into specific dark web chatrooms to monitor evolving deepfake tactics and techniques twice a day, Abend said.
“Any time there is a material evolution in the approach in which they're using that AI-generated deepfake, [analysts] immediately go and use that information to educate their executives, to change their internal security awareness training, to go out and communicate to their supply chain partners, and even to incorporate in their customer webinars,” she said.
