Cost of Neglecting Digital Security: Long-term Consequences for Banks

Financial institutions often underestimate the consequences of a breach. By doing so, they risk misjudging the value of high-quality online and mobile security, says Renata Fischer, SVP Sales of Entersekt.

Around the world, banks and their customers are under threat from increasingly sophisticated cybercriminals. The underworld is often quicker to apply advances in technology for their attacks than large enterprises are able to do in defense. One report released by the Centre for Strategic and International Studies in 2014 described cybercrime as a “growth industry”, noting that “the returns are great, and the risks are low”. According to the organisation, the likely annual cost to the global economy from cybercrime is more than $400 billion. “A conservative estimate would be $375 billion in losses, while the maximum could be as much as $575 billion,” the report stated.

In South Africa, the risks to banks are may be higher. Byron O’Connor and Verusha Moodley of legal firm Cliffe Dekker Hofmeyr, while commenting on the famous hacking of Sony, noted that “while such an occurrence may seem far removed from us, South Africa is in fact one of the foremost countries targeted for cybercrimes. When an organisation falls victim to cybercrime it’s exposed to a multitude of risks that Santam Limited identified as including loss of revenue, loss of data, loss of competitive advantage, industry and regulatory fines and penalties and fraud.”

Costs aren’t what they seem

Despite the threats, financial institutions often underestimate the costs of failed security. As a result, they can seriously misjudge the value of high-quality online and mobile security solutions. That’s a big mistake.

A study released by IBM and the Ponemon Institute has found that South African companies experience greater costs per security breach than the global average. The study, which looked at actual security incidents in 12 territories, assigned the largest costs to lost business. Other costs include forensics and investigations, audits, advisory, crisis management, public relations, marketing and call-centre staff.

Organisations also have to absorb expensive legal and administrative fees associated with any large breach, as well as fines. When the Protection of Personal Information Act comes into play, such fines will be steep. The bill has strong provisions around how consumers’ data must be protected, accessed and stored. Under the new law, companies face a fine of up to R10 million if they breach its provisions.

Previously, banks in this country were handed massive fines by the Reserve Bank for failure to comply with provisions of the Financial Intelligence Centre Act (FICA) designed to stop money laundering. These fines angered and unsettled shareholders. Non-compliance and any resultant penalties can also have a negative impact on credit ratings, especially at this present time, when foreign and domestic problems threaten growth.

“A heavy tax on potential”

Much harder to quantify are the serious opportunity costs banks face for many years after the initial breach. Spending resources on defence draws away money more constructively spent on developing the business, while risk-averse behaviour by consumers and businesses slows the adoption of cost-efficient digital channels and services. Over time, the reduced rate of return for innovators and investors stunts research and development across the industry as a whole.

As it stands, cybercrime statistics in several African countries have suggested that the banking industry is the most affected by cybercrime. According to CIO.com, this is raising concerns that Africa may face “a slowdown in international investment in the financial sector.”

“Another way to look at the opportunity cost of cybercrime is to see it as a share of the Internet economy. Studies estimate that the Internet economy annually generates between $2 trillion and $3 trillion, a share of the global economy that is expected to grow rapidly. If our estimates are right, cybercrime extracts between 15% and 20% of the value created by the Internet, a heavy tax on the potential for economic growth and job creation and a share of revenue that is significantly larger than any other transnational criminal activity.”

Reputational damage

Banks also face reputational damage if they fail to keep consumer data safe. As we have already witnessed among some of South Africa’s banks, one major glitch or breach can do severe harm to consumer trust. Once lost, it can be hard to regain.

Capitec Bank CEO, Gerrie Fourie, drew attention this year to his bank’s enviably strong brand, saying that 26% growth in total retail deposits to R37.8 billion attested to the “trust” it inspired. He was especially pleased with the exceptional growth in users of Capitec’s mobile banking. “This is the most convenient, low cost and safest way for clients to bank,” he said.

In a subsequent interview, Fourie mentioned that around three quarters of Capitec’s new customers had moved to it from other banks. Cost considerations may have drawn them to the relative newcomer, but Capitec’s sterling commitment to digital security has also undoubtedly contributed to its appeal. The bank’s growth story demonstrates how opportunities are there to be taken if you concentrate on the important things. When banks get too hitched on the initial cost of advanced security solutions, they risk making the most costly error that any major corporate can make: losing that all-important brand and reputational capital.

*Center for Strategic and International Studies and McAfee 2014 report, “Net Losses: Estimating the Global Cost of Cybercrime”