Smaller banks are more vulnerable to cyberattacks than their bigger counterparts as they have fewer resources and less manpower to deal with the growing risks, according to S&P Global Ratings.
Cyberattacks are becoming increasingly sophisticated, and banks have to evolve to address this, Ratings analysts said during a Sept. 13 webinar. Banks are competing to attract skilled personnel to respond to cyberattacks, which may leave smaller banks lagging behind.
"What's really interesting is that the big banks are willing to attract resources. However, if one looks at the smaller banks and maybe some of the mutual banks, they have difficulty attracting resources," said Nico de Lange, director for Financial Institutions Ratings.
Australia, as an example, faces a shortage of an estimated 30,000 cyber professionals over the next four years, and the skills are in high demand at the nation's banks, said de Lange.
Asia-Pacific experienced, on average, 1,835 cyberattacks per organization per week in the first quarter of 2023, higher than the global average of 1,248 attacks, according to a report by cyber threat intelligence provider Check Point Research. Cybercriminals are "finding ways to weaponize legitimate tools for malicious gains," the report said, noting recent examples where AI was used to generate code by less-skilled actors to launch cyberattacks.
Banking and finance was behind only government and military in the ranking of the most-targeted sectors for ransomware attacks, with one out of every 25 organizations experiencing such an attack, 32% higher than in the previous year, according to the April 27 report.
There "is definitely a challenge in getting the right skills, the right people" as banks are competing with each other to attract the right talent, said Martin Whitworth, lead cyber risk expert at Ratings. Companies need to look at automation and use of AI and machine learning to address simpler and repetitive tasks while their staff could upskill and focus on higher-level issues, Whitworth said.
Regulation also plays an important part in managing cyberrisk for financial institutions. The consequences of penalties or fines may incentivize institutions to prioritize cybersecurity risk management, de Lange said.
The Australian Prudential Regulation Authority had found several concerning gaps in cybersecurity among the country's financial services providers. The regulator is evaluating more than 300 banks, insurers and superannuation trustees in their compliance with information security standards.