Cyber controls for banks during COVID-19 and beyond
It's an unfortunate fact that fraudsters tend to prey on unexpected events or challenges. When normality becomes disrupted, they see an opportunity they can exploit.
It shouldn't be a surprise, therefore, that the COVID-19 pandemic has brought with it a significant increase in fraudulent activity. For many people, life has become suddenly very different and unusual, making them potentially more susceptible: working from home instead of the office, juggling childcare, worrying about finances and the future. Businesses too are facing some significant worries over cash flow and revenues, with companies around the world applying for emergency loans or government-backed support.
This all makes personal and corporate banking customers a natural target for fraudsters. And indeed, banking clients have told us that there has been a significant rise in the number of 'phishing' emails connected to COVID-19 being sent to customers – emails that look like they are from the bank and that may be about financial support available in the wake of the pandemic, but which are actually a lure asking customers to provide or 'validate' their account credentials or identity information on a look-alike site. Other emails carry a link or attachment that installs malware on the customer's device once it is clicked or opened.
There has also been an increase in call center fraud. Fraudsters may engage in what we call social engineering – posting innocent-looking 'fun' questions on social media platforms, such as 'what was the name of your first pet?', in order to gather exactly the kind of personal detail that call centers use to verify identity. With those answers, an impersonator can pass the bank's security questions or make a false insurance claim in the victim's name.
These ploys are nothing new, but the volume of such attempts has certainly spiked. Banks are proactively working to raise awareness amongst customers and providing guidance on the basics of good security. Some are taking enterprising approaches – for example, replacing on-hold music at call centers with recorded tips and advice on staying safe.
The staff remote connection challenge
However, it's not only customers that banks are having to work hard to protect: there is an increased risk with staff as well. It is perhaps one of the unintended consequences of the mass migration to working from home that fraudsters have been handed a new and very tempting field of play. Employees could be more vulnerable to phishing emails and other scams. The threat is what we call the 'hostile home network': in a household, multiple family members could be on the same network, clicking on links and content of many different kinds, and a compromised family device shares that network with the corporate laptop. Unless the endpoint controls are in place to treat the home network as untrusted (a host firewall, endpoint detection and response, disk encryption and a VPN that carries all corporate traffic), malware on that network has a path into the firm's enterprise.
There has also been a huge rise in the use of video conferencing facilities. But some of these have been shown to have sub-optimal security defaults, such as meetings that anyone with the meeting link or ID could join because no passcode or waiting room was set, with suspected instances of uninvited parties eavesdropping or even hijacking the conversations.
Banks of course have sophisticated and established connectivity and IT systems and already enable many staff to work remotely when needed. But the huge jump in the number of staff at all levels of the organization needing remote access has created an initial challenge even for them. Some staff may have lacked the hardware or software needed to access the bank's Virtual Private Network (VPN), leading to IT teams loosening some controls in the short term, for example by allowing access from personal devices that the bank does not manage.
What COVID-19 has created is effectively a huge monitoring challenge. Banks (and indeed all businesses) need to ensure that remote users are who they say they are, and that their behavior is consistent with what would be expected. This is difficult when users may be logging in not only from company-issued laptops but also from their personal phones, tablets and other devices. The usual BYOD (bring your own device) rules that allow remote access only from a single registered, managed device may have had to be relaxed. In addition, staff are most likely not following their usual work patterns (logging on at around 9am, logging out at around 5pm) but may be working in bursts across different hours due to child care and other duties. A rule that simply flags logins outside office hours now generates noise for half the workforce. So, how do monitoring systems spot genuinely 'unusual' patterns of activity, for a given user, and flag them for further investigation?
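One practical answer is to baseline each user's own recent behaviour (hours, devices, locations) and flag only departures from that, rather than from a company-wide office-hours rule. The following is an added illustration written for this article, not code from any bank or from KPMG; the log format, field names and the sample login events are all constructed for the example.

```python
"""Per-user behavioural baselines for remote-access logs (added example).

A fixed 09:00-17:00 rule flags a parent who now works in evening bursts
every day, while a baseline learned from that user's own recent logins
does not, yet still catches a login from an unknown device or country.
Event format (user, ISO timestamp, device_id, country) is assumed for
the example; real VPN or identity-provider logs carry more fields.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events from a 'baseline' window: (user, timestamp, device_id, country).
BASELINE_EVENTS = [
    ("alice", "2020-04-01T09:02:00", "lt-alice-01", "CA"),
    ("alice", "2020-04-02T08:55:00", "lt-alice-01", "CA"),
    ("alice", "2020-04-03T09:10:00", "lt-alice-01", "CA"),
    ("bob", "2020-04-01T21:15:00", "lt-bob-07", "CA"),  # works evenings after childcare
    ("bob", "2020-04-02T22:05:00", "lt-bob-07", "CA"),
    ("bob", "2020-04-03T20:40:00", "lt-bob-07", "CA"),
    ("bob", "2020-04-03T06:30:00", "lt-bob-07", "CA"),  # and early-morning bursts
]

# Constructed events to score against the baseline.
NEW_EVENTS = [
    ("bob", "2020-04-06T21:30:00", "lt-bob-07", "CA"),          # normal for bob
    ("alice", "2020-04-06T03:12:00", "phone-unknown-3", "RU"),  # hour, device and country all new
    ("alice", "2020-04-06T09:05:00", "lt-alice-01", "CA"),      # normal for alice
]


def fixed_hours_rule(event, start=9, end=17):
    """The crude rule: anything outside office hours is 'unusual'."""
    hour = datetime.fromisoformat(event[1]).hour
    return [] if start <= hour < end else ["outside 09:00-17:00"]


def build_profiles(events):
    """Learn, per user, the hours, devices and countries seen in the baseline window."""
    profiles = defaultdict(lambda: {"hours": set(), "devices": set(), "countries": set()})
    for user, ts, device, country in events:
        profile = profiles[user]
        profile["hours"].add(datetime.fromisoformat(ts).hour)
        profile["devices"].add(device)
        profile["countries"].add(country)
    return profiles


def _hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 0 are one hour apart)."""
    diff = abs(a - b)
    return min(diff, 24 - diff)


def baseline_rule(event, profiles, hour_slack=1):
    """Flag only what differs from this user's own recent behaviour."""
    user, ts, device, country = event
    if user not in profiles:
        return ["no baseline for user"]
    profile = profiles[user]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    # Tolerate +/- hour_slack around any hour the user has previously been active.
    if not any(_hour_distance(hour, h) <= hour_slack for h in profile["hours"]):
        reasons.append(f"hour {hour:02d} outside user's usual hours {sorted(profile['hours'])}")
    if device not in profile["devices"]:
        reasons.append(f"unknown device {device}")
    if country not in profile["countries"]:
        reasons.append(f"unknown country {country}")
    return reasons


def score_events(new_events, baseline_events):
    """Return {event: (fixed-rule reasons, baseline-rule reasons)} so the two can be compared."""
    profiles = build_profiles(baseline_events)
    return {e: (fixed_hours_rule(e), baseline_rule(e, profiles)) for e in new_events}


if __name__ == "__main__":
    for event, (fixed, baseline) in score_events(NEW_EVENTS, BASELINE_EVENTS).items():
        print(event)
        print("  fixed-hours rule :", fixed or "ok")
        print("  per-user baseline:", baseline or "ok")
```

Bob's 21:30 login is flagged by the office-hours rule but not by his own baseline, while Alice's 03:12 login from an unknown phone in an unfamiliar country is flagged on all three dimensions, which is the kind of event that merits an analyst's attention. In production the baseline window should be long enough to cover the new working patterns but short enough to decay, and a new device should trigger step-up authentication rather than just an alert.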
Trader surveillance interrupted
Another important area is trader surveillance. Regulatory rules require that traders' calls are recorded and monitored. But traders have been working from home, where the desk telephony that does the recording is absent, and calls have gone unrecorded. Some banks have begun bringing traders back to the office, but others are still working from home. Regulators have allowed some short-term leeway here, given the importance of keeping liquidity flowing in the marketplace, but it is a situation that can't go on forever. In the meantime, banks are sure to be scrutinizing trades themselves very carefully for signs of anything unusual, since the voice record that would normally accompany them is missing.
All of these issues only underline the key importance of strong information security, cyber and anti-fraud controls. It is an area that will continue to be a major focus as we move into the post-COVID recovery. Another factor at play here is that, due to lockdowns, banks are expanding the range of self-service options available to customers online: wealth management trades, mortgage and loan applications, and so on. Each new self-service function is also a new target for the credential-phishing described above, so ensuring robust security controls, including strong authentication, are in place over this new customer functionality becomes even more essential.
Priorities for the future
Looking forward, we see two key trends arising out of this experience. Firstly, with levels of remote working likely to remain higher than they were pre-COVID-19, banks may need to 'reset' some of their protocols and policies around access management, finding ways to increase flexibility without compromising security. They are also likely to look for more secure video conferencing services.
Secondly, we anticipate an increase in banks moving parts of their IT operations to public cloud environments. Most banks use their own private clouds at present. But in a lockdown and other emergency situations, these can be challenging to maintain. If a security patch needs to be rolled out across a system, for example, a bank running its own private cloud owns the whole process, from the data-center hardware upwards, and parts of that process may still assume staff on site. With public cloud, the provider patches the underlying platform and its managed services, and the bank's own patch management and other security operations can be automated and run remotely. For this move to happen, public cloud operators will need to meet the very specific and stringent extra security requirements that banks are likely to have. But we expect the will to be there on both sides to make it work. It may be phased and gradual, but is likely to be a trend over the coming years.
Alongside all the other pressing issues of supporting customers and providing liquidity, cyber security will remain a top priority for banks for the future.
© 2020 KPMG LLP, an Ontario limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.