Cyber risks to your finances are rising as big banks rely on the oligopoly of big tech

Alarms are being raised about the threat posed by sourcing technology from a small cluster of tech companies that do business beyond the reach of financial watchdogs

It is often said that practice makes perfect. Maybe that’s why a few of Canada’s larger financial institutions were recently asked to participate in what one regulator called a “severe but plausible cyber scenario.”

That scenario, as it was explained to the Senate of Canada’s banking committee on Feb. 28, “involved a data breach of customer information at a third party that led to a spike in bank accounts being hacked and drained of funds.”

The roundabout risk posed by a tech-related third party has the attention of those charged with keeping watch over the financial system. Recent comments from regulators suggest they are very aware of the intersection of big banks and big tech, which comprises a small group of heavyweights.

A PricewaterhouseCoopers report cites security as an ever-present risk in the banking business, similar to other sectors. Photo by Brent Lewin/Bloomberg

For instance, the Office of the Superintendent of Financial Institutions reviewed the companies’ responses to “assess the institutions’ detection and prevention capabilities, as well as how they might react to a quickly evolving cyber event,” said Judy Cameron, a senior director at the regulator.

The reason for their interest is that banks keep huge amounts of personal information and money in their care, and alarms are being raised over the possible threat posed by sourcing technology from a small cluster of tech companies that do business beyond the reach of the financial system’s watchdogs.

As an official from the Bank of Canada summed it up for the banking committee: “If everyone is using Amazon Web Services for their cloud computing, then … there’s a new vulnerability.”

The idea of third-party tech-related vulnerability problems comes as banks undergo a great digital transformation, shuttering brick-and-mortar branches and pouring billions of dollars into technologies to manage and upgrade their businesses.

The future for financial institutions involves mobile and online banking, as well as the potential use of artificial intelligence and automation to reduce costs.

“Canada’s Big Six banks are transforming key aspects of their front and back offices as they continue to modernize their cores,” noted a recent report from PricewaterhouseCoopers. “Yet cyber risks are an ever-present element in banking, as is the case in other sectors.”

The banks’ transformation itself could be breeding risk as well, according to a white paper, called Innovation-Driven Cyber-Risk to Customer Data in Financial Services, that was published by the World Economic Forum on March 6.

The paper said “technology-driven innovations,” such as digitization and robotics, are increasing how much customer data could be at risk and “enabling” more complicated cyberattacks.

“Newer is not always better,” the report added, “as organizations can also face challenges around ensuring the security of new software programs, particularly those created by third parties.”

***

Carolyn Wilkins, deputy governor of the Bank of Canada, has concerns about the concentration of cyber providers to Canada’s large financial institutions. Photo by David Kawai/Bloomberg

Cyber risk in the financial sector is already all too real. The banks had reported eight “major” cyber-incidents since 2016, Cameron told the Senate banking committee on Feb. 28. Though none of those incidents affected the banks in a material way, she added that OSFI, Canada’s banking regulator, also requires financial institutions to advise of “noteworthy” cyber-incidents, and it usually gets two or three of those per quarter.

Eliminating those risks isn’t as simple as closing the digital door. Cameron said consumers have come to count on ongoing innovation in their banking services, noting that the shift from cash and cheques to e-transfers and tap-to-pay features was made possible “because financial institutions have leveraged technology to develop highly integrated systems with a wide variety of partners.” 

But there are concerns they do not have a wide variety of partners available for all digital services, and that there could be problems if, for example, the banks all wound up using the same brand of anti-virus software, or the same data storage platform.

Carolyn Wilkins, the Bank of Canada’s senior deputy governor, mentioned the third-party issue in a Feb. 8 speech at the G7 Symposium on Innovative and Inclusive Growth. The speech took special aim at the tech industry, with Wilkins saying the size and market dominance of some firms “raise many of the usual concerns about the potential effects of monopoly power.” 

Wilkins also told her audience that one area where there could be a better strategy is in managing the risks associated with a small group providing digital services to systemically important financial institutions.

“Top of mind for me are the growing operational risks, including the cyber risks, from a very concentrated set of third-party service providers that our financial institutions use — cloud services or data aggregators,” she said. “We’re going to need to judge wisely when it’s best to use public policy tools to manage the risks, and when it’s best to let private enterprise work its magic.”

The Basel Committee on Banking Supervision noted in a February report that many banks and financial institutions have been partnering with “bigtech” firms, such as Amazon.com Inc. or Alphabet Inc.’s Google, “which then become relevant third-party providers in the financial system.” Photo by Spencer Platt/Getty Images

Sean Mullin, executive director of the Brookfield Institute for Innovation + Entrepreneurship, said that what he gleaned from Wilkins’ comments was the possibility of a new area of risk, however unlikely it could be. 

“Because without knowing how these services are apportioned amongst banks and other institutions, we don’t know how concentrated they are on the service-provider level,” he said. “And so if, let’s say, all five banks and a bunch of insurance companies all happen to have used Amazon’s cloud services, and that somehow got hacked, that would be one point of defence. That would then allow all the financial institutions’ data from across the whole country to potentially be compromised.”

It’s a different concern from the one that usually comes up when big tech and banking are mentioned together, which is typically about the likelihood of a digital giant wanting to become a bank. 

But banks, like other businesses, rely on third parties for some services, even simple ones such as keeping the lights on, and increasingly use technology companies, and big ones at that.

The Basel Committee on Banking Supervision noted in a February report that many banks and financial institutions have been partnering with “bigtech” firms, such as Amazon.com Inc. or Alphabet Inc.’s Google, “which then become relevant third-party providers in the financial system.”

The committee added: “It will therefore be important to properly monitor and assess the concentration risk, given that bigtech firms could become systemically important.”

Banks could snuff out the market risk from a fintech startup by buying it, but the same can’t be said of tech companies with massive market caps. Those same tech companies are the ones banks could also turn to for relatively mundane services, such as storage. 

“We have basically an oligopoly that’s forming in infrastructure around data management, around cybersecurity, around cloud storage, around computation, I would say, with all the platforms that are used for machine learning and data processing, data analytics,” said Jean-Philippe Vergne, an associate professor and co-director of the Scotiabank Digital Banking Lab at the University of Western Ontario’s Ivey Business School.  

The regulators, he adds, see no reason to take action because the companies provide economies of scale, and the prices of these services keep decreasing, which makes banks and their customers happy.

***

Ottawa has recently announced a federal cybersecurity plan. Photo by Justin Tang/The Canadian Press

Canadian regulators have made it clear that they have not forgotten about third-party tech risks. For example, OSFI has a guideline for federally regulated financial institutions and their interactions with outside service providers.

A spokesperson for the regulator said federally regulated entities may have some flexibility, but they have “ultimate accountability” for their outsourced activities.

“Furthermore, OSFI’s supervisory powers should not be constrained, irrespective of whether an activity is conducted in-house, outsourced, or otherwise obtained from a third party,” the spokesperson said in an email.

“OSFI does monitor trends and developments related to third-party service providers and fintech and we expect institutions to have processes and controls in place to manage their risks, including those from potential concentration.”

But OSFI, according to current legislation, is not mandated to regulate third-party service providers or fintechs. Any change to those marching orders would have to come via legislation.

The federal government has proposed a number of commitments aimed at bolstering cybersecurity, such as updating a national strategy.

Annette Ryan, an associate assistant deputy minister in the federal finance department, told the Senate banking committee that they have also been talking to partners in the G7 economies about third-party risks, which can come from another sector or industry.

“Assessing those risks and planning measures to harden systems against those risks is actively underway,” Ryan said.

The banking sector, like many others, is still wrestling with a big tech dilemma, including any third-party risks.

“There will be new resources coming for those critical cyber systems, and then beyond that, we’re trying to identify, well, what are the next wider set of concentric circles out?” Ryan told the Senate committee, which is studying the issues and concerns around cybersecurity and cyber fraud.

Mullin sees that debate as one that is just starting.

“And it’s one that I think if there’s an easy answer,” he said, “we’d be gravitating towards it by now.”

Financial Post

• Email: gzochodne@nationalpost.com | Twitter: GeoffZochodne
