Banks operate in a digital economy where threats are constantly increasing. In the third quarter of 2023, the number of unique cyber incidents doubled compared to the previous year. It has become essential to put in place safeguards for banking customer data throughout the customer journey, from acquisition to engagement, retention and even customer exit. With AI-based malware creating a new generation of attacks, traditional cybersecurity methods are no longer sufficient. The new threat landscape requires systems that can adapt and evolve in real time and actively resist new forms of threats.
Cybersecurity is essential for banks
Banks around the world are increasing their spending on cybersecurity, as would be expected in an age of constant and evolving threats. However, this figure increased slightly in North America, to 4.3% in the first quarter of calendar year 2024, compared to 4.0% in the rest of the world. The average cost of a data breach in 2023 reached $9.5 million in the United States (the highest in the world) and $5.1 million in Canada, compared to a global average of $4.4 million, due to system complexity, lack of security skills and regulatory compliance. While banks are increasing their spending faster than their global counterparts, cybersecurity still occupies a smaller share of North American banks’ budgets, accounting for 23% of budgets compared to 25% for banks worldwide.
One reason North American banks are lagging in cybersecurity may be the challenge of finding talent. Cybersecurity tops the ranking of technological difficulties, with a difficulty score of 30 (a higher score means the skills are harder to acquire). This score is higher than the global average of 25 and surpasses AI and cloud in terms of difficulty. In terms of skills, cybersecurity talent accounted for 49% of technical hiring in North America, compared to a global average of 35%.
AI: Cybersecurity Defender or Offender?
AI is both a threat and a defense. Its predictive capabilities improve the speed of fraud monitoring and detection, making fraud prevention more productive while improving the customer experience. But malicious actors are also using it to commit cyber fraud.
Banks need to detect vulnerabilities and deploy patches and security controls more effectively and efficiently. This is where AI comes in. AI-powered fraud detection systems analyze transactional data in real time to detect suspicious activity and flag anomalies such as large withdrawals, frequent transfers to a new account, or transactions far from the customer’s usual area of activity. JP Morgan, for example, uses AI to analyze transactions on its network, identifying potential fraud in real time. AI tools are trained to continuously learn from each attack, improving their defense mechanisms. When vulnerabilities or threats are detected, automatic alerts are sent to relevant stakeholders, speeding up responses and mitigation measures. Wells Fargo uses a machine learning model to identify and adapt to sophisticated fraud attacks in real time and reduce false positives.
AI is improving defense tactics, and attack methods are evolving as well. There is an increasing focus on identifying security vulnerabilities, spanning a range of attacks from poisoning, pattern extraction, and evasion to prompt injections and pattern leaks. AI systems can amplify cyberattacks using audio and video deepfakes, resulting in increasingly sophisticated, adaptable, and difficult-to-detect threats. As the capabilities of large language models (LLMs) expand, so does their potential for misuse. Cybercriminals are creating increasingly sophisticated malware with alarming ease. Their coding prowess is accelerating, resulting in more complex and advanced capabilities than ever before. Polymorphic malware demonstrates a new level of sophistication by dynamically adapting to evade antivirus and antimalware defenses, skillfully slipping under the radar to evade detection.
Strengthening end-to-end defenses
Banks must continue to develop dynamic defenses to not only respond to the ever-changing threat landscape, but also monitor the evolution of AI to anticipate potential new threats. Key defense strategies include implementing a zero-trust environment, which restricts access to necessary assets and data and requires authentication at every step. Other strategies include multi-layered security protocols, continuous monitoring, and regular employee training. Defenses specific to financial services institutions include:
- Customer integration: In addition to the robust identity verification required by KYC/AML regulations, AI enhances protections such as encryption. AI/ML algorithms verify customer identities by analyzing identity documents and comparing them to existing government databases. Data must be encrypted during transmission and storage to prevent unauthorized access. ML models optimize encryption algorithms, ensuring robust data protection.
- Customer management: Implement strict access controls to limit who can view and edit customer data. Role-based access ensures that only authorized individuals access sensitive information. AI-based access control systems dynamically adjust permissions based on user behavior, detecting anomalies. AI can also be used to conduct periodic audits to review access logs, identify anomalies, and ensure compliance with security protocols. AI-based data masking protects sensitive information, reducing insider threats. For example, Social Security numbers are not accessible to staff unless necessary.
- Customer exit: Clear protocols should be in place to delete data from closed accounts. Data should be encrypted to protect personal and financial data on exit, and necessary data should be archived to comply with regulations. This includes measures to review inactive accounts for suspicious activity. For example, AI can identify when a customer’s transaction history after a certain date is no longer needed for financial reporting and automatically schedule its deletion, in compliance with data retention regulations. Technology can automatically remove a customer’s Social Security number from a scanned document before it is archived.
Combating cybercrime is an ongoing process that requires banks to continually adapt and evolve their security measures. Yet, banks are struggling to find cybersecurity and AI talent, the Infosys Bank Tech Index confirms. Globally, there is a shortage of nearly 4 million cybersecurity professionals, according to the World Economic Forum. Banks must accelerate their reskilling or rely on their technology partners to find and train the right talent.
To bridge the talent gap and retain the best talent, Infosys partners with banks to demonstrate its strategic commitment to employee development through comprehensive training and reskilling initiatives. The company has already successfully trained thousands of employees in cybersecurity. Additionally, through its learning platform Springboard, Infosys is extending cybersecurity education to communities beyond its organization’s boundaries. This initiative not only addresses skills shortages but also attracts top talent by providing them with opportunities to engage in leading cybersecurity projects, thereby setting industry standards.
About the Author
Ajay is the Regional Head, Financial Services, North America at Infosys and is part of the Global Financial Services Leadership Team. Ajay has over 25 years of experience in financial services and insurance. Over the last decade, he has helped bring digital transformation solutions and advanced insights to financial services clients, improving customer experience and driving greater customer value. He has significant experience in professional services, outsourcing and executive consulting. He has also held leadership roles in business development, client services and service delivery in the financial services and insurance industries.
Currently, Ajay is responsible for the strategic business sub-segments for Regional Banking and Mortgages. Previously, he led sales and relationship management for Financial Services clients in the US Southeast region. And prior to that, he was responsible for global delivery for Financial Services in the new areas – Data, Digital and Enterprise Packages. Over the years, Ajay has won numerous awards for driving sales and delivery, and has a proven track record of delivering industry-leading growth and profitability for his portfolio.