In the first half of the year, North American banking executives’ spending on cybersecurity actually outpaced that on artificial intelligence (AI). In both areas, talent has proven the most difficult to recruit. These spending insights are part of key findings revealed in the second edition of the Infosys Bank Tech Index, according to Ajay Bhandari from Infosys.
Banks function in a digital economy where threats are constantly rising – there were twice as many unique cyber incidents in the third quarter of 2023 compared to the previous year. Building guardrails for banking customer data across a customer’s journey has gained paramount importance – from customer acquisition, as well as through customer engagement, retention and even at exit. With AI-powered malware creating a new generation of attacks, traditional cybersecurity methods are not enough. The new threat landscape requires systems that can adapt and evolve in real time and can actively resist new forms of threats.
Cybersecurity is pivotal to banks
Banks all around the world are increasing their spend on cybersecurity as might be expected in the time of ongoing and evolving threats. It was slightly higher in North American though at 4.3% in the first quarter of calendar 2024, compared to the 4.0% in the rest of the world. The average cost of a data breach in 2023 reached $9.5 million in the US (the highest in the world) and $5.1 million in Canada, versus the global average of $4.4 million due to system complexity, security skills shortage, and noncompliance with regulations. Although banks are increasing their spend more quickly than their counterparts in the rest of the world, cybersecurity still takes a smaller slice of budgets in North American banks, accounting for 23% of budgets versus 25% among banks in the rest of the world.
One reason why North American banks’ lag on cybersecurity could be the challenge to find talent. Cybersecurity topped the technology difficulty rankings, with a difficulty score of 30 (a higher score means the skills are harder to acquire). This was higher than the global average of 25 and outranked AI and cloud in difficulty. In terms of skills, cybersecurity talent accounted for 49% of North American tech staff recruitment, against the global average of 35%.
AI: Cybersecurity defender or offender?
AI is both a threat and a defense. Its predictive capabilities enhance the speed of fraud monitoring and detection, making it more productive to fight fraud while improving customer experience. But bad actors also use it to commit cyber fraud.
Banks need to detect vulnerability, deploy patches and security controls more effectively and efficiently. This is AI’s strong suit. AI-driven fraud detection systems analyzes transactional data in real time for suspicious activities and flag anomalies such as large withdrawals, frequent transfers to a new account, or transactions far from the customer’s usual activity area. JPMorgan, for example, uses AI to analyze transactions across its network, identifying potential fraud in real time. AI tools are trained to continuously learn from each attack, improving their defense mechanisms. When vulnerabilities or threats are detected, automatic alerts are sent to relevant stakeholders, speeding up responses and mitigation. Wells Fargo uses a machine learning model to identify and adapt to sophisticated fraud attacks in real-time and reduce false positives.
As AI enhances defense tactics, attack methods also evolve. There is an increased focus on identifying security vulnerabilities, covering a range of attacks, from model poisoning, extraction and evasion to prompt injections and model leaks. AI systems can amplify cyberattacks using audio and video deepfakes, resulting in increasingly sophisticated, adaptable, and difficult to detect threats. As the capabilities of large language models (LLMs) expand, so too does their potential for misuse. Cyber criminals are making more sophisticated malware with alarming ease. Their coding prowess is accelerating, yielding more intricate and advanced capabilities than ever before. Polymorphic malware demonstrates a new level of sophistication by dynamically adapting to bypass antivirus and anti-malware defenses, expertly slipping under the radar to evade detection.
Strengthening defenses end-to-end
Banks must continue to develop dynamic defenses to not only respond to the constantly changing threat landscape, but also monitor AI’s evolution to anticipate new potential threats. Key defense strategies include implementing a zero-trust environment, which restricts access to necessary assets and data and requires authentication at every stage. Other strategies are multilayer security protocols, continuous monitoring, and regular employee training. Specific defenses for financial services institutions, involve:
- Customer onboarding: Besides robust identity verification required by KYC/AML regulations, AI enhances protections such as encryption. AI/ML algorithms verify customer identities by analyzing identity documents and comparing them against existing government databases. Data must be encrypted during transmission and storage to prevent unauthorized access. ML models optimize encryption algorithms, ensuring robust data protection.
- Customer management: Implement strict access controls to limit who can view and modify customer data. Role-based access ensures that only authorized people access sensitive information. AI-driven access control systems dynamically adjust permissions based on user behavior, detecting anomalies. AI can also be used to conduct periodic audits to review access logs, identify anomalies, and ensure compliance with security protocols. AI-driven data-masking, protects sensitive information, which reduces insider threats. For instance, social security numbers aren’t available to staff unless required.
- Customer exit: Clear protocols should be in place to delete data from closed accounts. Data must be encrypted to protect personal and financial data at exit, with necessary data archived to comply with regulations. This includes measures to review dormant accounts for suspicious activity. For example, AI can identify when a customer’s transaction history after a certain date is no longer required for financial reporting and automatically schedule its deletion, complying with data retention regulations. The tech can automatically redact a customer’s social security number from a scanned document before it is archived.
Fighting cybercrime is a continuous process that requires banks to constantly adapt and evolve their security measures. Yet banks face issues with finding cybersecurity and AI talent, confirms the Infosys Bank Tech Index. Globally, there is a shortage of nearly 4 million cybersecurity professionals, as per the World Economic Forum. Banks need to speed up their reskilling or rely on their technology partners to find and train the right talent.
To bridge the talent divide and retain top performers, Infosys is partnering with banks to demonstrate its strategic commitment to employee development through comprehensive reskilling and training initiatives. The company has already successfully trained thousands of employees on cybersecurity. Additionally, through its learning platform, Springboard, Infosys extends cybersecurity education to communities beyond its organizational boundaries. This initiative not only addresses skill shortages but also attracts top talent by offering them the opportunity to engage in top cybersecurity projects, thereby setting industry standards.
About Author
Senior Vice President and Regional
Head, Financial Services | Infosys
Ajay is the Regional Head of Financial Services for North America at Infosys and is part of the Global Financial Services Executive Leadership team. Ajay has more than 25 years of experience across Financial Services and Insurance. For the last decade, he has been in involved in bringing digital transformation solutions and advanced insights to clients in financial services, thus improving customer experience and generating higher customer value. He has significant experience in professional services, outsourcing and consulting with executive management. He has also had leadership positions in Business Development, Client Services and Delivery across the industry segments of Financial Services and Insurance.
Currently, Ajay is leads strategic business sub-segments for Regional Banking and Mortgages. Previously, he led sales and relationship management for Financial Services clients in the southeast region of the US. And prior to that, he was head of global delivery for Financial Services in the new areas – Data, Digital and Enterprise Packages. Over the years, Ajay has won multiple awards for driving sales and delivery, and he has a proven track record in successfully driving industry-leading growth and profitability metrics for his portfolio.
Sponsored by:
