SASB Speaks: Finance is going tech, but how secure are the clouds?

Investors should assess the robustness of data security.

The second of SASB’s regular columns on sustainability issues materially affecting companies across sectors. The first, by Michael Kinstlick, is here.

The global fintech industry, i.e. the use of software to provide financial services, is now growing at over 60% annually, and large financial institutions are at the forefront of placing their bets on financial tech startups.

In 2016 alone, notable acquisitions include Ally Financial’s purchase of an online trading firm TradeKing Group for $275 million and BlackRock’s acquisition of FutureAdvisor, a firm specializing in robo-advice investment, for $150 million. JPMorgan went even further by organizing a six-month program called In-Residence, through which the bank would foster fintech startups in-house and investing in the most promising ones. By 2015, global investment in financial technology ventures reached $22.3 billion with 27 startups exceeding $1 billion valuation.
While financial institutions have always been among those using technology for data processing, the use of consumer information is a more recent trend. Specifically, another seemingly fast-growing segment of the financial services industry is mobile banking, with 52% of smartphone owners with a bank account using mobile banking in 2014. JPMorgan Chase has 25 million active monthly users of the bank’s mobile app, Bank of America has 20 million, and Wells Fargo 18 million.
To support the growth of mobile banking, financial institutions are increasingly turning to cloud storage service providers. While the use of the public cloud may help banks save hundreds of millions of dollars, it also may further increase the exposure of customer data to cybersecurity threats and put data security protection outside their direct control.

As these trends continue and more of banks’ operations become technology- and internet-dependent, data security will be an increasingly important issue to manage. The 2016 Cost of Data Breach Study by Ponemon Institute found that the financial industry experiences some of the costliest data breaches, with a cost of $221 per record affected. While cyber-attacks are generally acute events, financial impacts on companies are not only acute, such as cost of compensating consumers for damages and regulatory fines and settlements, but also chronic, such as decreases in revenue related to customer loss.

These are only the costs that can be quantified. There are also costs that are harder to quantify, such as the significant opportunity cost to banks that have weak data security policies and procedures. For example, the growth in mobile banking is slower than it could be, and a recent survey found that 74% of people not using mobile banking cite cybersecurity concerns as the main reason.

Banks understand the need to manage this increasingly relevant issue. According to a survey of over 300 chief information officers from financial institutions with a wide range in assets, 70% of companies will increase their investments in technology in 2017.

The median budget for cybersecurity management of the surveyed companies was $110 million – with money spent primarily on compliance (55% of the respondents), security (53%), and mobile device management (47%).However, the size of expenditures or teams focused on cybersecurity protection may not lead to more secure systems. In 2014, the personal information of 76 million households with accounts at JPMorgan was compromised, which cost the bank $1 billion. In the years leading up to 2014, the bank was spending $250 million annually on cybersecurity measures and employing more than 1,000 dedicated professionals. Bank of America, Citigroup, and Well Fargo have comparable cybersecurity budgets.
According to JPMorgan’s fiscal year 2015 Form 10-K, the company’s cybersecurity expenditures doubled in 2015 and reached $500 million and expected to further increase to more than $600 million in 2016. The firm stated that the budget is spent towards “more robust testing, advanced analytics, improved technology coverage, strengthened access management and controls and a program to increase employee awareness about cybersecurity risks and best practices”.
Sophisticated technology and continuous training of personnel are essential in a world of growing cyber security threats. Companies are also looking to collaborate to promote cyber security. JPMorgan Chase, Goldman Sachs, Bank of America and five other banks are forming a team to tackle the growing issue.
The banks plan to collaborate and engage in rapid information sharing, which could be expected to improve the effectiveness of detection and prevention of cyber-attacks.
In order to evaluate risk, investors need to know how companies are investing to protect the personal information of their clients. Specifically, a detailed discussion of management’s approach to identifying and addressing vulnerabilities and threats to data security, i.e. how the cybersecurity money is being spent, would help investors to identify those better positioned to avoid data breaches and capitalize on growth opportunities.
The annual filings with the Securities and Exchange Commission (SEC) would be the right place for such information to be disclosed. SASB’s analysis of SEC disclosures from the largest companies in the Commercial Banks and Consumer Finance industries shows that while all 20 companies discuss data security, 50% of those disclosures are boilerplate statements that do not provide decision-useful information to investors. Moreover, those companies that provide relevant information to investors do not do so in standardized matter, which prevents cross-company performance comparability.
If financial institutions want to be successful in capitalizing on the growth in Fintech, mobile banking, and cloud computing they need to prioritize strong data security. At the same time, the market needs comparable and consistent disclosure from these companies.
The excitement around Fintech could easily be blunted by just a few major data breaches impacting individual consumers. Therefore, investors should not be blindly placing their bets before assessing the robustness of data security.

Anton Gorodniuk is a Financials Sector analyst for the Sustainability Accounting Standards Board (SASB).