The threat of cyber attacks is a top concern for the UK’s leading banks, with one boss admitting it keeps him awake at night. Senior executives from major financial institutions have revealed the constant pressure from online criminals and the significant costs involved in defence, alongside facing scrutiny over wider IT resilience issues.
Constant Threat Keeps CEOs Up at Night
Ian Stuart, the CEO of HSBC UK, spoke plainly to the Commons Treasury Committee, stating that the threat of cyber attacks “keeps me awake at night.” He described cybersecurity as “top of the agenda” for HSBC and the sector as a whole, highlighting the relentless nature of the attacks. “It does worry me – we can be attacked and we are being attacked all the time,” Stuart told MPs.
This sentiment is echoed by cybersecurity experts. Lisa Forte of Red Goat Security notes that cyber attacks are increasing in both number and severity, with criminals becoming more adept at monetising them. The stark reality, she says, is that it’s now a matter of “when not if” businesses will experience an attack. Professor Oli Buckley, a cyber-security expert at Loughborough University, describes attacks on financial institutions as “relentless” and “increasingly sophisticated.”
Enormous Investment in Cybersecurity
Countering these persistent threats requires massive investment. Stuart confirmed that dealing with IT vulnerabilities is an “enormous” expense for the banking sector. He stated that HSBC UK is spending hundreds of millions of pounds on improving its IT systems and defense mechanisms, calling this work the bank’s “biggest expense”. The scale of operations – processing 1,000 payments per second and making 8,000 IT changes weekly – underscores the complexity and cost of securing these vast systems.
Beyond Cyber: Wider IT Outages Also a Concern
While cyber attacks are a critical focus, banks also face challenges with general IT resilience, leading to disruptive outages. Data presented to the Treasury Committee paints a clear picture:
Over the past two years, nine major UK banks and building societies accumulated at least 803 hours (equivalent to 33 days) of tech outages.
Between January 2023 and February 2024 alone, eight specific banks (Barclays, Lloyds, Nationwide, Santander, NatWest, Danske Bank, Bank of Ireland, and Allied Irish Bank) reported a combined 158 IT failures.
These failures can have significant real-world consequences for customers. A notable Barclays outage in January affected online banking for several days, impacting some people’s ability to move home. While Barclays CEO Vim Maru apologised for the disruption and stated this particular incident wasn’t caused by a cyber attack, a report estimated potential compensation payments could reach £12.5 million. This was followed by further outages affecting approximately 1.2 million people in February across Lloyds, TSB, Nationwide, and HSBC.
The Systemic Risk to Trust and Economy
The risks associated with both cyber attacks and IT failures extend far beyond individual accounts or temporary inconvenience. Experts like Professor Buckley emphasise that the threat impacts “every sector,” as seen in recent disruptions to major retailers like Co-op and Marks and Spencer.
More importantly, the potential consequences include:
Loss of Trust: A breach or significant outage erodes public confidence in the financial system.
Economic Impact: Ripples can spread through markets and affect the wider economy.
Reputational Damage: Banks face significant harm to their brand and customer relationships.
Regulatory Scrutiny: Failures lead to intense oversight and potential penalties.
While banks are investing heavily, executives also highlight the need for collaboration with other sectors. Charlie Nunn, CEO of Lloyds Bank, raised concerns about financial fraud, describing the UK as having “become the home of fraud” and stressing the need for social media and telecommunications companies to help stop illicit activities often facilitated through their platforms.
Ultimately, the testimony from UK bank leaders underscores that the fight against cyber threats and the push for robust IT resilience is an ongoing, expensive, and critical battle for the stability and trust of the entire financial system. The increasing sophistication of attacks and the volume of operational changes needed mean that vigilance and defence mechanisms will remain a top priority for the foreseeable future.
References
- https://www.bbc.com/news/articles/c4g3372vl3yo
- https://www.bbc.co.uk/news/articles/c4g3372vl3yo
- https://news.sky.com/story/hsbc-being-attacked-all-the-time-by-online-criminals-as-boss-kept-awake-at-night-by-cyber-threat-13371429
- https://rivercitybank.com/bank-ceo-why-cyberattacks-keep-me-awake-at-night/
- https://ground.news/article/cyber-attack-threat-keeps-me-awake-at-night-bank-boss-says
