This article is an on-site version of our #fintechFT newsletter.
A note to readers: We’re taking a break next Monday for the US and UK holiday. We’ll be back in your inbox on June 7.
Although big financial institutions like to talk about the billions they spend on technology to protect consumer data, the results aren’t always obvious.
Just one week after French insurance company Axa said it would stop reimbursing customers for payments to ransomware criminals, it was hit by a cyber attack of its own, the FT revealed this month. Cyber criminals using ransomware called Avaddon hacked the group’s Asia operations and stole three terabytes of data.
Executives and analysts say cyber security risks have only increased over the past year as more employees worked from home and more services were digitised. And companies that don’t strengthen their security appropriately risk not only their reputations, but also their credit ratings.
“Cyber risk has increased, that’s for sure, particularly ransomware,” said William Kadouch Chassaing, chief financial officer of Société Générale, the French bank. “It’s not just banks that can be affected by ransomware, a lot of partners they work with are also vulnerable. Any provider that uses data is.”
In fact, details of the Axa attack came just days after a high-profile ransomware hack of a crucial US pipeline caused fuel shortages on the East coast. Ransomware attacks typically seize control of victims’ data or computer systems, releasing them only if the victims pay a fee.
But banks are especially attractive to cyber criminals because of the wide range of personal data they hold on customers and because they give attackers direct access to money. Their critical importance to a country’s infrastructure also makes them a target for hackers looking to cause maximum disruption.
The finance sector was the most heavily hit by cyber attacks over the past five years, according to S&P Global Ratings and Guidewire, a US software company, with more than a quarter of all raids targeting financial institutions. Groups with annual revenues of between $10bn and $50bn were the most frequently targeted.
Given the rise in incidents over the past year, analysts have warned that banks suffering cyber security breaches are at risk of having their credit ratings downgraded, which would raise their borrowing costs.
“This is a very important risk and the number of incidents appears to have grown in the past year due to the pandemic and working from home arrangements,” said Irina Velieva, an analyst at S&P. “Banks’ bigger digital footprint has increased their exposure online.”
The rating agency has already downgraded one bank after it was attacked. In February 2019, Malta’s Bank of Valletta was targeted by cyber criminals, who moved €13m into foreign accounts. The bank responded by temporarily shutting down all its branches, cashpoints, mobile banking and email services, as well as taking its website offline for several hours.
As a result, S&P lowered its credit rating of the lender from BBB/A-2 to BBB-/A3, citing uncertainty “about the bank’s ability to adequately manage the complexities of its operations”.
S&P also considered lowering its rating of Capital One, the US credit card issuer, after hackers obtained the personal data of more than 106m of its customers and credit card applicants in 2019.
In the end, the incident did not affect Capital One’s rating as S&P analysts felt the direct costs associated with it were manageable and the release of key customer data was limited. Capital One did, however, receive an $80m fine from the US Office of the Comptroller of the Currency over the incident.
“On day one, cyber attacks can harm financial institutions reputationally and money could be stolen,” said Velieva. “Over a prolonged period of time, if the bank is constantly attacked, it could impact customer loyalty and franchise stability.”
Quick Fire Q&A
Stay up to date with up-and-coming disrupters. Each week we ask a fast-growing fintech to introduce themselves and explain what makes them stand out in a crowded industry. This week we spoke to Vivek Madlani of Multiply, a fintech backed by the co-founders of TransferWise and Habito, which wants to use AI to help the millions of people who currently miss out on financial advice.
When were you founded? 2016
Where are you based? London
Who is your founder? Myself (Vivek Madlani) and Mike Curtis
What do you sell, and who do you sell it to? Multiply provides a personal finance app and investment platform that helps people save for their first home deposit.
How did you get started? We met on an accelerator program called Entrepreneur First — essentially Y Combinator but for Europe.
How much money have you raised so far? £4.8m
What’s your most recent valuation? Undisclosed
Who are your major shareholders? Octopus Ventures, Portage Ventures and various angels such as Nutmeg founder Nick Hungerford and Wise chair Taavet Hinrikus
There are lots of fintechs out there — what makes you so special? We’ve automated holistic advice to provide recommendations across savings, investments and insurance products, helping people achieve positive financial futures.
More stories from the industry that caught our eye this week . . .
Klarna tries IPO carrot to fight regulators’ stick
As Europe’s most valuable private start-up, buy-now-pay-later lender Klarna is being courted by stock exchanges and governments across the world. And chief executive Sebastian Siemiatkowski knows his company is in demand. In an interview with Quartz last week, he said the company was leaning toward a US listing. But when he spoke to Europe-based journalists at the FT a few days later, he noted that Brexit makes the UK an attractive target. It seems unlikely to be a coincidence that Klarna would dangle the prospect of a blockbuster London IPO just as regulators at the FCA are considering how hard to clamp down on the sector, a tension FT deputy editor Patrick Jenkins highlighted in this column.
Regulator warns fintechs not to pretend to be banks
E-money institutions — firms which can provide some banklike services but can’t lend out customer deposits — have become another front in the battle between prioritising growth and safety in the UK fintech industry. We highlighted the tension back in March when several senior executives warned that new rules threatened to stifle start-ups. This week, however, the FCA suggested it had little sympathy, writing to the chief executive of every e-money firm to warn them against misleadingly comparing themselves to fully-licensed banks.
Goldman Sachs invests in regtech ComplyAdvantage
One company hoping to benefit from increased regulatory scrutiny of fintechs is ComplyAdvantage, the anti-money laundering specialist led by MarketFinance co-founder Charlie Delingpole. This week the seven-year-old company announced a $20m investment from Wall Street giant Goldman Sachs. Delingpole described the deal as a “huge endorsement” for the start-up, and said he hoped Goldman’s reputation and scale could help drive its growth. For Goldman, $20m would be a bargain if the partnership helps improve its own anti-money laundering processes, compared with the $2.9bn settlement it had to pay for its involvement in the 1MDB scandal last year.
Crypto corner
A crackdown by Chinese regulators was the catalyst for a whirlwind week in the world of cryptocurrencies. The People’s Bank of China’s warning that crypto “is not a real currency” prompted a flash crash and sharp rebound, highlighting systemic issues facing digital currencies. China’s renewed opposition to private cryptocurrencies comes as it works on its own digital renminbi; the desire to discourage rivals to a new state-backed digital currency has led to similar crackdowns in India. The trend for central bank digital currencies (CBDC) looks likely to spread further, with Jay Powell saying on Thursday that the Federal Reserve would issue a discussion paper on the topic over the summer. He suggested an American CBDC would be “a complement to” existing digital currencies, but nonetheless warned that so-called stablecoins “may also carry potential risks” to users and “the broader financial system”.