An EU report has highlighted the risks created by finance firms cutting IT budgets as the financial services sector becomes increasingly reliant of IT.
The report said underinvestment in IT creates significant operational risk for finance firms through potential cyber attacks or accidental IT failures.
The EU Joint Committee Report on Risks and Vulnerabilities in the EU Financial System said IT supports almost all financial services processes and the risks associated with the inability to control systems.
The report said there are increasing concerns “over the increasing persistence, intensity and sophistication of information technology related operational risks, including risks of cyber incidents and/or malicious attacks, as well as accidental failures of IT systems.”
“The importance of information and communications technologies (ICT) for financial institutions has grown substantially over the past years with IT supporting nearly all processes or making such processes possible in the first place,” said the report.
“As further advances in IT are made, IT systems are becoming increasingly complex and the volume of data and the degree of specialisation are growing. That in turn has significantly increased the risk of no longer being able to safely control these systems.”
The report said budgets for IT systems and related internal controls should be protected. "Even the maintenance of existing infrastructures is not sufficiently addressed in some cases, and needs to rapidly adapt to new threats are not always fully provisioned within existent budgets."
It said the pressure to get products to markets, particularly in the mobile space, is a risk as time to test before go-live dates is squeezed.
It added that outsourced IT services or usage of dependency-on-cloud computing services needs to be assessed.
A senior IT professional in the UK banking industry said there is always a conflict between cost cutting and risk: “The competing factors of cost and risk are often in tension but the problem is that cost is a certainty whereas as risk is only a possibility.
"Therefore cost efficiency usually wins at a macro level when the two are pitched against each other. Risk management then steps in to minimise the risks associated with execution of the strategic decisions.”
He said banks need to be forced to protect IT budgets if major problems are to be avoided. “External influencers such as regulators are going to have to protect IT budgets or the banks will find ways to make cuts. Banks will overstep the mark and this will only be noticed when there is a problem and it will be too late.”
"The combination of budget cuts, offshore outsourcing, use of the cloud and mobile devices is brewing the perfect financial services security storm," he added. "Best to work that out now and protect the system before something big happens. The bad guys are sophisticated and global and looking for any weakness. The industry is helping create those weaknesses on a macro scale and I think it will require external intervention to stop that."