Andrew Tyrie, the MP who chairs the parliamentary treasury select committee, is demanding action on the state of banks’ IT systems, calling for regulators to improve both security and resilience following a string of system failures.
Tyrie has written to the heads of both the Financial Conduct Authority and the Bank of England’s Prudential Regulation Authority in the wake of high-street banks suffering IT failures over the past seven months.
In a letter to Andrew Bailey, Bank of England deputy governor for prudential regulation, Mr Tyrie wrote: “Every few months we have yet another IT failure at a major bank. These IT blunders and weaknesses are exposing millions of people to uncertainty, disruption and sometimes distress. Businesses suffer, too. We can’t carry on like this.”
Mr Tyrie wants the regulator to ensure that lenders have a designated board member who will take responsibility for IT risks. In his view this role shouldn’t just consist of modernising IT systems but also of improving cybersecurity.
The Bank of England has already clarified the need for tough controls against cyber attacks among the banks that it oversees, and conducts “close to mandatory” penetration testing of their systems.
The Royal Bank of Scotland, HSBC and Barclays all suffered failures in 2015. A system issue at HSBC earlier this month resulted in online customers being blocked from their accounts for two days, with some incorrectly being charged overdraft fees. In this case, the bank ruled out a cyber attack as a cause.
Banks around the world are estimated to spend about $200bn a year on their IT. Their systems are often described as “spaghetti factories” of old systems patched together in a piecemeal way following acquisitions and product launches. Overhauling a whole system would be costly and time-consuming, and a network would be likely to have to be temporarily shut down. In addition, the unique patchwork of each bank’s systems means cyber specialists cannot work on commoditised solutions. IT security specialists among the regulators, meanwhile, are also thin on the ground.
So this issue clearly isn’t just about external threats but is also closely connected to how IT systems are managed and controlled. These capabilities must be deemed important if banks are to be able to identify the causes of major system issues and respond to them before they impact their customers and the businesses that rely on them.