Top 10 op risks: AI fears drive cyber risk to record high

External fraud re-enters top 10; change management now a top five concern

Costly ransomware attacks coupled with fears over the potential for artificial intelligence to turn everyday criminals into sophisticated fraudsters are among the risk drivers cementing cyber risk at the top of this year’s Top 10 operational risks poll. 

Of the more than 80 major banks and financial services firms that took part in this year’s poll – the most since the survey’s inception – 22 cited cyber-led information security risk as their top concern and 16 as their second-top, driving it to first place by a record margin. 

Despite concerns over the threat that AI might pose for information security at banks, many of last year’s most damaging breaches employed well-established methods. Notably, Ion Group, the world’s largest provider of trading connectivity, and the US clearing arm of Industrial and Commercial Bank of China, the world’s largest bank by assets, were hit by ransomware demands in February and October respectively. The heists were part of a string of 71 attacks claimed by the same group of criminal hackers, LockBit, last year alone.

Striking at firms such as clearing banks or technology vendors, which play a crucial role in the functioning of markets, heightens the fear factor of attacks. It also greatly increases their disruptive power, senior op risk managers note, furthering the feedback loop between cyber-led IT disruption – second in this year’s top 10 – and third-party risk, ranked third. 

 

“The ICBC Financial Services ransomware attack was a reminder of the interconnectedness and impact that third parties – not just vendors, but also clients – can have on the wider ecosystem,” says the head of op risk at one US systemic bank.

Many firms that cleared US Treasury bonds through ICBC FS had to reroute trades, while the Ion outage forced users into manual workarounds to process lengthy backlogs of trades. Similarly, January’s attack on EquiLend, the dominant securities lending platform, disrupted trade reporting for firms, leading regulators to temporarily relax obligations. Regulatory compliance ranked fourth in this year’s poll.

As the chief risk officer of one US financial market infrastructure says: “One firm’s cyber attack is everybody else’s third-party problem.”

External fraud also re-enters the top 10 this year, after a majority of survey respondents cited fears of the power of generative AI to expand the tools and methods that fraudsters use. Notable incidents have magnified this fear: in February, a multinational firm in Hong Kong suffered a $25 million fraud when scammers used deepfake technology to impersonate a senior officer and trick a staff member into transferring funds. Cyber theft also polled more strongly in 2024 than in recent years, ranking at 14.

Although the technology to create deepfakes has existed – and been successfully exploited – for a while, several large banks privately cite increasingly sophisticated attempts at penetrating their defences from hitherto smaller-dollar criminals. 

“The tools that are out there for perpetrators to commit attacks are ever-changing, and advancing,” says a senior op risk manager at one US super-regional. “Our infrastructure has to find a way to stay ahead of it, or at least have robust mechanisms to be able to act when that activity occurs.”

Watchdogs are also trying to keep pace by crafting new rules on the risk management and governance of AI – but duplication and overlaps with existing rules around information security and model governance threaten new compliance headaches for banks, as well as the potential for regulatory competition on standards. 

Rounding out the top five is the amorphous category of change management. Follow-up surveys run by Risk.net sister service Op Risk Benchmarking last year revealed that many firms were starting to incorporate change risk into frameworks as a bona fide op risk in its own right, with some setting key risk indicators and reporting metrics to keep tabs on key migration and transformation projects. 

The Top 10 survey was conducted during the first quarter of 2024. Fifteen global systemically important banks and 34 regional and domestic banks took part, making up more than half of the sample – although a greater number of asset managers, insurers and market infrastructure firms took part than previously, giving a diversified response base. Individual top 10s for each cohort are provided.

Full analysis of the top 10, along with forward-looking indicators built from responses, will shortly be published on Risk.net.

Editing by Alex Krohn
