Cybersecurity: 2022 Banking Industry Survey

The downside of digitization in an unstable geopolitical environment.

The 2022 KPMG State of Banking Survey features insights from 100 senior executives. This article shares the findings related to the cybersecurity risks facing banks.

Cyber risk: The downside of digitization in an unstable geopolitical environment

As digital banking increases so does a bank’s exposure to cybersecurity threats. Now, with tensions rising due to the Russia-Ukraine war and economic sanctions adding to strains, 81 percent of bankers in the survey said they expect to see an increase in cybersecurity threats, yet 34 percent indicate their bank is not investing enough in cybersecurity protection.

Vulnerabilities are apparent.

While 43 percent admitted their banks may be ill-equipped to protect customer data, privacy, and assets in the event of a cyberattack, only 47 percent said their bank is investing more heavily in cybersecurity as a result of the Russia-Ukraine war.

Expect increased cybersecurity threats


Said banks may be ill-equipped to protect customer data, privacy, and assets during a cyberattack 

In an increasingly digitized world, it's more vital than ever that businesses develop effective internal controls to identify and mitigate cyber risks. Cyberattacks show no signs of slowing. A separate KPMG survey of senior risk executives found that 84 percent say cybersecurity risks will grow in 2022, and 74 percent expect compliance risks to rise in tandem.

Investors, regulators, and other stakeholders increasingly demand transparency about how companies are managing evolving cyber risks to better understand the factors that could materially impact a company financially. Audit committees, which often oversee the entity’s cybersecurity risks, can play a proactive role in helping organizations understand the impact on their financial reporting and in reevaluating their privacy and security standards.

Questions that may be considered:

  • Does the institution have a data governance framework that makes clear how and what data is being collected, stored, managed, and used?
  • Which business leaders are responsible for cybersecurity and privacy across the enterprise?
  • How does the board confirm assignment, coordination, and accountability for the company’s cybersecurity and data privacy policies?
  • Does the institution have a plan for responding to a data breach, and what does it include? If a ransomware attack occurs, is the company willing to pay ransom? Does it know how to locate and prioritize data for recovery? Does it detail responsibilities for partner, customer, and regulator notification?

Action steps

Matt Miller, a KPMG principal specializing in cyber security risk issues, said “weak access management, along with insufficient authentication controls continue to give cyber attackers access to the same resources and data that legitimate users are accessing.’’ For that reason alone it is essential that banks take immediate steps to tighten up “customer and enterprise identity and access management programs.’’ Without immediate action banks will not be able to “ensure appropriate preventions against the latest account-takeover threats.’’

Contact us

Matthew P. Miller

Matthew P. Miller

Principal, Advisory, Cyber Security Services, KPMG US