The UK's biggest banks are making good progress rebuilding balances shattered during the economic shock of 2008, but might the next crisis be digital rather than financial?
According to KPMG's half-year Road to Recovery? What the Future Holds for UK Banks report, the country's biggest firms have dragged their economic model back into the black despite having to cope with unprecedented regulatory pressure.
That said, banks will probably never return to the sort of pre-2008 returns, and have to put up with returns of half or less than the gargantuan profits made during the good times. But to borrow a phrase from the report, is worrying about future the size or reserves and future profitability a case of banks fighting the wrong war?
"Traditionally, banks have been leaders in IT security, at the cutting edge of innovation, but their ability to combat future security threats is increasingly debatable. After years of improvement, UK banks suffered a 12 percent increase in online account fraud last year," said KPMG.
"Furthermore, the motivation for cyber assaults is shifting, from financial crime to political and ideological attacks, with the number of state-sponsored hacking and 'hacktivist' revenge incidents growing."
The authors sketch over which form of cyber-incident might constitute a serious shock for banks - a huge data breach or mega-DDoS? - but noted growing worries about the potential trouble that might lie ahead. It was only a small pull-out box in a much larger report but a number of commentators seized on it.
"KPMG is right to highlight the imminent cyber threat that is currently hanging over UK banks. This has been building over the past year and if financial institutions haven't already made security their top priority, they should do so immediately," said McAfee EMEA CTO, Raj Samani.
"Where Europe has been the primary target for financial fraud rings - such as Operation High Roller - in the past, McAfee's research has found thefts are spreading outside Europe, including the United States and South America."
Others have argued that by working on the assumption that an attack was bound to succeed eventually, banks might be less likely to experience it as a mortal shock.
"By accepting that it is a case of when, not if, a breach will occur, financial organisations can focus on protecting data at its core, rather than on layers of perimeter security which are no longer up to the job of offering adequate defence," said SafeNet vice president EMEA, Gary Clark.
At the very least, the growing threats from cyber-risk were likely to raise costs for the industry at a time of relative weakness, said Marc Lee of risk management firm, Courion.
Sign up for Computerworld eNewsletters.