The state of cybersecurity at financial institutions

How do financial services firms measure success with cybersecurity? The answer may be difficult to determine in the midst of a constantly changing threat landscape, and at a time when shifting business priorities and exponential technology forces are changing how many organizations approach management of cyber risks.

A Deloitte survey examined how firms developed and deployed best practices. While many approaches are unique to individual firms, institutions are best to scrutinize and learn from their peers’ experiences.

In this report, we explore:

• Board involvement. Almost all board and management committee members at responding companies were keenly interested in their company’s overall cybersecurity strategy, but those from adaptive companies suggest their boards are more likely to delve into the details.
• Shared responsibilities. While more than one-half to three-quarters of respondents had a fully centralized cybersecurity function, respondents from adaptive companies were more likely to favor a hybrid approach. This approach features centralized functions, but with each business unit and/or region given strategy and execution capabilities and coordinating with one another.
• Multiple lines of defense. Most respondents from adaptive firms said their organizations tended to have two separate, independent lines of cyber defense-the first involving security at front line units, and the second being organization-wide cyber risk management operations.
• Resource allocation. One-half of the large FSI companies reported that cyber risk management spending was $20 million or less. Even if these companies invested the most and earned the least revenue within the respective ranges for those categories, this means that one-half are spending one percent or less of revenue on this area.