2021

Financial Cyber Survey

In Deloitte’s Financial Cyber Survey, we assess Danish financial businesses’ cyber resiliency and maturity level and shed light on what the current cyber landscape looks like. Read the full report in the sections below.

Editorial

The financial sector is generally known for having a high cybersecurity maturity level, due to having been at risk of cyber-attacks for several decades. However, financial businesses must be careful not to rest on their laurels, and they must continuously test assumptions about their cybersecurity posture and close any gaps between these assumptions and their aspirations as well as regulations.

In this survey, we investigate the Danish financial sector’s ability to respond to cyber threats. The survey provides unique insights into the cybersecurity practices in the sector and reveals some major trends:

The cyber threat has continued its increase. And phishing remains the number one way to penetrate organisations, according to the respondents. The financial sector has been “in the game”, so to speak, for several decades – cyber criminals have always sought a financial gain. Thus, being exposed to cyber threats has been a condition for financial businesses for a long time. The shape of the threat has changed, though. Today, it is not only about stealing money, but sometimes also about doing damage just for the sake of damage.

Businesses might have a false sense of security. The businesses in the sector have quite positive self-images when it comes to how close they are to being ideal cybersecurity organisations. Maybe a bit too positive as only one out of ten businesses have fully implemented what is generally considered baseline cybersecurity measures. While it is good to see that the businesses aspire to have high cyber maturity levels, we strongly recommend testing these assumptions and maturity levels independently and closing any gaps between the self-evaluations and the independent assessments.

Many find it difficult to comply with cyber regulations. No less than one third of the businesses in our survey indicate this. Indeed, compliance can be a complex task. Businesses within the financial sector need to adhere to a multitude of regulations and take into account multiple regulators that are not always aligned. But businesses should be ahead of regulations instead of chasing them. This not only gives them an advantage in terms of cybersecurity but is also far less costly.

In summary, the Danish financial sector continues to believe that it is higher up the cyber maturity ladder compared to other less mature industries. That may be the case. This should, however, not lead to complacency, which could result in these organisations falling behind the curve in the cyber-arms race.

We hope you will find this survey interesting. Please do not hesitate to contact us for further information.

Methodology

The Financial Cyber Survey is based on 68 quantitative CATI interviews with Chief Information Security Officers (CISOs), Chief Information Officers (CIOs) and cybersecurity managers employed with Danish financial businesses. The financial sector encompasses businesses operating within the banking and capital market sector, the insurance sector, or the investment management sector. The quantitative interviews were conducted by Epinion in August 2020 on behalf of Deloitte. Deloitte has concurrently conducted qualitative interviews with Danish financial businesses. These interviews have since been anonymised and appear as quotes throughout the report.

The survey questions were formulated by Deloitte Denmark’s Cyber Risk unit, which also conducted the qualitative interviews. The telephonic survey, as well as some of the qualitative interviews, were originally conducted in Danish and have since been translated into English. The overall purpose of the survey is to examine Danish financial businesses’ cyber resiliency, maturity and risk level in the current cyber landscape.

Contact us

Jay Choi, Partner

Jay Choi, Partner

Hinko van Beek

Partner