Taking cyber risk management to the next level
Lessons learned from the front lines at financial institutions
An in-depth analysis of how security leaders at financial services firms are handling the rising tide of cyberattacks—and suggestions on how to close the gaps in cyber risk management to stay ahead.
Rising to the cyber risk challenge
Banks, investment companies, and insurers are prime targets for cybercriminals looking to steal money or information, disrupt operations, destroy critical infrastructure, or otherwise compromise data-rich financial services institutions (FSIs). Indeed, FSIs lead the pack in terms of the average cost of cybercrime incurred by companies in a particular industry, counting both internal activities and external consequences. That figure reached $28.3 million in 2015—which is significantly higher than the six-year average for FSIs of $19.4 million annually (see figure 1).1
There’s no shortage of money or technological tools being devoted to support cyber risk management at FSIs, as such threats are high on the agendas of senior management and board members. Cyber exposures rank second only to regulatory/compliance concerns as the types of risks FSIs believe will increase the most in importance to their companies.2 At the same time, only 42 percent of those responding to the most recent Global Risk Management Survey by Deloitte & Touche LLP feel that their organization is “extremely effective” or “very effective” in managing cyber exposures.3
Yet despite having had several years to bolster cybersecurity capabilities, our latest research found that many FSIs are still struggling to keep up with a moving target. Basic blocking and tackling strategies to lock down devices, systems, and platforms remain a work in progress at many companies because of the pace of attacks, the growing sophistication of threat actors, and the multiplying, often conflicting demands facing chief information security officers (CISOs).
CISOs cite wide range of challenges, investments
While this report is focused on areas of consensus among those we interviewed from major financial institutions as to the current and future state of cyber risk management in the industry, it’s worth mentioning they did not always march in lock-step. That’s not surprising, given the varying levels of maturity and industry sector dynamics among our relatively small but representative group of CISOs.
For example, when asked about the most important challenge they feel their organizations are facing, the responses largely reflect the main points covered in the body of this report, with some interesting exceptions, as shown in figure 2.
When it comes to return on investment (ROI) and future initiatives, our interviewees once again expressed a range of priorities. Banking CISOs maintained that improving their firm’s resilience in the event of an attack is a future investment priority. In contrast, insurance CISOs cited network monitoring and identity management as priorities. Similarly, investment in “basic blocking and tackling” to remediate legacy systems was identified as an area that has paid off for bankers in particular, while other sectors were less consistent, mentioning talent, application consolidation, or data protection as high-return areas for their specific institution.
Clearly, the diversity of responses reflects the fact that even though financial services has been a main target of threat actors for many years, companies within the industry are still focusing on their own “next challenge”—building capabilities they hadn’t prioritized before.
Adding to the sense of urgency surrounding cybersecurity is the massive technological transformation underway in financial services driven by fintech, regtech, mobile applications, cloud adoption, and other emerging developments. CISOs and the business executives they work with are being challenged to become more agile and provide a frictionless customer experience. Beyond facilitating technology upgrades, they must balance the needs of cybersecurity with other forces, such as cost reduction, globalization of the workforce, and regulatory compliance.
To get to the bottom of these challenges, the Deloitte Center for Financial Services conferred with cyber risk experts from Deloitte Advisory about the state of security, vigilance, and resilience efforts at banks, insurers, and investment companies. We then interviewed senior cybersecurity, technology, and risk management specialists from across the industry to learn more about their first-hand experience and strategies. Those interviewed shared cyber war stories from the front lines, citing a wide variety of obstacles and frustrations, as well as the progress they’ve made and plans to transform their thinking, approaches, and organizational culture going forward.
Our interviewees did not always echo one another in terms of their number-one challenge, which cybersecurity investments had paid the biggest dividends, or even their future priorities, mainly due to their varying levels of risk management maturity and differences in the FSI sub-sectors they inhabit (see “CISOs cite wide range of challenges, investments”). However, there were a number of key areas of consensus among those who took part in the research. Several broad themes emerged, which we’ll explore in more detail:
- Money is no object for those we interviewed, with cybersecurity budgets rising dramatically over the last few years. However, most agreed that the pace of such increases is not likely to be sustainable over the long run, meaning some hard choices will soon have to be made in terms of priorities.
- The majority feel stuck between a rock and a hard place as they juggle multiple priorities. They are being challenged to address vulnerabilities within a plethora of legacy systems. They are expected to innovate via the cloud, fintech, digital identity, and additional breakthroughs even as they struggle to keep basic systems up and running. All the while, they are trying to align cybersecurity policies and efforts with the business, operational, and technology strategies of their companies.
- CISOs are striving to innovate in a multitude of ways, but often have a hard time assessing and integrating a flood of new security tools at their disposal, while reinventing their organizations to make cybersecurity a core consideration enterprise-wide.
- FSIs are starving for cybersecurity talent, with staffing challenges the biggest problem faced by many of those we interviewed. While companies may have more than enough funding, they often complained about the lack of “triple threats”—those with the technical skills, business know-how, and strategic thinking capabilities to implement cyber risk management initiatives quickly and effectively.
- Cyber risk metrics remain a veritable Tower of Babel as reporting responsibilities overwhelm CISOs, thanks to a lack of widely accepted, impactful measurements and industry-wide standards to meet increasingly redundant oversight demands.
- CISOs need help connecting the dots. Many cite legal ambiguity or regulatory hurdles as obstacles to information sharing within and beyond the industry and even their home countries, while most yearn for ways to better automate intelligence to make it more relevant, actionable, and available in real time.
Overall, we found that while some FSIs have become leaders in cyber risk management, there is a wide variance on the cybersecurity maturity curve. The bar needs to be raised for many individual companies and the industry as a whole. Our interviews with leading players and experience in serving clients across financial services provide a number of key insights into how these challenges might be overcome, whether by sharing leading practices or through continuous innovation, just as the threat actors themselves have done.