As financial institutions pivot to growth, building in cyber security is imperative

QuickLook Blog

We are hearing from many of our clients that leadership is focused on innovation and a return to a growth agenda after many years of focus and resources devoted to risk management and compliance. Not that those priorities are going away—far from it—but growth is being pursued with renewed energy for the first time in a while.

August 22, 2018

A blog post by Julie Bernard, Advisory principal, Deloitte & Touche LLP and Jim Eckenrode, managing director, Deloitte Services LP

How to safely drive growth, though? Even as financial institutions are looking to innovate, so too are those that would seek to exploit vulnerabilities to access personally identifiable information or cause operational disruption. To better understand this dynamic, we collaborated with the Financial Services Information Sharing and Analysis Center (FS-ISAC) to explore the state of cyber risk management today. We found some interesting preliminary insights from the small sample of responses we received from a membership survey. Responses came mostly from banks, with a few insurance and investment management firms as well. As with the general population (at least here in the US), firms skewed toward the small- to mid-sized end of the spectrum.

The headline here was that one size does not fit all with regard to management of cyber risks in today’s financial services industry. Whether dealing with cyber risk management functional organization, reporting lines, or resource allocation, there were clear differences among firms based on both size and maturity level based on the National Institute of Standards and Technology (NIST) maturity framework. With that said, we felt there were some interesting data points about how firms are balancing innovation and risk.

The state of cybersecurity at financial institutions

Read the report

Balancing innovation and risk

Insights from industry chief information security officers (CISOs) FS-ISAC members suggest that they have a role to play in innovation and growth as well. They reported that priorities for technology investment and innovation were centered (in some order, depending on size) around data and analytics, mobile solutions, and cloud services. Further, they saw that there were important security implications associated with their firms’ efforts to provide new client solutions and drive improved experience through digital customer engagement. Respondents felt that embedding security from the start into both new products and services as well as new digital channels was an important factor in helping their firms to grow, but grow while managing cyber risk.

To that point, another theme was around the role that senior leaders and board members have to play in driving a better secure, vigilant, and resilient industry. We know from previous risk management and governance research that bank board charters are more often specifically requiring risk committees to oversee management’s handling of cybersecurity risks1. And when we interviewed Chief Information Security Officers for their thoughts on the challenges they face, they report having spent a good amount of time educating their boards about their firm’s cyber risk management program. And while they felt that board members were a good deal more knowledgeable, and asked good questions, they also struggled with the “right” metrics to use to report on progress.

Nevertheless, our survey found that board members at financial institutions confirmed that they are connected to their firm’s cyber risk management programs. Specifically, boards are interested in knowing the overall cyber risk management strategy as well as a review of the current threat landscape. Larger firms reported that their board members also want to know about the progress that’s being made to combat emerging threats, as well as the degree to which their firms are vulnerable in cases where a public breach elsewhere has been reported.

There’s much more to be found in our report, including respondent’s views on the level of third-party support that’s used by their firms, the use of cyber risk insurance, and resource allocations for specific cyber risk management activities like endpoint and network security or identity and access management. Moving forward, we hope to build on these preliminary results in the next iteration of this benchmark later this year.

If you are interested in discussing the results of the research or how your firm compares to peers, please do let us know.

Julie Bernard
Advisory principal
Deloitte & Touche LLP

Jim Eckenrode
Managing director
Deloitte Services LP

What do you think about the state of cyber risk management in your firm?

Do these results line up with your experience? Are their objectives or priorities that were not covered that you feel are important to address as part of a comprehensive cyber risk management program? Join the conversation on Twitter: @DeloitteFinSvcs.

Val Srinivas, Stephen Fromhart, Urval Goradia, “What’s next for bank board risk governance? Recalibrating to tackle new risk oversight expectations,” Deloitte Insights, 2017.
2 Sam Friedman, “Taking cyber risk management to the next level: Lessons learned from the front lines at financial institutions, “ Deloitte University Press, 2016.

QuickLook is a weekly blog from the Deloitte Center for Financial Services about technology, innovation, growth, regulation, and other challenges facing the industry. The views expressed in this blog are those of the blogger and not official statements by Deloitte or any of its affiliates or member firms.

Site-within-site Navigation. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Did you find this useful?