View all newsletters
Receive our newsletter – data, insights and analysis delivered to you
  1. Analysis
April 5, 2019

Just how much are financial institutions spending on cybersecurity and is it working?

By Briony Richter

As cybersecurity threats continue to evolve, the financial sector’s response must mature rapidly. Recognising the changing landscape of security and investing in sophisticated tools will ultimately reduce fraudulent activity and data breaches. Briony Richter reports

Some of the most valuable customer data resides within the financial sector making it a goldmine for hackers. Banks across the world are constantly having to ensure their security procedures are able to protect the sensitive information they have been charged with.

Losing that data will significantly impact a bank’s brand reputation and the trust they have with their customers.

According to a new report by Deloitte, banks and other financial organisations spend as much as $3,000 per employee to defend their data and information from cybercriminals.

‘Pursuing Cybersecurity Maturity at Financial Institutions,’ revealed that respondents from banks, insurers, investment management firms and other financial services companies spend anywhere from 6% to 14% of their information technology budget on cybersecurity, averaging 10%.

For financial organisations, developing an in-depth understanding of where and how they could encounter cyber risk in this new digital landscape is extremely critical.

However, the challenge comes while trying to balance both security and other changes affecting the landscape. Security measures must always innovate to meet customer needs while fulfilling regulatory compliance.

Speaking on the report, Julie Bernard, a principal with Deloitte Risk and Financial Advisory’s cyber risk services, Deloitte & Touche LLP, commented:

“Of course, money alone is not the answer — as we found in the study, higher cybersecurity spending doesn’t necessarily translate into a higher cybersecurity maturity level.”

“While everyone is looking for an efficiency ratio for their cyber costs, how a security programme is planned, executed and governed is as important, if not more.”

The report analysed a number of different components of a financial organization’s cybersecurity operations.

The most successful organisations revealed several key traits, including:

  • Setting a tone at the top of an organisation, with both executives and the board. Lack of management support and/or inadequate funding was cited in the report as a CISO’s top challenge in managing cyber by companies with a lower level of risk management maturity. Successful organisations were more interested in nearly all areas of cybersecurity.
  • Raising cybersecurity’s profile beyond the IT. The most mature institutions were more likely to elevate the cybersecurity function by completely segregating cybersecurity from IT.
  • Aligning cybersecurity efforts with the company’s business strategy. Not underestimating the importance of having cyber embedded in organisational strategy and planning To this, Bernard, states “Cyber deserves organisational alignment, prioritisation and reporting structures. Embedding cyber professionals into the businesses can enable the cyber organisation, and its leaders, to be more strategic and better manage cyber risk across the enterprise.”



Continued innovation

There are a vast number of factors that go beyond how mature a company is when examining their cybersecurity strategy.

A financial organisation’s cybersecurity strategy has to consider the size, wealth and scalability to be able to facilitate what it can manage.

Highlighting the importance of flexibility, CEO of FS-ISAC, Steven Silberstein, says: “Agile organisations are constantly adapting their cybersecurity programme to deal with the evolving threat landscape.”

“Sharing of industry standard best practices in governance, intelligence, resiliency and prevention are integral to the protection of the sector.”

No matter how a financial organisation stacks up against its competitors, cybersecurity will remain a work in progress. At the moment, banks and financial organisations have a reasonable grip on handling cyber threats and consumer trust in banks is still high. However, instead of being able to react to attacks when they happen, the whole financial industry must learn to better predict how and when an attack may occur.

Cybersecurity awareness and accountability should be part of every department within every financial services firm.

Cyberattacks continue to be more sophisticated which challenges financial organisations to respond in the same manner. Due to how quickly the landscape changes, cybersecurity will likely remain an ongoing journey for the financial sector.

NEWSLETTER Sign up Tick the boxes of the newsletters you would like to receive. A weekly roundup of the latest news and analysis, sent every Wednesday.
I consent to GlobalData UK Limited collecting my details provided via this form in accordance with the Privacy Policy