Banks, capital market firms and insurers are struggling with a per-firm average cost of $18.5 million annually to combat cybercrime – over 40% more than the average cost across other industries. Malware, phishing, social engineering, botnets and malicious code are still the biggest offenders, but web-based attacks are on the increase, rising 8% from 2017 to 2018.
The Ponemon Institute states that malicious attacks are the most expensive for financial services companies to tackle at $243,000 per attack, with an average resolution time of around 55 days. This is far longer than for ransomware, which takes an average of 34 days, and web-based attacks, which take 26 days.
The biggest impacts of cyberattacks on financial services companies are primarily business disruption and data loss, which together make up 87% of the cost to respond to cybercrime incidents. Revenue loss only accounts for 13%.
According to UK Finance, which represents members across the industry, financial services companies in the UK alone are fighting off an unprecedented number of attacks, many of them highly sophisticated. Despite financial companies managing to stop more than £1.6 billion in fraud, cybercriminals still managed to steal £1.2 billion in fraud scams during 2018.
Financial institutions are investing heavily in threat protection. According to a survey by Deloitte and the Financial Services Information Sharing and Analysis Center (FS-ISAC), respondents said they are spending 6-14% of their annual IT budget on cybersecurity. But worryingly, they are not exploiting new technologies that have shown their ability to fight cybercrime.
A bigger budget, however, doesn’t translate into a higher cybersecurity maturity status. “While everyone is looking for an efficiency ratio for their cyber costs, how a security program is planned, executed and governed is as important, if not more,” says Julie Bernard, Principal with Deloitte Risk and Financial Advisory and Insurance Sector Leader for Cyber Risk Services at Deloitte and Touche.
According to the Ponemon Institute, just 34% of financial services companies are using automation, artificial intelligence (AI) and machine learning to help combat cyber threats, yet these technologies have been proven to offer up the largest cost savings in overall security efforts.
In addition, only 24% of financial services companies are deploying cyber analytics and user behavior analytics, and many find it difficult to keep up with advancing technologies.
Laurent Lacroix, Business Development Director, Cyberdefense at Orange Business Services, however, believes that there is a substantial change in perspective: “The trend right now is moving from protection to detection and response. This is where technologies like AI, for example, help manage big data so that only the most relevant information goes to analysts. This alone can significantly speed up processes to combat fraud and data breaches – now two of the industry’s biggest challenges.”
Moving to the next level
Chief information security officers (CISOs) need to move to the next level in their security maturity and prioritize security investments that will both be effective and reduce costs. Investments in security intelligence feeds and threat knowledge sharing technologies, for example, have an estimated annual return of 22.5% on investment, according to research by the Ponemon Institute.
Orange Cyberdefense works with a large European bank that provides a portfolio of services to private retail and corporate clients. It has a robust security infrastructure but found it couldn’t protect against the growing number of advanced persistent threats (APTs) that it was being hit by. These threats use sophisticated tactics that run over an extended period of time and often infiltrate systems and remain unnoticed.
The bank identified threat management as an answer. After discussions with Orange Cyberdefense, it opted for Orange DNS and website monitoring services. The real-time DNS monitoring solution detects deviations in, for example, registered domain names or DNS usage, which can indicate a security breach via malware. The solution has successfully filled the bank’s vulnerability holes. Over a six-month period, more than 100 phishing websites that were actively attempting to defraud the bank’s customers were identified.
This business case highlights how filling a value gap can have a quick and positive outcome for financial institutions that invest in putting robust end-to-end security in place. “Security analyst profiles are scarce worldwide, and everyone is fighting to find and retain them. That’s why it is essential to partner and be part of an ecosystem of intelligence sharing,” explains Lacroix.
Opportunities to improve cybersecurity
As the financial services industry landscape grows, with new smaller start-ups entering the fray alongside large, long-established institutions, and the whole becomes more connected, cyberattacks will only increase.
Financial services companies that can address these growing challenges through advanced data intelligence, innovative tools, collaboration, dynamic incident response and a security-focused culture will improve their security posture, and ultimately the trust and loyalty of their customers.
I've been writing about technology for nearly 20 years, including editing industry magazines Connect and Communications International. In 2002 I co-founded Futurity Media with Anthony Plewes. My focus in Futurity Media is on emerging technologies, social media and future gazing. As a graduate of philosophy & science, I have studied futurology & foresight to the post-grad level.