Cybersecurity

The Soaring Risks of Financial Services Cybercrime: By the Numbers

Financial services cyber-security must be a top priority for leaders. After all, while no industry has been immune to the increasing threat of cybercrime, financial institutions are particularly and perniciously vulnerable. According to one report, financial services firms are 300 times as likely as other companies to be targeted by a cyberattack.

Let’s take a look at the key numbers behind the risk posed by financial services cyber attacks.

 

Top Cyber threats for Financial Services

 

Consider these major factors that constitute threats to cyber security in financial services markets:

  • Unencrypted data: As a matter of oversight rather than malicious intent, companies regularly expose their data inadvertently.
  • Malware and ransomware: According to the Department of Home Affairs, cyberattacks cost the Australian economy $29 billion annually, with one in three Australian adults impacted in 2019.
  • Unsecure third-party services: Lapses in vendor security can create the same adverse outcomes – e.g. exposure, damage to reputation – as internal errors or attacks. Organisations are increasingly held responsible for third-party vendors through legislation and industry actions such as the General Data Protection Regulation (GDPR) and the Online Trust Alliance (OTA).
  • Phishing threats: One group found that phishing attacks are on the rise with the increase of remote working. While phishing has traditionally targeted unknowing recipients through email, social media is another area of risk.

Financial Services Cyber-security Regulations in Australia

Globally, governments are enacting regulations and publishing guidance to secure their data and industries against malicious attacks as well as human error. New and revised regulations are increasing in frequency. They have complicated the cyber-security field for private businesses, which must account for laws in their own jurisdictions and others in which they may do business.

Cyber-security Laws

Australia has several laws that relate to cyber-security, including the Privacy Act 1988 (Cth), the Crimes Act 1914 (Cth), the Security of Critical Infrastructure Act 2018 (Cth), and the Telecommunications (Interception and Access) Act 1979 (Cth).

Mandatory Reporting

If the Privacy Act 1988 covers a business, organisation or agency, it is subject to the Notifiable Data Breaches (NDB) scheme. The scheme stipulates that these organisations must notify the Office of the Australian Information Commissioner (OAIC) if they suffer a data breach that is likely to result in serious harm to individuals whose personal information has been compromised.

 

Financial Impact of Security Breaches

 

The costs of security breaches and attempts at preventing them are bracing. According to Microsoft, cyber-security incidents cost Australian businesses $29 billion in 2018. For large organisations (more than 500 employees), the average cost per breach was $35.9 million.

Overlooked data permissions can become expensive vulnerabilities, and making sensitive data available to employees who don’t explicitly need it raises the risk. The average financial services employee, for example, has access to 11 million files – a number that increases to 20 million for employees of large financial organisations, according to a global study by Varonis.

 

The Enormous Costs of Cyber-security Threats

Take a look at the numbers associated with three types of cybercrime:

Data breaches. IBM’s 2020 Cost of Data Breach Report cited $3.86 million as the global average total cost of a data breach in 2020. But financial services are hit harder, with an average cost of $5.85 million.

Ransomware. A 2020 survey found that the average cost of remediating a ransomware attack is $761,106, while organizations that don’t pay the ransom spent approximately $732,520 to recover their systems.

Phishing. CSO Online reported that phishing attacks caused 80% of reported security incidents. Another report indicates that users open 30% of sent phishing messages.

 

The Massive Spend on Cyber-security

 

It’s no surprise that cybersecurity prevention has become a significant budget line item. Forbes reports that the global cyber-security market in 2020 was worth US$173 billion, and that number is only increasing. In IDG’s 2020 State of the CIO research, 34% of CIOs saw security and risk management as the primary drivers of IT spending.

 

Top Targets and Sources of Cyberattacks

 

When identifying the biggest risks of cyberattacks, look toward the top of the organisational chart. According to GBHackers of Security, C-suite leaders are 12 times more likely than other employees to fall victim, and 40% of respondents cite C-suite employees, including the CEO, as their company’s highest cyber-security risk.

 

According to Verizon, while 63% of attacks are perpetrated by financially motivated external actors, 27% have internal sources — either employees acting intentionally for financial motivation or simply making errors.

 

Why Boards Should Prioritise Cyber-security in the Post-COVID World

 

As governments worldwide enact or revise legislation and guidance related to cybersecurity, organisational leadership also is responding by making security a top priority.

A vast majority —92% —of boards are involved in cyber-security direction and strategy, Diligent Institute found in research for its report What Directors Think: Navigating a Pivotal Year. In the same report, 37% of directors responding noted that cyber-security is the most challenging issue to oversee, after new technologies and innovation (42%) and culture (40%).

The research into customer attitudes supports an aggressive response and clear cybersecurity strategy. According to a PwC survey, “only 25% of consumers believe companies handle their personal information responsibly and 87% will take their business to a competitor if they don’t trust a company to handle their data responsibly. ”

Customers take trust very seriously – and so should boards.

 

How To Mitigate a Cyber Attack Within Your Financial Services Organisation

So, what can you do? Diligent has assembled actionable best practices for your organisation. The upshot: like so many strategic efforts, the key is an informed and involved leadership team supported by the right tools.

Ensure board members understand the scope of the risk and rapidly changing regulations globally. Incorporate cybercrime risk prevention into top-level business strategy. Replace personal email for collaboration with encrypted communication tools. Steps such as these and others will reduce the target your organisation presents to external and internal errors and attacks.

While it may not be possible to prevent all cyberattacks in financial services organisations, thoughtful steps to mitigating risk and a plan to address attacks when they happen will ensure leaders are stewarding their companies effectively through the years to come. Through its modern governance platform and expertise with the concerns of financial services, Diligent continues to support organizations like yours as they navigate today’s risks. Read more in Diligent’s New Cyber Risk Scorecard.

Assess your Cyber Risk Score.

 

Featured Blog