

Building a bank that is cyber resilient

With cyber risk on the rise and attacks becoming inevitable, how can banks take incursions in stride?

Digital technologies bring speed and accuracy—and they delight customers with their capacity for personalization and enrichment. But for banks and financial services providers, digital also opens the door to cyber risk.

Cyber attacks are on the rise, with five of every six large companies breached in 2014.[1] For financial services firms, the average cost—annually, and per company—of successful cyber attacks was a whopping $20.8 million in 2014.[2]

317m: Pieces of malware created in 2014

Making matters worse, banks cannot always protect against an attack. Threats are too frequent and too varied, and cyber criminals possess a remarkable ability to morph and adapt to new security measures. In fact, it may be time for banks to adjust their thinking to “when,” not “if” a cyber attack will be launched against them.

Given this challenging climate, what can a bank do?

If 100 percent protection is rapidly becoming a myth, cyber resilience is becoming the new reality. Cyber resilience is a bank’s ability to maintain constant operations in both normal and adverse circumstances. The resilient bank is often quick to identify, detect and respond to a threat or incursion. The resilient bank can recover rapidly, minimizing reputational damage, financial loss and harm to customers.

Cyber resilience revolves around three pillars:

  1. IT systems and infrastructure risks, often “ground zero” for a cyber attack

  2. Operational risks, including reputational risk, business process failure or technology infrastructure failure

  3. Fraud and financial crime, perpetrated by external hackers, cyber terrorists or disgruntled workers

Clearly, a cyber resilient approach reaches beyond just the CIO’s desk, and beyond just the CRO’s desk. Marketing, HR and other functions should work together to develop a holistic, responsive approach to cyber risk. In fact, continuing to operate in silos is one of the biggest roadblocks to executing a cyber resilient strategy. Other roadblocks include insufficient business involvement, too much reliance on training and communications, and talent shortages, particularly of skilled, tech-savvy professionals.

What’s the answer, then?

There are four key steps in protecting the entry points and angles where threats could creep in:

  1. Identification

  2. Prevention

  3. Detection

  4. Response

Building walls and locking doors will only provide a certain level of protection in today’s cyber-insecure world. More and more, an ability to respond with resilience will help banks survive and thrive.

[1] “Internet Security Threat Report,” Symantec, April 2015, Volume 20. Access at:

[2] “Cyber Attacks on U.S. Companies in 2014,” The Heritage Foundation, October 27, 2014. Access at: