Cybercrime is expensive—particularly for financial services firms—and it isn’t getting any cheaper.
Our Ninth Annual Cost of Cybercrime Study, conducted jointly with the Ponemon Institute, LLC shows no let-up for financial businesses. As a group, banks, capital market firms and insurers grapple with a per-firm average of $18.5 million annually to combat cybercrime, over 40 percent more than the average cost ($13 million per firm) across all industries surveyed.
Across the board, cybercrime is worsening for financial providers surveyed:
- Malware, phishing and social engineering, botnets, and malicious code are among the major culprits, but web-based attacks increased the most, with an 8 percent rise from 2017 to 2018.
- While the cost of resolving some attacks has declined (for example, the cost to resolve denial of service challenges decreased 41 percent), other attacks have become more costly (resolving malicious insider attacks rose 44 percent).
- The time needed to resolve crimes is rising for phishing and social engineering (22 percent more time needed to resolve a crime), malware (89 percent) and ransomware (30 percent).
2019 Financial Services Cost of Cyber Crime Study
The picture painted by our cybercrime study is troublesome. One of the biggest concerns for financial providers may be the potential loss in value resulting from a cyberattack.
Globally, across all industries, our study estimates $5.2 trillion in value lost over the next five years from expected cost savings and additional revenue because of cybercrime. Banks stand to lose $347 billion, insurers $305 billion and capital markets $47 billion.
Isn’t that too much value to lose?
Assessing financial services spend
Providers can take steps to mitigate their exposure to cybercrime. Evaluating what they already are doing is a good starting point.
Our study reveals financial firms are investing in discovery, investigation, containment and recovery to defend against attacks. But spend is not even across these activities.
Financial firms as a group spent the most, 29 percent, of their security budgets on discovery, 25 percent on investigation and 28 percent on containment activities. But only 18 percent of spend goes to recovery efforts. Might there be a gap in coverage when it comes to bouncing back from an attack?
Providers may be able to reduce costs overall if they can deploy security technologies that address the whole protection cycle, from discovery to recovery.
Is it time to automate?
How else can financial services firms make their crime prevention dollars more efficient? Our survey finds providers heavily investing in security intelligence and threat sharing technologies (79 percent of financial firms invested in these). Also popular are advanced perimeter controls (62 percent); and advanced technology and access governance (53 percent).
On the other hand, few financial firms have invested in automation, artificial intelligence (A)I and machine learning (34 percent); or cyber analytics and user behavior analytics (24 percent). Yet, when fully deployed, these technologies deliver the most bang for the buck. Automation, AI and machine learning saved over $4 million in 2018. Cyber and user behavior analytics tools saved $2.7 million.
What does this tell us? We believe financial services risk leaders should be prudent in their technology investments and prioritize innovative technologies such as AI, automation and analytics. Additionally, we recommend they:
- Put more emphasis on protecting people against phishing, ransomware and malicious insider attacks.
- Focus on preventing data loss and business disruption, particularly considering regulations such as the General Data Protection Regulation (GDPR).
- Reduce their discovery costs by investing more in automation and advanced analytics.
Cybercrime represents a costly conundrum for financial firms. By investing wisely in advanced technologies and at the appropriate levels, firms can reduce their costs, improve their overall cybersecurity resilience and position themselves to make more of their crime prevention investment.