Accenture, working with Ponemon Institute, recently released an important global report on cyber security. Entitled, “Cost of Cyber Crime Study,” it doesn’t just talk about the threats. It also details the price companies around the world are paying for security breaches and where they should invest to make it better.
Understanding both the costs and responses to cyber crime can potentially help executives bridge the gap between their own defenses and the escalating number (and creativity) of threat actors.
In this blog series, I want to do a deep dive into the survey results for the financial services (FS) industry.
On the one hand, not so good
Financial services companies are leading the pack, but not in a good way in every case. For example:1
Cyber attacks cost financial services firms more to address and contain than in any other industry.
The average number of breaches per company has more than tripled over the past five years, from 40 in 2012 to 125 in 2017.
The average annualized cost of cyber crime for FS companies globally has increased by more than 40 percent over the past three years—from $12.97 million per firm in 2014 to $18.28 million2 in 2017. This number is significantly higher than the average cost of $11.7 million per company across all industries included in the study.
Just in one year (2016 to 2017), spending on security breaches was up almost 10 percent.
These numbers suggest that criminals are outpacing banks’ efforts, at least for now. This is probably due to attackers’ advantage: They only need to spend money and effort on one attack; the bank has to defend against all of them.
On the other hand, pretty good
At the same time, the FS industry appears to be less affected by more common forms of cyberattacks than other sectors. For example, malware was a persistent problem in 2017, including the WannaCry and Petya attacks, which cost several global firms hundreds of millions of dollars in lost revenues. However, malware attacks were among the least costly types of cyberattacks for FS companies.
However, banks and other financial services firms have implemented advanced solutions for malware, reducing the susceptibility to such attacks. So, the cyber crimes banks are currently grappling with are largely different from those affecting other industries.
Currently, the costliest types of attacks for banks and insurers are:
Denial of service
Let’s look in more detail at a couple of those:
Distributed Denial of Service (DDOS) attacks have been used as retaliation by nation states, showing the importance of the banking network and its perceived value as a strategic asset.3 DDOS has also been used to distract security professionals from fraud that’s happening elsewhere in the company. Some criminals have become relentless with these denial of service attacks, which sometimes lead to cyber extortion: demanding payment in return for not publishing information and/or for returning the firm to normal operations. The banks cannot defend against these attacks alone, which are typically delivered from massive botnets of zombie computers or Internet of Things (IoT) devices. So, the banks rely on rapidly sharing information among themselves through organizations such as FS-ISAC4 and the ability of their Internet Service Provider to handle and redirect massive quantities of traffic.
Malicious insiders have always been an issue for banks, who have relied on dual counting of cash, two keys for the vault and two people to update entries in the general ledger. That strict control of money has not, however, extended to new understandings of the value of data. Data such as the customer database has not traditionally required such tight controls for read access. This has allowed malicious insiders to leak information or assist thieves with items that are monetizable. An important facet of the cyber crime discussion is therefore identifying bad actors within your own organization and figuring out the right combination of human effort and technologies to combat that threat.
As the costs of cyber crime increase, one thing is certain: FS firms can’t hire their way out of the battle. There simply aren’t enough talented cyber professionals out there. For that reason, managed security services are being considered by many as a potential solution to the problem.
In my next blog, I’ll look at the investments that can really make a difference in the financial services industry.
For more information, take a look at our presentation summarizing the economic impact of cyber attacks in financial services.
Cost of Cyber Crime Study, Accenture and Ponemon Institute, February 2018.
This figure is an annualized cost based on the first four weeks after the breach and does not include remediation. See the full study for details. These figures are reliable to calculate and measure year over year.
For example, the alleged retaliation by Iran for the Stuxnet attacks. See https://www.bankinfosecurity.com/7-iranians-indicted-for-ddos-attacks-against-us-banks-a-8989).
Financial Services – Information Sharing and Analysis Center