Cybersecurity for financial institutions was critical before COVID-19 hit—and likely even more so now. This year’s Deloitte and FS-ISAC survey reveals why firms may need to prioritize and reinvest in cyber protection programs.
- Survey respondents reported an increase in cybersecurity spending, with identity and access management, cyber monitoring and operations, and endpoint and network security receiving bigger shares of the pie.
- For the last three years, respondents identified rapid IT changes and rising complexities as their No. 1 cybersecurity challenge. To help effectively mitigate emerging cyber risks, companies should consider digitally enabling the cyber function within the broader IT service development process. Adopting “security by design” principles during technology development could also help financial institutions create more secure products.
- Cybersecurity is often included as part of the IT function, and CISOs typically report to the CIO or CTO at their firms, according to most respondents from large financial institutions surveyed. This reflects the need for close integration of cybersecurity and IT.
- At the same time, financial institutions may want to retain a certain level of independence for cybersecurity, which could help ensure risk management decisions are not overshadowed by IT constraints.
- Respondents cited emerging technologies such as cloud, data analytics, and robotic process automation as top cybersecurity investment priorities. Access control, protective technology, and data security were emphasized as rationales.
- As digitization and remote work accelerate, and the lines among employees, customers, contractors, and partners/vendors blur, many traditional network perimeters and boundaries are obscured. Users, workloads, data, networks, and devices are everywhere. "Zero Trust" has emerged as a concept for enforcing "least privilege" for modern enterprises contending with the ubiquitous nature of these domains.
Time For Financial Institutions To Double Down On Cybersecurity
Most financial institutions have been moving steadily toward digitization for some time now. Operations across companies large or small in all financial sectors have been going digital, driven by the need for efficiency as well as rising customer expectations. Among financial services firms, the pace of adoption has often varied based upon a company’s readiness for change, agility, and size, among other factors.
Over the last few months, the COVID-19 pandemic has forced many companies to accelerate their digitization efforts. As office closures and restricted movement compelled everyone and everything that could go virtual to do so, many institutions had to more fully embrace a digital transformation in operations, distribution, and customer engagement.
This sudden shift, however, has compounded problems for many chief information security officers (CISOs) and cybersecurity teams charged with securing the digital fortress at their firms. Hackers and cyber scammers are trying to take advantage of expanding technology footprints and new attack surfaces, with most employees working remotely. In April, the New York Department of Financial Services highlighted the significant increase in cybercrime related to the COVID-19 outbreak.
The imperative is clear across the board: Organizations should be digitally enabling the cybersecurity function to keep pace with rapid IT transformation and protect critical assets against increasing levels of cyberthreats and attacks. For the third consecutive year, the Cyber & Strategic Risk Services team at Deloitte & Touche LLP and the Financial Services Information Sharing and Analysis Center (FS-ISAC) surveyed FS-ISAC members on how they are confronting cyber challenges. The most recent survey was fielded from late 2019 through January 2020, and its results are referred to as the 2020 survey report. Each year, we identify and present the particular survey results according to their year of publication: 2020, 2019, and 2018. (See sidebar, "About the survey," for further details.)
Our annual survey explores how cybersecurity programs are structured and managed at financial institutions and the different choices made in terms of organization models, spending patterns, outsourcing, and investment priorities, among other important considerations.
Over the past three years, cybersecurity has continued to grow as a priority. Financial firms keep allocating more resources, increasing board involvement, and making investments that are more aligned to IT and business priorities. The report also identifies several key cyber risk management trends at large financial institutions, as well as future implications that may be relevant to firms of all sizes in the wake of COVID-19.
Spending Rises To Meet Increased Demand
One of the most important components of a financial institution's cyber risk management operation is the level of resources allocated to cybersecurity programs. The average annual cost of cyberattacks has been ballooning for many organizations. So, it was not surprising to find that cybersecurity spending rose among the financial institutions surveyed compared to those responding in the prior year (figure 1).
Respondents to our most recent survey spent about 10.9% of their IT budget on cybersecurity on average, up from 10.1% a year earlier. This equaled about 0.48% of company revenue on average, again up from 0.34%. In terms of spending per employee, respondents spent about US$2,700 on average per full-time employee (FTE) on cybersecurity, increasing from about US$2,300 last year.
At the same time, cybersecurity spending by sector has changed significantly across different benchmarks (figure 2).
See the full report here by Deloitte