November 23, 2020

This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.

The financial services sector has generally been acknowledged as being ahead of the curve in deploying cybersecurity to counter emerging threat vectors and ensure business continuity. Surveys regularly place the sector as the one spending the most on cybersecurity. In fact, the combined cybersecurity budget of just two financial institutions is larger than the entire cybersecurity budget of the Department of Homeland Security.

However, despite the sector’s best efforts, cybersecurity-linked costs and losses are rising. A 2019 report from Accenture found that “the average annualized cost of cybercrime for financial services companies globally has increased to US $18.5 million — the highest of all industries, in fact more than 40% higher than the average cost of US$13 million per firm across all industries.” Similarly, an often-cited estimate suggests that for every dollar of fraud, an institution loses nearly three dollars once associated costs are added to the fraud loss itself.

Verizon’s 2020 Data Breach Investigations Report found that 81% of cyber-attacks were financially motivated. A recent report by the Boston Consulting Group found that financial services firms are “300 times” as likely as other companies to be targeted by a cyberattack.

Many presume that since the financial services sector is spending so much, it would naturally be among the most successful in actually achieving security. However, as we have seen previously with respect to the healthcare and defense sectors, the economics of cybersecurity are less obvious than one might assume.

A 2020 study by ESIThoughtLab found that, based on the data, the heavily regulated financial services industry was empirically not the consensus industry leader it might have been expected to be. In fact, among the 13 industry sectors analyzed, financial services led only in terms of plans to boost spending (followed closely by the largely unregulated technology sector in second place). Financial services came out middle of the road in terms of losses compared to revenues, and vastly underestimated the likelihood of a cyber breach – possibly because of the false sense of security generated by being in compliance with the numerous regulatory mandates the financial services sector lives with.

Overall, the ESI study found that heavily regulated sectors like finance and health regularly ranked below generally unregulated sectors like tech, automotive, and manufacturing on several critical cybersecurity measures.

The cause of this consistent disconnect between inputs – time, money and effort, areas where the financial services sector is an industry leader – and the effectiveness of those inputs arguably lies in how the resources are spent.

Historically, regulation in the financial services sector has been reactive rather than proactive – most often coming in response to financial crises or downturns. The cumulative result of this trend over time is an overly complex and inefficient regulatory environment for financial sector constituents. In fact, a 2016 report by the Government Accountability Office (GAO) identified three types of issues that result from this approach. Regulatory fragmentation results where more than one federal agency is involved in the same broad area of national need and opportunities exist to improve service delivery. Overlap results when multiple agencies or programs have similar goals, engage in similar activities, or target similar beneficiaries. And duplication results when two or more agencies or programs are engaged in the same activities or provide the same services to the same beneficiaries.

In no sphere are these issues more prominent than in regulation relating to cybersecurity – widely recognized as the most significant single issue currently confronting global financial services. Today, cybersecurity regulation in the sector consists of a web of inconsistent standards and frameworks applied by an increasing number of regulators at the federal and state levels.

In practice, this translates to disproportionate amounts of cybersecurity budgets and time being spent on compliance rather than security. An oft-cited study estimates that some cybersecurity functions within the financial sector spend as much as 40% of their time on compliance. And the problem does not look to be going away any time soon. A 2017 survey by the Financial Stability Board found that 72% of its 25 member jurisdictions were planning to issue additional cybersecurity regulations in the near future. Added to the emergence of privacy frameworks such as the CCPA and GDPR (EU), there is an urgent need to review current approaches to regulation in the sector.

ISA will be arguing strenuously in subsequent posts that we need to vastly increase our spending on cybersecurity. However, it is just as important to develop a sophisticated strategy – not just a (seemingly endless) series of technical controls – to spend in a cost-effective manner.