The reputation of any financial services organisation rests squarely on trust, security and professional integrity. A breach of any one of these profoundly damages the belief of markets, investors and customers in the others.
Every financial services organisation is engaged at some level in modernising itself to remain fit for its twenty-first century purpose. At the heart of this endeavour is the pervasive switch to digital technologies in every part of the organisation, creating a fundamentally new dependency on digital systems and processes. With this new enterprise-wide dependency comes new risk, as well as new opportunity.
The risks have long been recognised and reflected in modernised business and technical controls, better integrated governance, risk and compliance management and, critically, in Board-level oversight of the organisation’s performance in containing and mitigating
Despite these responses, some complicating factors have emerged to challenge the sector’s overall management of pervasive digital risk.
Firstly, new technologies are maturing and converging at a much faster rate and are being delivered through many different channels, particularly third-party Cloud services and mobile devices.
Secondly, the demands placed on the organisation to exploit them have increased steeply, as business leaders demand investment to become more competitive, creating both the emergence of ‘business-led IT’ and greater pressure on IT to bring new technologies rapidly into the organisation.
Thirdly, the level of scrutiny from industry regulators has been overlaid by that of governmental bodies, probing for the reasons why digital risks turn too frequently into digital issues, seen in high-profile service outages, system upgrade failures, data corruption and customer losses.
And fourthly, the technical operating environment has become less predictable through the efforts of malign actors, from state-sponsored programmes to individual cyber criminals, both of which work tirelessly to disrupt the smooth working of public and private sector organisations for personal gain, political advantage or both.
The results of these complicating factors are all too well known: large-scale cyber theft enabled by stolen bank account details; cyber-related card fraud, using stolen credit card details to perpetrate Card Not Present fraud; online customer applications and services taken out of service for prolonged periods, creating ill-will, financial disruption to business and personal customers and unwanted attention from regulators and government.
No financial services organisation chooses to leave itself vulnerable to digital risk. Every forward-looking financial services organisation strives to operate as securely as it can, to safeguard its reputation, delight its customers and so improve its standing with investors, regulators and the wider public.
This is not just enlightened self-interest. It is a clear recognition that high performance in security, without exaggeration, is the lifeblood on which the long-term prosperity of the sector now depends.
The sector is under attack
Financial Services has consistently proved to be the most cyber-attacked sector of many developed and developing economies, for the simple reason that banks hold vast stores of wealth on behalf of their customers, market organisations trade billions of securities every day and insurance companies hold huge reserves both to service claims and to invest for capital returns.
Whilst the specifics of data security performance may vary, the key trends for Financial Services are sobering.
Data breach recovery costs are going up
The financial services sector globally has an estimated $701m at risk from cybercrime-derived losses in the period 2019-23 alone; more than Utilities, Energy or Defence; more than Healthcare, Industrial Equipment or Retail¹.
The direct cost per financial services record lost is increasing, standing at $245, up 23% on its four-year average. The indirect costs of cyber-derived losses are generally at least as great as the direct costs of technical and business remediation², ranging in major Western economies between c. 120% and 180% of them.
Bigger breaches mean higher costs
The direct and indirect costs of correcting a data breach rise in line with the size of the breach, expressed in thousands of lost records. Data breaches of more than 50,000 records cost on average $6.3m to correct³.
Customer losses are abnormally high
Abnormal customer attrition following a data breach is higher in financial services globally than in any other sector of the economy, averaging 7.5%, exceeding even Healthcare, Services and Technology companies. Associated lost-business costs (increased customer recruitment costs, reputational damage and diminished goodwill) typically run between $1m and $4m per organisation in major economies.
Malicious or criminal attack is the most common cause
Malicious or criminal attacks are consistently the most common cause of data breaches in major economies, exceeding either system faults or human error and responsible for between 45% and 60% of total breaches³.
Malicious or criminal attacks are the most costly
Data breaches from malicious or criminal attacks are consistently between 15% and 25% more costly to correct than breaches arising from system faults or human error³.
Time to identify breaches remains stubbornly high
It takes on average between 160 and 214 days globally for an organisation to identify a data breach, with malicious or criminal attacks taking the longest to identify and human error the shortest³.
It costs more to recover from long-unidentified breaches
Recovery costs increase the longer the breach lies undetected, adding 38% on average to total recovery costs³.
The message for Financial Services is clear
Improvement in the identification and remediation of data breaches is a commercial imperative for the Financial Services sector, both when united in cross-industry information-sharing and as individual institutions defending their own businesses and reputations.
Technologies which improve an organisation’s ability to spot and neutralise threats to its systems and their data will:
- drive down the number of breaches suffered
- prevent cyber theft and fraud losses
- avoid the direct costs of escalation, notification and response
- remove the costs and threat of customer attrition
- avoid collateral damage to business reputation
- avoid adverse sentiment from investors
- avoid unwanted attention and censure from the media
- maintain the organisation’s standing with regulators and government.
Human capital business controls and processes which improve an organisation’s ability to hire, train and retain its employees and third-party contractors, and to instil professional integrity in them, are also critically important, both to cut the incidence of human error and to reduce the possibility of malign action by a disaffected employee or contractor.
Achieving the shift from an organisation which reacts to incidents to one which prevents them from occurring lies at the heart of each of these imperatives.
My thanks to the Ponemon Institute, on whose work I have drawn for information and inspiration.