Top Cyberthreats for Financial Services
- Unencrypted data. Through oversight rather than malicious intent, companies regularly leave data unencrypted at rest or in transit and so expose it to anyone who reaches the storage or the network.
- Malware and ransomware. According to FBI data, an average of more than 4,000 ransomware attacks per day have occurred since 2016.
- Insecure third-party services. A vendor's security lapse produces the same outcomes as an internal error or attack: exposed data and damage to reputation. Organizations are increasingly held responsible for their third-party vendors through legislative and industry actions such as the General Data Protection Regulation, California's new privacy laws and the Payment Card Industry Data Security Standard.
- Phishing threats. One study found that phishing attacks are rising alongside the growth of remote working. Phishing has traditionally reached unsuspecting recipients by email, but social media is now another channel of risk.
Financial Services Cybersecurity Regulations in the US
Globally, governments are enacting regulations and publishing guidance to protect data and industries against malicious attacks as well as human error. New and revised regulations arrive with increasing frequency, complicating the picture for private businesses, which must comply with the laws of their own jurisdiction and of every jurisdiction in which they do business.
Cybersecurity Requirements for Financial Services Companies
Led by California and Virginia, many US state legislatures are considering their own measures, which may in turn prompt federal regulation. In the meantime, US financial institutions are already subject to the Gramm-Leach-Bliley Act Safeguards Rule. Like the regulations noted above, it holds institutions responsible for the security of their vendors.
Proposed Cybersecurity Requirements for Financial Services Companies
As increasing threats inspire new cybersecurity regulations, financial services leaders should watch for changes in how they do business. In one example, a proposed US rule would require banking organizations to notify their primary federal regulator within 36 hours of determining that a computer-security incident rises to the level of a notification incident. The clock starts at that determination rather than at initial detection, so incident-response playbooks need a defined severity-assessment step with an owner and a deadline.
Financial Impact of Security Breaches
The costs of security breaches, and of the effort to prevent them, are steep, particularly for the financial sector. According to Accenture, the financial services industry faces the highest average cost of cybercrime per company, at $18 million.
Overlooked data permissions become expensive vulnerabilities: every employee who can reach sensitive data without needing it is one more account whose compromise or mistake exposes that data. The average financial services employee has access to 11 million files, a figure that rises to 20 million for employees of large financial organizations, according to Varonis.
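The Varonis figure above comes from the kind of effective-access audit that a data-risk assessment performs: expand every group on every folder ACL down to individual users, total the files each user can reach, and flag folders where broad groups hold rights. The script below is an added example written for this page, not code from the article or from Varonis; the groups, UNC paths, file counts and ACL entries are constructed sample data, and the ACLs are assumed to be the effective entries after inheritance has already been resolved.

```python
"""Least-privilege audit over a constructed file-share inventory.

Hypothetical data, not from the article or from Varonis. It answers two questions a
data-risk assessment asks: how many files can each user reach, and which folders are
open to broad groups such as Everyone or Domain Users.
"""
from collections import defaultdict

# Constructed directory groups. A member that is itself a key here is a nested group.
GROUP_MEMBERS = {
    "Domain Users": {"alice", "bob", "carol", "dave"},
    "Everyone": {"Domain Users"},
    "Finance": {"alice", "bob"},
    "Finance-Admins": {"alice"},
    "HR": {"carol"},
}

# Groups whose presence on a sensitive folder almost always means over-exposure.
BROAD_GROUPS = {"Everyone", "Domain Users", "Authenticated Users"}

# Constructed effective ACLs (inheritance already resolved) and the number of files
# each ACL governs. The UNC paths are illustrative.
ACLS = {
    r"\\fs01\Shared":          [("Domain Users", "read")],
    r"\\fs01\Finance":         [("Finance", "read")],
    r"\\fs01\Finance\Payroll": [("Finance-Admins", "full"), ("Everyone", "read")],
    r"\\fs01\HR":              [("HR", "full")],
}
FILE_COUNTS = {
    r"\\fs01\Shared": 900_000,
    r"\\fs01\Finance": 120_000,
    r"\\fs01\Finance\Payroll": 4_000,
    r"\\fs01\HR": 30_000,
}
SENSITIVE = {r"\\fs01\Finance\Payroll", r"\\fs01\HR"}


def expand_principal(name, groups=GROUP_MEMBERS, _seen=None):
    """Return the set of users behind a principal, expanding nested groups.

    A name that is not a key in `groups` is treated as a user. `_seen` records
    groups already expanded so a membership cycle (A contains B contains A)
    terminates instead of recursing forever."""
    if name not in groups:
        return {name}
    seen = _seen if _seen is not None else set()
    if name in seen:
        return set()
    seen.add(name)
    users = set()
    for member in groups[name]:
        users |= expand_principal(member, groups, seen)
    return users


def effective_access(acls=ACLS, groups=GROUP_MEMBERS):
    """Map each user to the folders they can read (any right implies read here)."""
    access = defaultdict(set)
    for folder, entries in acls.items():
        for principal, _rights in entries:
            for user in expand_principal(principal, groups):
                access[user].add(folder)
    return dict(access)


def files_reachable(acls=ACLS, groups=GROUP_MEMBERS, file_counts=FILE_COUNTS):
    """Total files each user can reach: the per-employee figure assessments report."""
    return {user: sum(file_counts[folder] for folder in folders)
            for user, folders in effective_access(acls, groups).items()}


def broad_grants(acls=ACLS, broad=BROAD_GROUPS, sensitive=SENSITIVE):
    """Folders where a broad group holds any right, sensitive folders first."""
    findings = [(folder, principal, rights, folder in sensitive)
                for folder, entries in acls.items()
                for principal, rights in entries if principal in broad]
    return sorted(findings, key=lambda f: (not f[3], f[0]))


if __name__ == "__main__":
    for user, count in sorted(files_reachable().items()):
        print(f"{user:<8} can reach {count:>9,} files")
    for folder, principal, rights, is_sensitive in broad_grants():
        flag = "SENSITIVE " if is_sensitive else ""
        print(f"{flag}{folder}: {principal} has {rights}")
```

In this sample every user reaches at least 904,000 files because the Payroll folder grants read to Everyone, which expands through Domain Users to the whole staff; the single Everyone entry, not the per-team grants, is what drives the per-employee number. Real audits read the group membership from the directory and the ACLs from the file servers, but the expansion and totalling logic is the same.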
The Enormous Costs of Cybersecurity Threats
Take a look at the numbers associated with three types of cybercrime:
Data breaches. IBM's 2020 Cost of a Data Breach Report put the global average total cost of a data breach in 2020 at $3.86 million. Financial services are hit harder, with an average cost of $5.85 million.
Ransomware. A 2020 survey put the average cost of remediating a ransomware attack at $761,106; organizations that did not pay the ransom still spent about $732,520 recovering their systems, so refusing to pay avoids only a small part of the cost.
Phishing. CSO Online reported that phishing accounts for 80% of reported security incidents. Another report found that recipients open 30% of phishing messages sent to them.
The Massive Spend on Cybersecurity
Top Targets and Sources of Cyberattacks
When identifying the top targets of cyberattacks, look toward the top of the organizational chart. C-suite leaders are 12 times more likely than other employees to be targeted by social-engineering attacks, and 40% of respondents named C-suite employees, including the CEO, as their company's highest cybersecurity risk (GBhackers).
According to Verizon, 63% of attacks are carried out by financially motivated external actors, while 27% originate internally, whether from employees acting deliberately for financial gain or from employees simply making mistakes.
Why Boards Should Prioritize Cybersecurity in the Post-COVID World
As governments worldwide enact or revise legislation and guidance on cybersecurity, organizational leadership is also responding by making security a top priority.
A large majority of boards (92%) are involved in cybersecurity direction and strategy, Diligent Institute found in its report What Directors Think: Navigating a Pivotal Year. In the same report, 37% of responding directors named cybersecurity the most challenging issue to oversee, placing it third behind new technologies and innovation (42%) and culture (40%).
How To Mitigate a Cyber Attack Within Your Financial Services Organization
So, what can you do? Diligent has assembled actionable best practices for your organization. The upshot: as with so many strategic efforts, the key is an informed and involved leadership team supported by the right tools. Ensure board members understand the scope of the risk and the rapidly changing regulations worldwide. Build cybercrime risk prevention into top-level business strategy. Replace personal email for collaboration with encrypted communication tools. Steps such as these shrink the target your organization presents, whether the threat is an external attacker or an internal error.
While it may not be possible to prevent every cyberattack on a financial services organization, thoughtful steps to mitigate risk and a plan for responding when attacks do happen will help leaders steward their companies effectively through the years to come. Through its modern governance platform and its experience with the concerns of financial services, Diligent continues to support organizations like yours as they navigate today's risks. Read more in Diligent's New Cyber Risk Scorecard.