Despite financial services being a highly regulated industry, 59% of financial services organizations surveyed for a study by Frost & Sullivan have either experienced a security incident (26%) or are not sure if they have had a security incident as they have not checked (27%).
The study further reveals that over the last year, each cyber attack has cost large financial services companies in Asia Pacific an average of US$7.9 million in direct and indirect economic loss, and three out of five organizations have also experienced job losses resulting from cybersecurity incidents. For mid-sized financial services companies, the average economic loss due to a cybersecurity incident was US$32,000 per organization.
To calculate the cost of cyber attacks, Frost & Sullivan created an economic loss model based on insights shared by the survey respondents. This model factors in two kinds of losses which could result from a cybersecurity breach:
- Direct: Financial losses associated with a cybersecurity incident – this includes loss of productivity, fines, remediation cost, etc; and
- Indirect: The opportunity cost to the organization such as customer churn due to reputational damage.
“Trust is foundational for all business decision-making. This is especially true when it comes to the financial services industry as they are protecting not only their own businesses, but also their customers’ data and financial assets,” explained Kenny Yeo, Industry Principal, Cyber Security, Frost & Sullivan. “For banks and other financial services organizations, the potential loss of trust and the consequent reputation damage is a far greater threat than the economic impact of a cybercrime.”
The study found that for financial services companies, remote code execution, online brand impersonation, ransomware and data exfiltration are the biggest concerns as they have the highest impact to the business and they often result in the slowest recovery time.
- Online brand impersonation is a rather unique threat that financial services companies faced as they become increasingly digital. Cybercriminals are leveraging phishing techniques to create spoofed websites to steal customers’ identities and passwords to access financial accounts.
- The study uncovered that data exfiltration has the most severe impact on financial services companies as cybercriminals infiltrate the organizations’ digital environment to steal proprietary intellectual property as well as customers’ personal information and financial data to sell in the underground economy.
Despite seeing competitive advantage in offering advanced digital services to their customers, the study revealed that cybersecurity concerns and approaches are impeding their digital transformation journey:
- Cybersecurity concerns thwart digital transformation plans: 63% of the business and IT leaders in the financial services sector have indicated that the fear of cyberattacks has derailed their organizations’ digital transformation plans, thus undermining the organizations’ ability to capture opportunities and diminishing their competitive advantage in the burgeoning digital economy.
- Despite the fact that cybersecurity will likely be enhanced through the digital transformation process, 40% of respondents from financial services industry saw their cybersecurity strategy as merely a means to safeguard their organizations against cyberattacks. Only 25% sees cybersecurity as a business advantage and an enabler for digital transformation.
- Security as an afterthought: If financial services companies do not view cybersecurity as one of the cornerstones of digital transformation, it will hinder their ability to deliver a “secure-by-design” digital project, thereby leading to products and services with security vulnerabilities.
The study reveals that only 28% of financial services companies that had fallen victim to a cyberattack considered building a cybersecurity strategy before the start of a digital transformation project, as compared to more than one out of three (35%) organizations that have not encountered any cyberattack.
The remaining respondents stated that they either considered cybersecurity after their projects have started, or they did not take cybersecurity into consideration when designing their digital transformation projects.
Having too many security solutions may lead to longer recovery time: The survey uncovered that financial services companies with fewer than 10 cybersecurity solutions were quicker to recover from cyber incidents than those having 26 to 50 cybersecurity solutions.
This debunks a popular misconception that deploying a large portfolio of cybersecurity solutions will render stronger protection. The reality is that the complexity of managing a large portfolio of cybersecurity solutions may lead to a longer recovery time for cyberattacks.