MOST financial institutions have been moving steadily towards digitisation for some time now. Operations across companies large or small in all financial sectors have been going digital, driven by the need for efficiency as well as rising customer expectations. Among financial services firms, the pace of adoption has often varied based upon a company’s readiness for change, agility and size, among other factors.
Over the last few months, the COVID-19 pandemic has forced many companies to accelerate their digitisation efforts. As office closures and restricted movement compelled everyone and everything that could go virtual to do so, many institutions had to more fully embrace a digital transformation in operations, distribution and customer engagement.
This sudden shift, however, has compounded problems for many chief information security officers (CISOs) and cybersecurity teams charged with securing the digital fortress at their firms. Hackers and cyber scammers are trying to take advantage of expanding technology footprints and new attack surfaces, with most employees working remotely. In April, the New York Department of Financial Services highlighted the significant increase in cybercrime related to the COVID-19 outbreak.1
The imperative is clear across the board: Organisations should be digitally enabling the cybersecurity function to keep pace with rapid IT transformation and protect critical assets against increasing levels of cyberthreats and attacks. For the third consecutive year, the Cyber & Strategic Risk Services team at Deloitte & Touche LLP and the Financial Services Information Sharing and Analysis Centre (FS-ISAC) surveyed FS-ISAC members on how they are confronting cyber challenges. (The most recent survey was fielded from late 2019 through January 2020, and its results are referred to here as the 2020 survey report. Each year's results are identified by their year of publication: 2020, 2019 and 2018. See the sidebar, “About the survey”, for further details.)
Our annual survey explores how cybersecurity programmes are structured and managed at financial institutions and the different choices made in terms of organisation models, spending patterns, outsourcing and investment priorities, among other important considerations.
Over the past three years, cybersecurity has continued to grow as a priority. Financial firms keep allocating more resources, increasing board involvement and making investments that are more aligned to IT and business priorities. The report also identifies several key cyber risk management trends at large financial institutions, as well as future implications that may be relevant to firms of all sizes in the wake of COVID-19.
One of the most crucial elements of a financial institution's cyber risk management operation is the amount of resources devoted to cybersecurity programmes. The average yearly cost of cyberattacks has been increasing for many organisations.2 So, it was not unexpected to find that cybersecurity expenditure rose among the financial institutions surveyed compared to those responding in the preceding year (figure 1).
Respondents to our most recent survey spent about 10.9% of their IT budget on cybersecurity on average, up from 10.1% a year earlier. This equalled about 0.48% of company income on average, again up from 0.34%. In terms of spending per employee, respondents spent about US$2,700 on average per full-time employee (FTE) on cybersecurity, increasing from about US$2,300 last year.
At the same time, cybersecurity spending varied significantly by sector, depending on which benchmark (share of IT budget, share of income or spend per employee) is used (figure 2).
Despite increased expenditure, budget allocations have remained largely consistent over the three years of the survey. Cyber monitoring and operations, endpoint and network security, and identity and access management together received more than 50% of the spending in our latest survey (figure 3).
Another reason for increased cybersecurity spending is increased pressure on boards and executive management teams, which has heightened their interest in cybersecurity at responding financial institutions (figure 4). Based on Deloitte’s interactions with clients, CISOs who were able to continuously refine and articulate cybersecurity’s value propositions to the board tended to be more successful in securing board engagement.
Board engagement was not limited to strategic or operational areas. Among the areas of board interest, security technologies rose from ninth place in our prior survey to seventh in the most recent one, indicating that boards are becoming more interested in understanding the technical aspects of cybersecurity. Similarly, boards were more interested in reviewing the roles and responsibilities of the security organisation than in the past. This likely validates the growing emphasis on the notion that cybersecurity is everyone's job and not just the CISO's responsibility.
Survey respondents who rated their cyber programmes as more mature had boards and management committees that were more interested in nearly all areas of cybersecurity than those from organisations with less mature cyber risk management programmes. This underscores the importance of board engagement.
Looking ahead, given the tough macroeconomic conditions arising from the COVID-19 pandemic, many companies will likely be taking a hard look at whether they need to cut expenses across the board. Financial institutions, however, should be particularly judicious before making a reduction in cybersecurity budgets. Given the increased push towards digitisation and the challenges raised by new, often remote work environments, as well as an increase in insider threats, cyber risks confronting most organisations are intensifying.3
Technology is a part of everything that financial institutions do, but adopting new technologies across businesses comes with increased cyber risks. It is therefore likely no surprise that respondents ranked rapid IT changes and rising complexities as the No. 1 challenge in managing cybersecurity (figure 5) for the last three years, while the second biggest challenge was the unavailability of skilled cyber professionals to help secure systems in such a rapidly evolving IT environment.
At the same time, business growth and expansion, a rising challenge according to respondents in our 2019 report, may recede for the time being, as companies have generally shifted focus from growth to pandemic response and recovery.
More and more financial institutions are using emerging technologies to innovate and develop new products, services and digital channels. But these critical enablers could become the target of additional cyberattacks. Thus, embedding cybersecurity into new products and services, and into new channels, remained the top two business issues with security implications at the large financial institutions surveyed (figure 6).
New products and services: Financial institutions today are often competing as well as collaborating with fintechs on product and service innovation. As companies strive to be first to market, these innovations often require speed and flexibility to be successful. However, companies should ensure that enough precautions are taken in designing, building and utilising new innovations, as new cybersecurity threats could emerge during any of these stages. The challenge for an organisation's cybersecurity function is to create controls commensurate with the additional risk being taken on, without being perceived as a roadblock to innovation.
New channels: Companies often seek newer, easier ways to do business with customers, but newer channels may come with their own set of cyber vulnerabilities.
Take augmented or virtual reality (AR/VR), for example. Even as financial institutions experiment with using AR/VR to interact with clients, hackers have devised sophisticated cyberattacks to compromise AR/VR applications and devices, which could potentially cause serious physical or financial damage. Traditional cybersecurity controls might not be well-suited to protect against these attacks.
Cybersecurity functions should assess the need to digitise and enhance their controls to adapt to and protect these new digital channels. Companies should also consider adopting “security-by-design” principles, where customised security controls are developed and embedded into the core structure of new channels as they are established and operationalised.
Cost reduction was already much on the minds of respondents, ranking third in each of the past two surveys, even before the fallout from COVID-19 became an additional concern.
However, going forward, cost reduction is likely to become more important in the post-COVID-19 world. Many companies will be under pressure to reduce expenses in a recovering economy, which could mean taking measures such as workforce restructuring, office space reductions due to the continuation of remote work for many employees, as well as increased use of automation or cloud capabilities, among other technology options.
Actions taken to reduce operational costs should nonetheless be evaluated carefully for their cybersecurity implications. Companies should consider compensating measures to ensure that cost-reduction initiatives such as workforce restructuring do not expose them to additional cyber risks, such as insider threats.
CISOs will also likely be called upon to come up with recommendations to manage costs. They could consider using selective outsourcing or increasing automation, while supporting cost-reduction initiatives across the organisation (for example, by enabling a secure migration of data and/or systems to the cloud).
For the past three years, cloud was consistently the No. 1 emerging technology in which respondents from large financial institutions said they wanted to invest (figure 7). Many of these companies already have a significant portion of their IT infrastructure in the cloud, with the next round of adoption being driven by the migration of core business applications. Many are also developing and deploying new apps for the digital world directly on the cloud.
At the same time, cloud service providers are augmenting their offerings through analytics-as-a-service and automation-as-a-service. Survey responses were in line with this trend: Most large firms expected to increase adoption of software-as-a-service and platform-as-a-service capabilities. However, with more data and applications moving outside the traditional security perimeter, the attack surface, and with it the risk of cyberattacks, increases.4
Data and analytics was the second emerging technology priority identified by large respondents. Since financial institutions have access to sensitive personal information, data breaches could have significant reputational implications. At the same time, many rely on insights from proprietary data and integration with third-party data vendors. Protecting data can be paramount to satisfying client data security and privacy expectations as well as meeting regulatory requirements.
Meanwhile, regulators have taken note of the large amounts of personal data captured and stored by companies, as well as their resiliency and data integrity. They have formed data protection standards, such as Europe’s General Data Protection Regulation (GDPR),5 and in the United States the Federal Financial Institutions Examination Council’s Cybersecurity Profile6 as well as the California Consumer Privacy Act.7 These developments have made data protection an important focus area for cybersecurity.
With artificial intelligence/cognitive technologies in third place and robotic process automation in fourth, it is clear that advanced automation and machine learning present a new set of solutions that can help financial institutions transform operations and reduce costs. While companies are likely taking precautions during development and training, these technologies are still evolving, and users are only slowly getting accustomed to working with robotic solutions (better known as bots). Bots hold user privileges and can access sensitive company data and automated processing systems, which gives attackers a whole new attack surface that can be leveraged to penetrate an organisation's systems. Automation technology, despite its enormous potential, can therefore add to a company's vulnerabilities during development and training as well as in use, and financial firms should address each of these stages.
Indeed, the increased focus of cybersecurity teams in protecting against vulnerabilities tied to emerging technology could be seen in the investment priorities of large financial institutions (figure 8).
People working in security have talked about identity and access management since the introduction of shared computing and mainframes. It remains a priority, albeit typically for different reasons. In an increasingly cloud-native and API-connected world, access control is once again a priority because these technologies multiply identities and devices, creating additional identity types and new authentication requirements.8 In an increasingly automated environment, this capability is also both more critical and more complicated to get right.
In a similar vein, data security and protective technology can play a vital role in preventing data corruption and denial of service attacks.
The rate of digitisation is likely to increase further as the industry progresses, and so it should remain a key factor in influencing and prioritising cybersecurity investments and capabilities. It is a leading practice to fully integrate cybersecurity functions into a company’s digitisation journey and to embed cybersecurity as a core consideration in transformation projects.
Financial companies manage and operate cybersecurity programmes in different ways, from how they are structured, to reporting lines, to establishing focus areas for cybersecurity spending. Many have adopted a mix-and-match approach based on their company’s objectives.
In this dynamic environment, many financial firms are now closely linking cybersecurity programmes to technology initiatives to effectively mitigate emerging cyber risks. This was reflected in the way cyber risk management was organised at large financial institutions participating in the survey. Indeed, a majority of respondents cited cybersecurity as a part of their IT organisation (figure 9).
The close alignment between cybersecurity and IT objectives was also reflected in the reporting structure for survey respondents. Among CISOs surveyed from large financial firms, 62% reported either to the chief information officer (CIO) or the chief technology officer (CTO), a substantial increase from 38% the year before and only 20% the year before that (figure 10).
By closely aligning cybersecurity with the IT function, financial institutions can be better positioned to deal with emerging cyber risks in a faster and more effective manner, helping their IT partners become more agile.
While the first line of defence in cybersecurity is often aligned closely to technology functions through common lines of reporting, security personnel there usually have clearly segregated roles and responsibilities. In the second line of defence, however, cybersecurity is often a part of the technology or risk functions without clearly delineated requirements, roles or responsibilities.
Companies should therefore clearly delineate cybersecurity from technology and risk functions across both the first and second lines of defence by providing a clear separation of roles and responsibilities.
Cyberthreats and attacks are no longer just a technology risk, but a business risk as well.9 That’s why the cybersecurity function should have sufficient independence and prominence. This can help ensure that decisions related to risk management are given due consideration and are not influenced or overshadowed by other IT considerations or constraints.
If cybersecurity is part of IT, it may not have enough visibility and ties to actual lines of business. At the same time, with CISOs reporting to CIOs, other stakeholder relationships may matter even more to balance risk and business priorities.
Companies should therefore consider specific measures to create linkages among lines of business, risk partners and cybersecurity. This can be accomplished by creating steering committees, hiring business information security officers (BISOs) and other options. These actions could also help align cybersecurity with future business plans (figure 11).
Finally, companies should work on ensuring that boards and management committees place cybersecurity high on their agendas. As noted earlier, having an engaged board can help the entire organisation focus on the challenge of managing cyber risk while assuring that adequate resources are allocated. And board oversight should be ongoing, rather than only at the initial stages or when there is a cyber incident.
The COVID-19 pandemic has significantly disrupted financial institutions and the ways they operate globally. Remote work has increased significantly and—as a result—the use of videoconferencing and team collaboration applications has skyrocketed. And these changes may not disappear as firms recover. Indeed, a recent Deloitte report found that many financial institutions are evaluating permanent remote work for at least part of their workforce. Based on conversations with industry leaders, some companies are considering remote work for 30% or more of their employees on a more permanent basis.10
Cybersecurity organisations will need to quickly adapt to this new operating environment by implementing enhanced controls and endpoint protection technologies to exert greater control over end-user devices. Companies should consider increasing training and awareness activities, focusing on remote etiquette for work-from-home environments.
At the same time, with the lines among employees, customers, contractors and partners/vendors blurring, firms should consider implementing “zero trust” principles for access, since the organisation's perimeter is essentially gone. This means every transaction involving a flow of data, whether through networks, applications, users, devices or workloads, is authenticated and authorised on its own merits and constrained to least-privilege access, regardless of where the request originates.
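The per-request decision that zero trust implies is easier to see in code than in prose. The following is an added example, not code from the article or from Deloitte/FS-ISAC: a small default-deny policy evaluator in which every request carries the subject, the device posture and the requested action, and in which network location is deliberately not a factor. The resource names, subject types and policy table are hypothetical.

```python
"""Default-deny, per-request access decision in the spirit of zero trust.

Added example (not from the original article). The policy table, subject
types and resource names are hypothetical. Each request is judged on the
identity and device presented with it; being on the corporate network is
recorded but never grants anything.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    subject: str
    subject_type: str      # "employee", "contractor", "partner" or "workload"
    strong_auth: bool      # MFA for people; attested identity for workloads
    device_managed: bool   # enrolled in endpoint management
    device_patched: bool   # meets the patch/compliance baseline
    on_corp_network: bool  # present in the request, intentionally ignored
    resource: str
    action: str            # "read" or "write"


# Hypothetical entitlement table: resource -> subject_type -> allowed actions.
# Anything absent from the table is denied (least privilege by default).
POLICY = {
    "customer-records": {
        "employee": {"read", "write"},
        "contractor": {"read"},
        "workload": {"read"},
    },
    "build-artifacts": {
        "employee": {"read", "write"},
        "workload": {"read", "write"},
    },
}


def decide(req: Request) -> tuple[bool, str]:
    """Evaluate one request. Returns (allowed, reason).

    Every check must pass; failures are accumulated so the audit record
    explains the denial. Note that req.on_corp_network is never consulted.
    """
    failures = []
    if not req.strong_auth:
        failures.append("strong authentication required")
    if not req.device_managed:
        failures.append("unmanaged device")
    if not req.device_patched:
        failures.append("device out of compliance")
    allowed_actions = POLICY.get(req.resource, {}).get(req.subject_type, set())
    if req.action not in allowed_actions:
        failures.append(
            f"{req.subject_type} not entitled to {req.action} on {req.resource}"
        )
    if failures:
        return False, "; ".join(failures)
    return True, "ok"


def evaluate_all(requests: list[Request]) -> list[tuple[str, bool, str]]:
    """Decide a batch of requests and return audit-style records."""
    return [(r.subject, *decide(r)) for r in requests]


# Constructed sample requests, not real data.
SAMPLE_REQUESTS = [
    # Inside the office, but no MFA: the network does not vouch for the user.
    Request("alice", "employee", False, True, True, True, "customer-records", "read"),
    # Remote, MFA, compliant device: allowed despite being off-network.
    Request("alice", "employee", True, True, True, False, "customer-records", "write"),
    # Contractor trying to write where only read is granted.
    Request("bob", "contractor", True, True, True, False, "customer-records", "write"),
    # Workload (bot) with attested identity pulling build artefacts.
    Request("ci-runner-7", "workload", True, True, True, False, "build-artifacts", "read"),
    # Request for a resource with no policy entry at all: denied by default.
    Request("carol", "employee", True, True, True, True, "hr-payroll", "read"),
]

if __name__ == "__main__":
    for subject, allowed, reason in evaluate_all(SAMPLE_REQUESTS):
        print(f"{subject:12s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The point worth noticing is the last sample request: a fully authenticated, compliant employee on the corporate network is still denied because no entitlement exists for that resource. In a real deployment the same decision would sit in an access proxy or an identity-aware gateway in front of each application, with the policy table sourced from the identity and entitlement systems rather than a dictionary.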
Companies should also digitally enable their cyber function to improve agility and automation. Weaving security-by-design principles into IT service development and embedding cybersecurity requirements into the architecture and design stages of the software development life cycle could help companies get ahead of evolving threats.
That said, CISOs should not take their eyes off longer-term goals, which likely include aligning with the company’s strategic priorities, managing talent challenges and addressing external issues such as regulation. Such broad engagement can highlight the value cybersecurity adds to the business (figure 12). To execute on this well, stakeholder engagement will likely become critical, regardless of the operating model used.
Effective cybersecurity programmes should demonstrate business value. To help ensure the value of cybersecurity is fully realised and appreciated by top management, CISOs can focus on several actions, including:
While the challenges presented by the current operating environment are vast, CISOs should stay focussed on broader, longer-term organisational objectives and plans. This can help ensure cybersecurity is prepared to keep up with the transformative changes that lie ahead.
This article is based on surveys fielded in each of the last three years by the Financial Services Information Sharing and Analysis Centre (FS-ISAC) of its members, all Chief Information Security Officers (CISOs) or their equivalents, in conjunction with the Cyber & Strategic Risk Services practice of Deloitte & Touche LLP. The most recent survey was launched in late 2019 and concluded on 27 January 2020. The survey results are identified and presented according to the year of their publication: 2020 for the most recent, preceded by 2019 and 2018.
The study looked at various components of a financial institution’s cybersecurity operation, including how it is organised and governed, who the CISO reports to, budgets, the level of board interest in the CISO’s work, as well as which cybersecurity capability areas were prioritised in terms of spending (figure 13).
This report provides an analysis of responses across all three years the survey was conducted to spot cyber risk trends across the industry.
Fifty-three companies participated, with representation across multiple income levels (figure 14) and all sectors (figure 15, adding up to more than 53 because some respondents represented multiple categories). In addition, some or all of the respondents may have been different for each of the surveys.