Those who have been tracking Accenture’s annual “Cost of Cybercrime” study over the years may not be overly surprised at several of the high-level findings from our 2019 report about cyberattacks in the financial services industry (which includes banking, capital markets and insurance). Still, the persistence of these issues is important to note:
- The cost of cybercrime is up again: The average cost of cybercrime per firm is $18.5 million, up from $18.28 million in 2017. This number is the highest of all types of companies included in the study and more than 40% higher than the average cost of $13 million per company across all industries.
- The time required to resolve an incident has increased dramatically: Malware, up 89% in time needed to resolve; denial of service, up 63%; phishing and social engineering attacks, up 22%.
- Revenue is at risk: Accenture estimates that, between 2019 and 2023, the average revenue opportunity at risk in banking and capital markets from cybercrime is $394 billion. For insurance, that number is $305 billion.
- The frequency of many types of attacks is higher than last year. Web-based attacks—for example, attacks where websites are breached and data is stolen—are up 8%, a substantial increase. Also of concern are malware (+3%), botnets (+3%), malicious code (+4%) and ransomware (+5%).
Other details from the report are also quite noteworthy for financial services firms wanting to control security costs and keep themselves—and their customers—safe from cyberattacks.
What’s a “cyberattack”?
We define cyberattacks as malicious activity conducted against an organization through the IT infrastructure via the internal or external networks or the Internet. Cyberattacks also include attacks against industrial control systems (ICS).
Malicious insider attacks are now the most expensive to resolve
Threats from inside your firewall are among the most dangerous. The cost of malicious insider attacks is up; the U.S. figure is especially high, with a 44% rise since last year (at $243,000 per incident). Those attacks required 55 days, on average, to resolve.
Why are insiders a rising threat? Another finding from our study provides an additional clue: In banking and capital markets, only 18% of Chief Information Security Officers say that employees in their organizations are held accountable for cybersecurity today. Traditionally, technology infrastructure was built to keep money safe, even from insiders, but the additional expense was not incurred to prevent insiders from accessing sensitive, private or confidential data. Now that a market for that data has emerged on the dark Internet, data is being stolen and sold by malicious employees.
Figure 1: Malicious insider attacks are the most expensive to resolve
Recovery investments are inadequate
The spending percentages of several types of security investments for financial services firms are quite similar: discovery (29%); investigation (25%); and containment (28%). But when it comes to actual recovery from a cyber event, spending drops to 18% (down from 30% last year), increasing the risk of business disruption. (See Figure 2.)
Figure 2: Companies are spending the least of their cybersecurity investment on recovery activities.
Advanced technologies are still not being adequately used for cybersecurity
This has been a major theme of our research for several years. Only about one-third (34%) of firms are deploying advanced technologies like automation, artificial intelligence (AI) and machine learning to help combat cyber threats. Similarly, just 24% of firms are making extensive use of cyber analytics and user behavior analytics (UBA), down from 31% in last year’s study.
Such trends are discouraging, in part because the current study found that, when fully deployed, these technologies deliver the biggest cost savings for an organization’s security efforts. This suggests financial services firms are struggling to keep up with the rapid pace of new technologies and, as a result, are not making the appropriate investments to increase operational efficiency and reduce risk.
In the area of cybercrime, financial services firms should be paying attention to several areas in particular:
- Increase defenses against web-based attacks. Such attacks showed the largest increase from last year—8%—and are second only to malware in frequency.
- Focus on reducing ransomware occurrences. Numbers of these attacks are exceptionally high, up 5% from last year.
- Invest to prevent business disruption, which is now the most expensive consequence of cybercrime according to our study.
- Improve deployment of technologies with high ROI—namely, security intelligence and threat sharing; advanced identity and access governance; automation, AI and machine learning; and the extensive use of cryptographic analytics.
- Manage the use of less-effective technologies (those with lower ROIs), such as enterprise governance, risk and compliance; advanced perimeter control; and the extensive use of data loss prevention.
Conclusion: Spend wisely
The threats of cyberattacks are ongoing, and the cost of cybercrime continues to grow in the financial services industry. In fact, in this year’s study, financial services incurred the highest cybercrime costs among all industries studied. Wiser and more focused technology investments at the right spending levels could actually reduce costs while improving banks’ and insurers’ overall cybersecurity resilience.
About Accenture’s “Cost of Cybercrime” study
Accenture’s “Cost of Cybercrime” study, conducted by the Ponemon Institute, LLC on behalf of Accenture, analyzes a variety of costs associated with cyberattacks on IT infrastructure, economic cyber espionage, business disruption, exfiltration of intellectual property and revenue losses. Data was collected from 2,647 interviews conducted over a seven-month period from a benchmark sample of 355 organizations in 11 countries. The financial services industry data was collected from 537 interviews from a benchmark sample of 72 financial services companies in Australia, Brazil, Canada, France, Germany, Italy, Japan, Singapore, Spain, the UK and the U.S.