Financial services institutions lead all industries in the average annual cost of cybercrime incurred per company. In 2015, that figure reached $28.3 million. With cyberattacks only increasing, many firms are devoting more money and technology tools to cyber risk management. But even with cyber risk treated as a priority, firms are still struggling to keep up with a moving target.
Deloitte published an in-depth analysis of how security leaders at financial services firms are handling cyberattacks and how firms can stay ahead of these issues. The paper draws on interviews Deloitte conducted with senior cybersecurity, technology and risk management specialists from across the financial services industry about the obstacles they face, their frustrations and the progress they have made. While not all interviewees shared the same challenges, there were a number of key areas of consensus.
The broad themes were:
- Money is not the obstacle when creating a cybersecurity budget.
- It is hard to juggle multiple priorities, or to address vulnerabilities in current systems, while still innovating with new technology.
- Chief information security officers are striving to innovate in a multitude of ways but find it hard to integrate new security tools.
- There is a lack of cybersecurity talent, creating staffing challenges.
- 54% of firms stated that it takes them between 3-6 months to fill a cybersecurity/ information security position.
- 60% of firms said that 50% or fewer of their applicants are qualified for the position.
- 75% of applicants for these positions lack an understanding of the financial services industry.
- Cyber risk metrics and reporting responsibilities overwhelm chief information security officers, because there are no widely accepted, meaningful measurements or industry-wide standards, while oversight demands are increasingly redundant.
- Chief information security officers face legal ambiguity and regulatory hurdles when trying to share information within and beyond the industry.
The paper also provides suggestions for how firms can handle these common obstacles.
- When firms create a cybersecurity budget, they should take into account the ongoing cost of keeping their proposed solutions running and effective, not just the initial purchase.
- Firms should budget for programs and tools that help create a cyber-risk aware culture amongst their employees and clients.
- Firms need to conduct a variety of cyber exercises throughout the year, including exercises with C-suite participation, exercises specific to individual lines of business, and others focused on particular scenarios.
- Firms should ensure all employees understand the firm's protocols for responding to a cyber breach. All employees should know whom they need to notify within and outside the firm, when to contact law enforcement, and similar response steps.
- Firms should keep cyber initiatives digestible by rolling out 18-24 month strategies with clear ownership for execution.
- Firms should think about creating an oversight committee that includes the chief information officer, chief operating officer, chief risk officer, line-of-business officials, legal representation and other relevant stakeholders, to ensure all business aspects are properly represented when determining cyber risk management policies.
- To respond to the shortage of cybersecurity talent, firms should broaden their search outside the financial services industry. But firms should also account for the time it will take those individuals to learn about the industry.
- Firms should consider forming "circles of trust" to bolster intelligence sharing; these can be formed with peers, partners, clients and vendors.
The report provides many useful suggestions that firms could incorporate into their cyber risk management plan. FSI wants to help firms with their cyber risk management and is looking for more members to join the Cybersecurity Task Force. Recently the Task Force created FSI's NIST Cybersecurity Framework Adoption for Broker-Dealers and hopes to create additional guides. If you are interested in joining, please contact Natalie Wengroff, Regulatory Affairs Counsel, at firstname.lastname@example.org or (202) 803-5144.