A Frost & Sullivan study commissioned by Microsoft reveals that despite financial services being a highly regulated industry, more than half (56%) of the organizations surveyed have either experienced a security incident (27%) or are not sure if they have had a security incident (29%).
The study further reveals that over the last year, each cyberattack has cost large financial services companies in Asia Pacific an average of US$7.9 million in direct and indirect economic loss, and three out of five organizations have also experienced job losses resulting from cybersecurity incidents. For mid-sized financial services companies, the average economic loss due to a cybersecurity incident was US$32,000 per organization.
These findings are part of the “Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World” study which was launched in May 2018. It aims to provide business and IT decision makers in the financial services sector with insights on the economic cost of cybersecurity breaches and to help identify gaps in their cybersecurity strategies. The initial study involved a survey of 1,300 business and IT decision makers ranging from mid-sized organizations (250 to 499 employees) to large-sized organizations (>than 500 employees), and 12% of these respondents are from the financial services industry.
Frost & Sullivan created an economic loss model based on insights shared by the survey respondents. This model factors in two kinds of losses:
- Direct: Financial losses associated with a cybersecurity incident – this includes loss of productivity, fines, remediation cost, etc; and
- Indirect: The opportunity cost to the organization such as customer churn due to reputational damage.
“Trust is foundational for all business decision-making. This is especially true when it comes to the financial services industry as they are protecting not only their own businesses, but also their customers’ data and financial assets,” said Kenny Yeo, Industry Principal, Cyber Security, Frost & Sullivan. “For banks and other financial services organizations, the potential loss of trust and the consequent reputation damage is a far greater threat than the economic impact of a cybercrime.”
The study found that for financial services companies, remote code execution, online brand impersonation, ransomware and data exfiltration are the biggest concerns. They have the highest impact to the business and they often result in the slowest recovery time.
- Online brand impersonation is a rather unique threat that financial services companies faced as they become increasingly digital. Cybercriminals are leveraging phishing techniques to create spoofed websites to steal customers’ identities and passwords to access financial accounts.
- The study uncovered that data exfiltration has the most severe impact on financial services companies as cybercriminals infiltrate the organizations’ digital environment to steal proprietary intellectual property as well as customers’ personal information and financial data to sell in the underground economy.
Furthermore, it revealed that cybersecurity concerns and approaches are impeding their digital transformation journey. More than 63% of the business and IT leaders in the financial services sector indicated the fear of cyberattacks has derailed their organizations’ digital transformation plans, thus undermining the organizations’ ability to capture opportunities and diminishing their competitive advantage in the burgeoning digital economy.
Despite the fact that cybersecurity will likely be enhanced through the digital transformation process, the majority of respondents (40%) from financial services industry saw their cybersecurity strategy as merely a means to safeguard their organizations against cyberattacks. Only one out of four (25%) sees cybersecurity as a business advantage and an enabler for digital transformation.
- Security as an afterthought: If financial services companies do not view cybersecurity as one of the cornerstones of digital transformation, it will hinder their ability to deliver a “secure-by-design” digital project, thereby leading to products and services with security vulnerabilities.
28% of financial services companies that had fallen victim to a cyberattack considered building a cybersecurity strategy before the start of a digital transformation project, as compared to 35% organizations that have not encountered any cyberattack.
The remaining respondents stated that they either considered cybersecurity after their projects have started, or they did not take cybersecurity into consideration when designing their digital transformation projects.
- Having too many security solutions may lead to longer recovery time: The survey uncovered that financial services companies with fewer than 10 cybersecurity solutions were quicker to recover from cyber incidents than those having 26 to 50 cybersecurity solutions.
This debunks a popular misconception that deploying a large portfolio of cybersecurity solutions will render stronger protection. The reality is that the complexity of managing a large portfolio of cybersecurity solutions may lead to a longer recovery time for cyberattacks.
Cybersecurity concerns thwart digital transformation plans: More than three out of five (63%) of the business and IT leaders in the financial services sector have indicated that the fear of cyberattacks has derailed their organizations’ digital transformation plans, thus undermining the organizations’ ability to capture opportunities and diminishing their competitive advantage in the burgeoning digital economy.
“Cybersecurity is one of the most pressing issues of our time and there are no silver bullets,” said Connie Leung, Senior Director, Financial Services Business Lead – Asia, Microsoft. “The financial services sector is subjected to many laws and regulations relating to cybersecurity. These can be far-ranging and complex. In addition, financial services companies are working to enhance customer experience while applying the required controls. Global digitization combined with unprecedented changes to the financial services business model is mandating transformation. To get there, financial services companies must embrace new digital business models that combine agility and security, with trust at the center.”
Today, Artificial Intelligence (AI) is a weapon of choice for financial services companies to reduce cybersecurity risks. The study reveals that four in five (81%) financial services companies in the region have either adopted or are considering an AI-based approach to complement their cybersecurity strategy.
By rapidly analyzing vast quantities of data and providing actionable insights for cybersecurity professionals, AI-driven cybersecurity architecture enables organizations to accomplish tasks, such as identifying cyberattacks and removing persistent threats like data exfiltration malware, faster than any humans, thus making it an increasingly vital element of any organization’s cybersecurity strategy.