The importance of cybersecurity has touched almost every industry. Beyond that, robust cybersecurity is table stakes for several sectors, particularly health care and the banking and finance industry. Not only is financial data at risk, but so is customer trust. In banking and finance, trust means everything.

Yet, consumers are hesitant to share their confidential data. A recent McKinsey survey revealed that no industry achieved a trust rating of 50% for data protection.

Here’s the most sobering stat: 87% of respondents said they’d refuse to do business with any company that they perceived as having weak security practices.

When banking and finance data breaches occur — and they do happen often — they don’t always stem from a bad actor. Often, breaches come from poorly secured third-party apps or a lack of proper user authentication protocols.

Banking and Finance Data Breaches

Several data breaches struck these industries over the last year. What can we learn from them?

In January of 2021, attackers breached the accounts of three million Morgan Stanley corporate customers. The breach, reported in July, involved a third-party vendor. Attackers could access client names and addresses, Social Security numbers, dates of birth and company names. The bank reported that attackers successfully exploited a vulnerability in the vendor’s server. Although the vulnerability was quickly patched, attackers still managed to obtain a decryption key for the encrypted files.

In December of 2021, crypto exchange Bitmart suffered a large-scale security breach. Attackers made off with $200 million worth of cryptocurrency. And all the bad actors had to do? Steal a single private key.

In November of 2021, online trading platform Robinhood announced a data security incident that affected millions of its customers. The company divulged that an “unauthorized third party” was able to obtain the email addresses of five million people and the full names of two million others. For 310 users, “additional personal information” was stolen. The attackers allegedly demanded a ransom payment following the breach.

How Much Does a Financial Breach Cost in 2022?

According to the 2022 IBM Cost of a Data Breach Report, the finance industry had the second highest average cost per breach, trailing only health care. While the average health care breach costs hit a new record high of $10.10 million (an increase of almost 42% since the 2020 report), financial organizations averaged $5.97 million per breach.

On a positive note, the Cost of a Data Breach report revealed that the average number of days to identify and contain a data breach fell from 287 in 2021 to 277 in 2022, a reduction of 10 days or 3.5%. The average number of days to contain a breach also fell in 2022 — from 75 days in 2021 to 70 days in 2022.

Risks and Challenges for Banking and Finance

Costly data breaches are only one side of the coin.

First, the industry must keep up with evolving digital transformation and technology innovations. Digital services, cloud computing and artificial intelligence (AI) play a key role. To meet customer demand, financial institutions must leverage more new applications, devices and infrastructure components. These, in turn, only increase their attack surface.

Next, banking and finance are subject to more complex regulations with each passing year. Data protection and privacy standards constantly change, and fines for non-compliance increase.

Third-party risk management is critical for any industry. However, banking and finance must be extra vigilant in ensuring vendors and third-party suppliers are secure. Third-party breaches underscore the financial services sector’s potential vulnerability to cyberattacks. After all, it increasingly relies on suppliers and vendors who cannot guarantee cybersecurity.

Finally, as the hybrid workplace gains popularity, so does an organization’s risk. Remote and hybrid work presents a more daunting challenge for industries with more critical data to protect.

Lowering Data Breach Costs

Although the threat landscape is expanding and breaches happen, proactive security measures work. The Cost of a Data Breach report shows how current security strategies can lower the average cost of a breach.

Security AI and Automation

Organizations that employ security automation like AI, machine learning, analytics and automated security orchestration saved on average $3.05 million per breach compared to firms using no security AI and automation.

Extended Detection and Response

2022 is the first time the report examined the effects of Extended Detection and Response (XDR) technologies on the cost of a data breach. Notably, organizations that deployed advanced threat detection and response tools averaged a savings of 9.2% per breach. While these savings may not seem significant, the true impact is realized in the reduction of breach duration — nearly one month.

Incident Response

Companies that have dedicated incident response (IR) teams and test their IR plan significantly reduced the average cost of a data breach by $2.66 million per breach compared to those with no IR team or no IR testing in place.

Risk Quantification

Risk quantification can highlight financial loss types by impact, loss of productivity, cost of response or recovery, reputation impact and fines and judgments. Companies using risk quantification saved $2.10 million per breach on average versus those that don’t.

Zero Trust

The zero trust approach assumes that user identities or the network itself may already be compromised. Rather than trusting them implicitly, it relies on AI and analytics to continuously validate connections between users, data and resources. Not surprisingly, zero trust has a net positive impact on data breach costs, saving companies with a mature zero trust deployment $1.51 million on average per breach versus those with early adoption of zero trust.

These statistics provide the dose of optimism the industry needs. As more organizations invest in proactive security strategies and better cloud management practices, the impact and risk of a data breach can be reduced.
