The importance of cybersecurity has touched almost every industry. Beyond that, robust cybersecurity is table stakes for several sectors, particularly health care and the banking and finance industry. Not only is financial data at risk, but so is customer trust. In banking and finance, trust means everything. 

Yet, consumers are hesitant to share their confidential data. A recent McKinsey survey revealed that no industry achieved a trust rating of 50% for data protection.

Here’s the most sobering stat: 87% of respondents said they’d refuse to do business with any company that they perceived as having weak security practices.

When banking and finance data breaches occur — and they do happen often — they don’t always stem from a bad actor. Often, breaches come from poorly secured third-party apps or a lack of proper user authentication protocols.

Banking and Finance Data Breaches

Several data breaches struck these industries over the last year. What can we learn from them?

In January of 2021, attackers breached the accounts of three million Morgan Stanley corporate customers. The breach, reported in July, involved a third-party vendor. Attackers could access client names and addresses, social security numbers, dates of birth and company names. The bank reported that attackers successfully exploited a vulnerability in the vendor’s server. Although the vulnerability was quickly patched, attackers still managed to obtain a decryption key for the encrypted files.

In December of 2021, crypto exchange Bitmart suffered a large-scale security breach. Attackers made off with $200 million worth of cryptocurrency. And all the bad actors had to do? Steal a single private key.

In November of 2021, online trading platform Robinhood announced a data security incident that affected millions of its customers. The company divulged that an “unauthorized third party” was able to obtain the email addresses of five million people and the full names of two million others. For 310 users, “additional personal information” was stolen. The attackers allegedly demanded a ransom payment following the breach.

How Much Does a Financial Breach Cost in 2022?

According to the 2022 IBM Cost of a Data Breach Report, the finance industry had the second highest average cost per breach, trailing only health care. While the average health care breach costs hit a new record high of $10.10 million (an increase of almost 42% since the 2020 report), financial organizations averaged $5.97 million per breach.

On a positive note, the Cost of a Data Breach report revealed that the average number of days to identify and contain a data breach fell from 287 in 2021 to 277 in 2022, a reduction of 10 days or 3.5%. The average number of days to contain a breach also fell in 2022 — from 75 days in 2021 to 70 days in 2022.


Risks and Challenges for Banking and Finance

Costly data breaches are only one side of the coin.

First, the industry must keep up with evolving digital transformation and technology innovations. Digital services, cloud computing and artificial intelligence (AI) play a key role. To meet customer demand, financial institutions must adopt more new applications, devices and infrastructure components. These, in turn, only increase their attack surface.

Next, banking and finance are subject to more complex regulations with each passing year. Data protection and privacy standards constantly change, and fines for non-compliance increase.

Third-party risk management is critical for any industry. However, banking and finance must be extra vigilant in ensuring vendors and third-party suppliers are secure. Third-party breaches underscore the financial services sector’s potential vulnerability to cyberattacks. After all, the sector increasingly relies on suppliers and vendors who cannot guarantee cybersecurity.

Finally, as the hybrid workplace gains popularity, so does an organization’s risk. Remote and hybrid work presents a more daunting challenge for industries with more critical data to protect.

Lowering Data Breach Costs 

Although the threat landscape is expanding and breaches happen, proactive security measures work. The Cost of a Data Breach report shows how current security strategies can lower the average cost of a breach. 

Security AI and Automation

Organizations that employ security automation like AI, machine learning, analytics and automated security orchestration saved on average $3.05 million per breach compared to firms using no security AI and automation.

Extended Detection and Response 

The 2022 report is the first to examine the effects of Extended Detection and Response (XDR) technologies on the cost of a data breach. Notably, organizations that deployed advanced threat detection and response tools averaged a savings of 9.2% per breach. While these savings may not seem significant, the true impact is realized in the reduction of breach duration — nearly one month.

Incident Response

Companies that have dedicated incident response (IR) teams and test their IR plan significantly reduced the average cost of a data breach by $2.66 million per breach compared to those with no IR team or no IR testing in place.

Risk Quantification

Risk quantification can highlight financial loss types by impact, loss of productivity, cost of response or recovery, reputation impact and fines and judgments. Companies using risk quantification saved $2.10 million per breach on average versus those that don’t.

Zero Trust 

The zero trust approach assumes that user identities or the network itself may already be compromised. Instead, it relies on AI and analytics to continuously validate connections between users, data and resources. Not surprisingly, zero trust has a net positive impact on data breach costs, saving companies with a mature zero trust deployment $1.51 million on average per breach versus those with early adoption of zero trust.
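To make the "continuously validate" idea concrete, here is an added example of a per-request access decision in the zero trust style described above. It is illustrative code written for this article, not IBM's or any vendor's implementation. The signal names (MFA status, session age, device posture, location change) and the sensitivity thresholds are assumptions; the sample requests are constructed. The point it shows is that nothing is trusted because of where a connection comes from, that every request is judged afresh, and that an earlier "allow" is not carried forward once a signal changes.

```python
"""Per-request access decisions in the zero trust style (illustrative only).

Hypothetical example, not the code of any product mentioned above. Every
request is evaluated against the identity, device and resource signals at
that moment; an earlier 'allow' is never reused for a later request.
"""
from dataclasses import dataclass
from enum import Enum


class Sensitivity(Enum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2  # e.g. customer PII or account data


@dataclass(frozen=True)
class Signals:
    """Assumed signals from an identity provider and a device-posture agent."""
    user_id: str
    mfa_verified: bool
    session_age_s: int        # seconds since the last strong authentication
    device_managed: bool      # enrolled in device management
    device_patched: bool      # passes the patch/compliance check
    geo_changed: bool         # location differs from the last verified auth


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: tuple            # denial reasons; empty when allowed


# Assumed re-authentication windows per resource class (constructed values).
MAX_SESSION_AGE = {
    Sensitivity.PUBLIC: 24 * 3600,
    Sensitivity.INTERNAL: 8 * 3600,
    Sensitivity.CONFIDENTIAL: 15 * 60,
}


def decide(sig: Signals, resource: Sensitivity) -> Decision:
    """Evaluate one request. Network location grants nothing; every check
    for this resource's sensitivity must pass, and any failure denies."""
    if resource is Sensitivity.PUBLIC:
        return Decision(True, ())
    reasons = []
    if not sig.mfa_verified:
        reasons.append("mfa_required")
    if sig.session_age_s > MAX_SESSION_AGE[resource]:
        reasons.append("reauthentication_required")
    if resource is Sensitivity.CONFIDENTIAL:
        # Stricter posture checks only for the most sensitive data.
        if not sig.device_managed:
            reasons.append("unmanaged_device")
        if not sig.device_patched:
            reasons.append("device_noncompliant")
        if sig.geo_changed:
            reasons.append("location_change_unverified")
    return Decision(not reasons, tuple(reasons))


def continuous_check(sig_stream, resource):
    """Re-run decide() as signals change during a session. Returns the list of
    decisions; the caller cuts the connection at the first deny."""
    decisions = []
    for sig in sig_stream:
        d = decide(sig, resource)
        decisions.append(d)
        if not d.allow:
            break  # revoke: a previous allow does not persist
    return decisions


if __name__ == "__main__":
    # Constructed sample session: valid, then the user's location changes.
    ok = Signals("analyst-01", True, 300, True, True, False)
    moved = Signals("analyst-01", True, 300, True, True, True)
    for d in continuous_check([ok, moved, ok], Sensitivity.CONFIDENTIAL):
        print("ALLOW" if d.allow else "DENY", d.reasons)
```

In a real deployment the signals would come from the identity provider and endpoint agent rather than being constructed, and the deny reasons would feed detection and the user's re-authentication prompt; the structure of the decision function is what the paragraph above describes.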

These statistics provide the dose of optimism the industry needs. As more organizations invest in proactive security strategies and better cloud management practices, the impact and risk of a data breach can be reduced. 
