The importance of cybersecurity has touched almost every industry. Beyond that, robust cybersecurity is table stakes for several sectors, particularly health care and the banking and finance industry. Not only is financial data at risk, but so is customer trust. In banking and finance, trust means everything.

Yet, consumers are hesitant to share their confidential data. A recent McKinsey survey revealed that no industry achieved a trust rating of 50% for data protection.

Here’s the most sobering stat: 87% of respondents said they’d refuse to do business with any company that they perceived as having weak security practices.

When banking and finance data breaches occur — and they happen often — they don’t always stem from a sophisticated attacker. Often, breaches come from poorly secured third-party apps or a lack of proper user authentication controls.

Banking and finance data breaches

Several data breaches struck these industries over the last year. What can we learn from them?

In January of 2021, attackers breached the accounts of three million Morgan Stanley corporate customers. The breach, reported in July, involved a third-party vendor. Attackers could access client names and addresses, Social Security numbers, dates of birth and company names. The bank reported that attackers successfully exploited a vulnerability in the vendor’s server. Although the vulnerability was quickly patched, attackers still managed to obtain a decryption key for the encrypted files.

In December of 2021, crypto exchange Bitmart suffered a large-scale security breach. Attackers made off with $200 million worth of cryptocurrency. And all the bad actors had to do? Steal a single private key.

In November of 2021, online trading platform Robinhood announced a data security incident that affected millions of its customers. The company divulged that an “unauthorized third party” was able to obtain the email addresses of five million people and the full names of two million others. For 310 users, “additional personal information” was stolen. The attackers allegedly demanded a ransom payment following the breach.

How much does a financial breach cost in 2022?

According to the 2022 IBM Cost of a Data Breach Report, the finance industry had the second highest average cost per breach, trailing only health care. While the average health care breach cost hit a new record high of $10.10 million (an increase of almost 42% since the 2020 report), financial organizations averaged $5.97 million per breach.

On a positive note, the Cost of a Data Breach report revealed that the average number of days to identify and contain a data breach fell from 287 in 2021 to 277 in 2022, a reduction of 10 days or 3.5%. The average number of days to contain a breach also fell in 2022 — from 75 days in 2021 to 70 days in 2022.


Risks and challenges for banking and finance

Costly data breaches are only one side of the coin.

First, the industry must keep up with evolving digital transformation and technology innovations. Digital services, cloud computing and artificial intelligence (AI) play a key role. To meet customer demand, financial institutions must leverage more new applications, devices and infrastructure components. These, in turn, only increase their attack surface.

Next, banking and finance are subject to more complex regulations with each passing year. Data protection and privacy standards constantly change, and fines for non-compliance increase.

Third-party risk management is critical for any industry. However, banking and finance must be extra vigilant in ensuring vendors and third-party suppliers are secure. Third-party breaches underscore the financial services sector’s potential vulnerability to cyberattacks. After all, it increasingly relies on suppliers and vendors who cannot guarantee cybersecurity.

Finally, as the hybrid workplace gains popularity, so does an organization’s risk. Remote and hybrid work presents a more daunting challenge for industries with more critical data to protect.

Lowering data breach costs

Although the threat landscape is expanding and breaches happen, proactive security measures work. The Cost of a Data Breach report shows how current security strategies can lower the average cost of a breach.

Security AI and automation

Organizations that employ security automation like AI, machine learning, analytics and automated security orchestration saved on average $3.05 million per breach compared to firms using no security AI and automation.

Extended detection and response

The 2022 report is the first to examine the effect of Extended Detection and Response (XDR) technologies on the cost of a data breach. Notably, organizations that deployed advanced threat detection and response tools averaged a savings of 9.2% per breach. While these savings may not seem significant, the true impact is realized in the reduction of breach duration — nearly one month.

Incident response

Companies that have dedicated incident response (IR) teams and test their IR plan significantly reduced the average cost of a data breach by $2.66 million per breach compared to those with no IR team or no IR testing in place.

Risk quantification

Risk quantification breaks potential financial loss down by type: direct impact, lost productivity, cost of response and recovery, reputational damage, and fines and judgments. Companies using risk quantification saved $2.10 million per breach on average versus those that don’t.

Zero trust

The zero trust approach assumes that user identities or the network itself may already be compromised. Instead, it relies on AI and analytics to continuously validate connections between users, data and resources. Not surprisingly, zero trust has a net positive impact on data breach costs, saving companies with a mature zero trust deployment $1.51 million on average per breach versus those with early adoption of zero trust.

These statistics provide the dose of optimism the industry needs. As more organizations invest in proactive security strategies and better cloud management practices, the impact and risk of a data breach can be reduced.
