Last week, PricewaterhouseCoopers (PwC) released a preview of its Global State of Information Security Survey (GSISS) 2015, which revealed that financial service companies plan to spend more — much more — on cybersecurity over the next two years. The full report is now available for download, and it’s time to take a closer look at the findings.
The Big Picture
Pulling back the lens, PwC found that cybersecurity “is no longer an issue that concerns only information technology and security professionals; the impact has extended to the C-suite and boardroom.” Financial cybercrime targets now extend beyond banks and credit unions, with the survey noting that more than half of stock exchanges worldwide have been victimized. In fact, the threat is so dire that the U.S. Securities and Exchange Commission plans to evaluate the cybersecurity preparedness of more than 50 large broker-dealers and investment advisers. Meanwhile, Asian companies that do not comply with Singapore’s Personal Data Protection Act are subject to fines of over $780,000.
Digging into the PwC data on financial service companies, it is clear that risks are on the rise. The survey, which asked 758 financial institutions about the number of detected security incidents, reported that the total number of adverse incidents that threaten “some aspect of computer security” rose 8 percent compared to 2013. The costs of these breaches also grew by 24 percent, with big losses leading the way. The number of firms reporting losses between $10 million and $19.9 million increased by 141 percent compared to last year.
However, the survey also found that cybersecurity spending hasn’t kept pace. While PwC’s 2014 Annual CEO Survey noted that 48 percent of CEOs worldwide are now concerned with cyberthreats, the new report discovered global information security budgets have stalled for the past five years. Overall, the GSISS found that as security incidents rise, spending tends to fall; one theory is that more targeted security practices have “enabled organizations to strategically optimize spending.” The idea here is to replace scattershot security measures with strategic investments “that are most relevant to today’s advanced attacks,” including tools that predict, prevent and detect attacks to minimize overall impact.
The Bottom Line for Financial Service Companies
For financial service companies, however, more spending remains an integral part of the security equation. As noted by a recent IP Watch article, pure spending is just one part of an effective defense. To combat advanced security threats, companies also require buy-in from top leadership, policies for handling sensitive information and input from all business divisions.
PwC found that 71 percent of financial services respondents said incident-management response processes were important components of any cybersecurity strategy. Meanwhile, 69 percent said classifying business value data was essential, and 59 percent wanted better risk assessments on internal systems.
Ultimately, PwC recommends that financial service companies — from stock markets to big banks and small investment firms — focus on linking security and risk. This means companies should ask themselves the following five questions:
- How much revenue would be lost in a cyberattack?
- Are there capabilities in place to deal with this kind of attack?
- Have critical assets been identified?
- Is the business resilient enough to handle an attack?
- Where do cybersecurity investments have the biggest impact?
While it is impossible to prevent every cyberattack, PwC found that businesses with better-than-average security awareness report significantly lower average costs. For financial service companies, this awareness comes from a combination of increased spending, intelligent investments and the evolution of cybersecurity best practices.
Image Source: Wikimedia Commons