The threat of data breaches continues to grow. The number of U.S. cybersecurity incidents tracked in 2017 hit a record high of 1,579, a 48% increase over 2016, and 8.5% of the breaches reported in 2017 involved the financial sector, affecting organizations such as banks, credit unions and credit card companies. The global financial sector has always been a primary target for cyberattacks because of the tremendous value of the information and assets these organizations control. In fact, financial services firms are reported to be hit by cyberattacks 300 times more frequently than businesses in other industries.
Certain attacks against the financial sector, including Distributed Denial of Service (DDoS) attacks, continue to increase in both size and frequency. Social engineering, including spearphishing, is another technique cybercriminals increasingly use to gain a foothold inside financial organizations. The campaign dubbed "Carbanak," first documented publicly in 2015, targeted roughly 100 banks in 30 countries and is estimated to have stolen about $1.3 billion over an 18-month period. The attackers sent spearphishing emails that led bank employees to open malicious attachments; the resulting malware gave the group persistent access to bank networks, from which they studied internal procedures and moved money out. Carbanak underscores the critical threat that spearphishing and other forms of social engineering pose to the financial sector.
High cost of cybersecurity incidents
A recent report from the Ponemon Institute and IBM found that the average total cost of a data breach in the U.S. reached a record high of $7.35 million in 2017 across all industries, up 5% from 2016. While that figure is already alarming, breaches in the financial sector cost substantially more. For example, the average cost to U.S. businesses per record lost or stolen in a breach was $225 across all industries in 2017, but for financial organizations it was $336, roughly 49% higher.
The specific types of attacks frequently used against financial entities likely contribute to these higher costs. For example, malware attacks cost financial organizations an average of approximately $825,000 to resolve. For DDoS attacks, which in this sector typically target customer-facing online banking services, the average cost rises to approximately $1.8 million. DDoS attacks also disrupt the customer-facing resources of financial organizations more severely than those of other sectors, because customers expect uninterrupted access to their accounts.
These costs grow further when cybersecurity incidents damage brand loyalty and trust, which in turn drives customer churn. According to the Ponemon Institute and IBM, companies that experienced less than 1% customer churn after a breach had an average total breach cost of $5.3 million, while those that experienced churn greater than 4% had an average total cost of $10.1 million. This should be especially concerning for financial organizations, which experience the highest rate of customer churn following a data breach of any industry. Unsurprisingly, one out of every five financial institutions cites damaged brand trust or reputation as its top concern about data breaches.
Real danger of losing customers
A 2016 survey of identity theft and fraud victims found that 12.3% of respondents left their credit unions, 28% left their banks, and 22.4% left their credit card companies as a result of unauthorized activity on their accounts. The danger of customer churn for financial organizations that experience a cybersecurity incident is very real, and protection against cyber threats should therefore be a top priority – as it should be for companies in all industries.
Strategies for taking care of cybersecurity incidents
As the number and severity of cyberthreats increase on a daily basis, raising awareness of these risks among financial institutions has fortunately proven largely successful. Some financial organizations have reported that simply hearing about cyber incidents impacting other entities in the sector has influenced them to invest more in their own security. Other top reasons cited for increased cybersecurity investment include upper management wanting to improve defenses, experiencing a cyberattack and customer demand.
While there is no one-size-fits-all approach to improving cybersecurity for financial organizations, any company can follow general best practices and tailor them to its own needs. Wider adoption of these practices is needed: 75% of businesses surveyed in 2016 indicated that they did not have a formal cybersecurity incident response plan, and 66% of respondents were not confident in their organization's ability to recover from an attack. These numbers are alarming, and frankly there is no excuse for any company not to have a data breach response plan in place, regardless of the sector in which it operates. Beyond a breach response plan, many institutions are now exploring cyber risk insurance or cyber liability insurance, which mitigates risk exposure by offsetting the costs of recovery after a cybersecurity incident.
Financial companies should also implement strategies to limit customer fallout after a breach. One example is offering customers resources to help resolve problems stemming from a cyberattack, such as an identity protection offering that includes resolution services. Return on investment for these offerings can be significant, as they help preserve customer trust and reduce churn. Moreover, a recent consumer survey found that 50% of respondents would prefer to purchase identity protection services from a financial institution they already do business with, since they already trust these organizations with their sensitive information. Some identity protection providers allow their platforms to be white labeled, so financial organizations offering these services can strengthen their brand while protecting both customers and employees against fraud.
Don’t forget that employees may be the weakest link
While financial organizations are beginning to adopt better cybersecurity practices for their technology systems and other resources, they often fail to invest equally in their employee base, which may be the greatest cyber risk of all. Hacking, skimming and phishing attacks account for more than half of all data breaches affecting financial entities, and many of these begin with spearphishing aimed at management teams. The Internal Revenue Service reported a 400% increase in phishing and malware incidents during the 2016 tax season alone. Other leading causes of data breaches include accidental email or Internet exposure and other employee error.
Financial institutions should address cyber threats posed by their own employees by providing sufficient education about procedures for identifying and responding to risks, while adhering to applicable regulatory and compliance policies. Return on investment for employee education programs can be substantial. For example, the Ponemon Institute calculated the effectiveness of anti-phishing training programs and found that the average program resulted in a 37-fold return on investment, even when taking lost productivity into account.
As with their customers, financial organizations can promote cybersecurity awareness and foster a culture of best practice by offering employees access to security resources, or even identity protection services, as employee benefits. Investing in cybersecurity comprehensively is critical, and certain well-known financial institutions are leading the charge. For example, Bank of America Merrill Lynch has taken a “blank check approach”; in other words, it has removed budgetary restrictions from its cybersecurity spending, as the company recognizes the importance of protecting against cyber threats.
Invest in customers and employees for comprehensive approach
The only guarantee in today's cyber landscape is that attackers will continue to find new ways to infiltrate networks at financial institutions, and indeed at organizations of all types. Financial companies must therefore implement best practices to protect against data breaches and be prepared to resolve the issues that arise when a cyberattack does occur. Technology controls such as multifactor authentication or biometric credentials are critical, but investments in resources for both customers and employees are just as important. This comprehensive approach is the only way to effectively combat today's cyber threats.