Financial Services: Top Target of Cyber-Criminals

Eighty-eight percent of the cyber-security attacks launched against financial services companies are successful in less than a day. But only 21 percent of these attacks are discovered within a day, and only 40 percent of the companies involved are able to restore their business within that one-day time frame, according to a new report from the Deloitte Center for Financial Services.

The consulting firm’s study, “Transforming Cybersecurity: New Approaches for an Evolving Threat Landscape,” points out that the growth in cyber-crime has continued, if not accelerated, in the financial services industry.

U.S. financial services companies lost an average of $23.6 million from cyber-security breaches in 2013—the highest average loss across the 26 industries that cyber-criminals target most often, according to the Deloitte report. It is also 44 percent higher than in 2012, when the industry was ranked third, after the defense industry and the utilities and energy industry.

The report notes that these losses are sometimes not as damaging as cyber-crime’s potentially greater impact on customer and investor confidence, reputational risk and regulatory impact. When put together, the damage caused can add up to substantial risks for financial services companies.

A recent global survey of corporate C-level executives and board members by Ponemon Institute showed that cyber-risk was the world’s third corporate-risk priority in 2013, the Deloitte report notes. The same survey from 2011 ranked cyber-security as only the twelfth highest priority.

How can financial services firms establish programs to be more secure and resilient, and transform their cyber-risk management programs?

Deloitte recommends that companies develop “actionable threat intelligence.” Financial services executives “recognize that becoming a learning organization where intelligence drives actions is likely to be increasingly important for success across multiple dimensions,” the report says. “The realm of cyber-security is no different, as real-time threat intelligence can play a crucial role in enabling security, vigilance and resilience.”

By intelligence, the firm means not only the collection of raw data about known threat indicators, as provided by many vendors in the form of threat-intelligence feeds. “Threat intelligence is also the derivation of meaningful insights about adversaries from a wide range of sources, both internal and external, through automated means, and through direct human involvement,” Deloitte points out.

To be actionable, threat data should be looked at in a context that’s meaningful to the organization. As a financial services firm develops greater maturity in its data gathering and processing capabilities, it can leverage automation to better filter and highlight information that is directly relevant to important risk areas.

“In this way, threat intelligence becomes the foundation on which a firm builds its secure, vigilant and resilient capabilities,” the report states.

Another tool is experience-based learning. Just as cyber-attackers play on their target’s weak spots, so can financial services firms develop a better understanding of the attackers and identify their weaknesses.

“Financial services companies can attempt to learn from past intrusions within both the individual firm and at the industry level,” according to the report. “Many financial services companies can also borrow lessons from other industries, like aerospace and defense, to implement new techniques, playbooks and controls.”