A 2015 study by the Ponemon Institute and Hewlett Packard Enterprise found that, of all industries, financial services suffered the highest average cost of cyber crime globally. Last year, the annualized average cost of cyber crime in the financial sector was $13.5 million, followed by the utilities and energy sector ($12.8 million).
Banks, investment companies, and insurers are prime targets for cyber criminals because of the money and information they hold. In a global risk survey, Deloitte found that cyber exposures rank second only to regulatory/compliance concerns among the types of risk that financial services institutions (FSIs) believe will increase the most in importance for their companies. Many FSIs are struggling to keep up with this growing threat.
In order to get a better understanding of the challenges FSIs face when dealing with cyber threats, the Deloitte Center for Financial Services talked to cyber risk experts and technology and risk management specialists from across the industry. In its report “Taking cyber risk management to the next level: Lessons learned from the front lines at financial institutions,” Deloitte shares the insights gleaned from the interviews, which could help other institutions get a better handle on their cyber security challenges and strategies.
While the interviewees did not always agree on their main challenge, there are key areas of consensus.
Money is no object, with cyber security budgets rising dramatically over the past few years. One of the respondents said his cyber security budget had gone up 75 percent over the last three years, while another said his budget doubled after a competitor suffered a major breach. Here in the Philippines, banks also scrambled to review and fine-tune their internal controls, no doubt boosting security budgets in some cases, after the biggest money laundering operation hit newspaper headlines. Money is not a problem. The challenge for chief information security officers (CISOs) is executing their strategies and communicating the return on investment (ROI) of their risk management programs.
Many of the CISOs Deloitte spoke with said that while they have the budget to deploy new tools and systems as needed, they often lack people with the necessary skills and capabilities to execute and manage these solutions.
We see a similar challenge here in the Philippines. One of the speakers at The Manila Times’ business forum last month said that, of the entire combined personnel of the country’s two agencies tasked with dealing with cyber crime, the police and the bureau of investigation, perhaps not even 2 percent have adequate knowledge of how to handle a cyber crime investigation.
Now, while budgets are still flexible—a number of those interviewed admitted that the current pace of cyber security budget increases is not sustainable—CISOs should invest in talent development as well as in a true cyber security game plan that is aligned with their company’s business and technology strategies. CISO teams should see what works and what doesn’t before adding or substituting new security technologies as they are introduced to market.
In tandem with talent development, companies have to invest in creating a cyber-risk-aware culture; but in this effort, pure web-based instruction is not enough. Another speaker at The Manila Times’ forum recommended subjecting employees to phishing tests, i.e., deliberately sending phishing e-mails to some employees to check if they know how to safely handle such scams. This training process should also include education of third parties, such as business partners and vendors that could, unwittingly, compromise an FSI’s systems.
A majority of CISOs feel they are juggling too many responsibilities and priorities. With the shortage of skilled talent to handle cyber threats, it’s no surprise CISOs report feeling overwhelmed by the enormity of their responsibility. One executive of a major FSI said his company faces between 5,000 and 6,000 attempted intrusions a day, estimating that about 1 out of every 20 people who access its systems is trying to steal something.
For CISOs, there is never enough time to address everything they are expected to accomplish. And many complain about the time they devote to basic legacy system remediation and compliance work, time they could use for addressing broader, longer-term challenges such as developing advanced analytics to better anticipate attacks.
This challenge may be something CISOs will have to learn to live with: they will be continually called upon to up their game as cyber threats grow in number and sophistication. But they don’t have to defend their companies on their own.
Having a cyber security plan that is integrated across the overall enterprise means having an accountability model where multiple departments play a key role as part of the first line of cyber defense. An oversight committee comprising the chief information officer, chief operating officer, chief risk officer, line-of-business (LOB) officials, legal representation, and other relevant stakeholders could undertake this responsibility.
CISOs are striving to innovate in a multitude of ways. Another issue that has overwhelmed CISOs is, ironically enough, the number of tools available to them to defend their companies. Between 2012 and 2015, 1,430 deals totaling $11.46 billion were struck globally to fund cyber security companies. Yet it seems the solutions available in the market are not adequate. One respondent said that the more sophisticated his security detection program becomes, the more vulnerabilities he discovers that need to be resolved. A number of respondents also reported having to work with vendors to create new products because what they want “just doesn’t seem to exist.”
In this environment, it is becoming increasingly difficult for CISOs to decide which products they really need. They also complained of a lack of accountability and resources for introducing threat intelligence that is already available.
With 104 new cyber security companies receiving financing in the first quarter of 2016, it seems product proliferation is another thing CISOs will just have to accept.
Some CISOs Deloitte spoke with said they have taken the initiative to go on field trips to Silicon Valley and other creative hubs to stimulate their thinking on cyber security innovation. At least one FSI has set up an innovation lab in Israel, described by one executive as “the Promised Land” for risk management because of its ecosystem of cyber start-ups and a deep talent pool drawn from military intelligence operations.
The key for these security and risk management experts is to focus their resources on solutions that matter specifically to their organizations and to initiate their own innovation activities in order to stay ahead of the innovation curve. To avoid drowning in the sea of cyber security products, Deloitte also advises CISOs to focus on product integration and lifecycle management: before taking on new security software, understand your organization’s integration challenges. Moreover, do not introduce a product without the talent to support it.
There are more insights in the Deloitte report than I have space for, but based on what I’ve discussed so far, it’s clear that CISOs in FSIs, in particular, face big challenges in their roles as cyber risk managers. They are constantly parrying attacks, and the weapons available to them, while many, may not always be exactly what they need.
On the upside, Deloitte has found that senior leadership and board members are well aware of the seriousness of the exposures their institutions face and have been very supportive of efforts to make FSIs more secure. Here in the Philippines, a major banking industry group is considering creating an anti-financial crime committee that would craft a comprehensive strategy for the entire banking community to avoid a repeat of the money-laundering scandal that came to light a few months back.
As one respondent in the Deloitte study said, “The reality is, cyber security risk management is an ongoing journey, never a destination.” For FSIs, having everyone—from top management to rank-and-file—on board for that journey is key to maintaining the integrity of their institutions.
The author is the Enterprise Risk Services Leader of Navarro Amper & Co., the local member firm of Deloitte Southeast Asia Ltd., a member firm of Deloitte Touche Tohmatsu Limited, comprising Deloitte practices operating in Brunei, Cambodia, Guam, Indonesia, Lao PDR, Malaysia, Myanmar, Philippines, Singapore, Thailand, and Vietnam.