“Because that’s where the money is” – the classic answer from a bank robber asked why he robbed banks. Today, add “that’s where the data is” to the crime risk facing the financial industry: banks, insurance companies, lenders, investment companies, credit agencies, exchanges and the many third parties that make the money go around.
The financial sector has been a leader in “digital transformation” (in online banking or investing, for instance) but that also raises the size and complexity of the attack surface. Meanwhile, regulators are increasing pressure for proactive disclosure of cyber risk, requiring a sharp eye on risk data.
The new RiskLens Cybersecurity Risk Report for 2023 brings together cyber risk quantification, FAIR risk analysis and our tailored industry data to reveal insights that finance industry risk and security managers, and business leaders need to know to target strategy for cybersecurity in banking and other financial businesses.
Key Points about Cyber Risk in the Financial Industry
Large amounts of PII and PCI data
The digital assets at risk of exfiltration in the finance industry are truly at epic levels as seen in recent data breaches: First American Financial (885 million files), Capital One (100 million), Experian (24 million). As a result, the long tail of costly lawsuits and regulatory actions can entangle an institution for years: Equifax (147 million) only settled last year on 72 lawsuits from its 2017 data breach, paying out $425 million to customers.
According to RiskLens data science research, fines and judgments for data breaches run 80% higher for financial institutions vs. other industries, mostly due to tighter legal penalties.
FFIEC, OCC, FDIC, SEC, CFTC, FinCEN, FTC, the Federal Reserve, NY DFS and other state bank regulators – it’s a long list of watchdogs for this sector, and in recent years they have expanded their purview to include cybersecurity risk management. A key trend that cuts across these agencies: regulators are demanding faster disclosure of material cyber risks and defensible practices for identifying which risks are material.
For instance, the SEC has proposed that public companies report a material cybersecurity incident within four business days of determining that it is material, and provide updates on previously reported incidents that have become “material in the aggregate.” Meeting a deadline like that requires a defensible, repeatable way to decide what “material” means in dollars, which pushes financial institutions toward ongoing programs of cyber risk quantification with a standard model like FAIR™.
High degree of third-party cyber risk
The financial industry is highly interdependent, to the point that Federal Reserve Chairman Jerome Powell has said he is concerned about systemic risk, such as a cyber attack on a major bank “where you would have a part of the financial system come to a halt, or perhaps even a broad part.”
For example, earlier this year, a cyber attack that knocked out ION Trading Technologies, a small firm whose software supports derivatives trade clearing, disrupted business at many large financial institutions. “Few (operational risk) rules exist for the tech companies that run the services, utilities and software that also keep the market humming,” the Wall Street Journal reported. The onus is on financial institutions to quantify cyber risk across a wide range of scenarios, including third-party outages, and to rate the effectiveness of their cybersecurity controls for those scenarios.
Risk themes for the financial industry (detail) from the Cybersecurity Risk Report
Key Findings for the Finance Industry in the RiskLens 2023 Cybersecurity Risk Report Based on Cyber Risk Quantification, FAIR Analysis, and Industry Data
>>Insider Error came in highest among risk themes for average loss exposure (see the explanation note below) at $4.5 million with a 10.4% annual probability, an understandable ranking given the large amount of sensitive personal information that employees handle (or mis-handle). Cloud migration widens the opportunity for error, particularly through misconfigurations.
>>Web Application Attack was the #2 risk theme at $3.6 million (at a 4.4% annual probability). Attackers armed with stolen credentials and probing web applications are a constant threat to financial institutions.
>>Overall, the finance industry ranked fourth among industries for the probability of any form of attack in a year, at 4% with $2.2 million in loss exposure, behind Public Administration, Healthcare and Educational Services.
Get the full details - download the Cybersecurity Risk Report now.
The RiskLens data science team ranks risks by average loss exposure (per risk scenario), summarizing how losses play out probabilistically over 10,000 simulated years and incorporating both the probable cost of an event and its probability of occurrence. The result is an annualized figure in dollars that security and risk teams can use to inform cost-effective spending decisions.
The representative/reference organization used for this simulation study is a mid-sized financial industry organization in North America of 500-1,000 employees and $100M-$1B in revenue with personally identifiable information (PII) records at risk.
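To make the mechanics of the explanation note concrete, here is a small FAIR-style Monte Carlo simulation written for this page. It is an added illustration, not RiskLens code and not the model behind the report: each scenario is given a loss event frequency (derived from an annual probability of at least one event) and a single-event loss magnitude drawn from a lognormal distribution, 10,000 years are simulated, and the scenarios are ranked by average annual loss. The `Scenario` parameters, the Poisson and lognormal assumptions, and the dollar figures are all assumptions chosen for demonstration; the report does not publish its input distributions.

```python
"""Toy FAIR-style Monte Carlo: average loss exposure per risk scenario.

Added example, not RiskLens code. Distributions and dollar inputs are assumed.
"""
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    lef: float            # loss event frequency: expected events per year (assumed Poisson)
    median_loss: float    # median loss of a single event in dollars (assumed lognormal)
    sigma: float          # lognormal spread of the single-event loss magnitude


def lef_from_annual_probability(p: float) -> float:
    """Convert 'probability of at least one event per year' to a Poisson rate.

    With rate lam, P(at least one event) = 1 - exp(-lam); invert that so a quoted
    annual probability such as 10.4% reproduces 10.4% of years with a loss.
    """
    if not 0.0 <= p < 1.0:
        raise ValueError("annual probability must be in [0, 1)")
    return -math.log(1.0 - p)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small event rates typical of cyber scenarios."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def analytic_average(s: Scenario) -> float:
    """Closed-form expected annual loss: rate x mean single-event loss."""
    mu = math.log(s.median_loss)
    return s.lef * math.exp(mu + s.sigma ** 2 / 2.0)


def simulate(s: Scenario, years: int = 10_000, seed: int = 1) -> dict:
    """Simulate `years` years; each year has Poisson(lef) events with lognormal losses."""
    rng = random.Random(seed)          # fixed seed so results are reproducible
    mu = math.log(s.median_loss)       # lognormal median == exp(mu)
    annual = []
    for _ in range(years):
        n = poisson(rng, s.lef)
        annual.append(sum(rng.lognormvariate(mu, s.sigma) for _ in range(n)))
    annual.sort()
    return {
        "average_loss_exposure": sum(annual) / years,
        "p_any_loss": sum(1 for a in annual if a > 0) / years,
        "p90": annual[int(0.90 * years)],   # loss exceeded in 1 year out of 10
        "p99": annual[int(0.99 * years)],   # loss exceeded in 1 year out of 100
        "max": annual[-1],
    }


def rank(scenarios: list, years: int = 10_000, seed: int = 1) -> list:
    """Rank scenarios by simulated average loss exposure, highest first."""
    rows = [(s.name, simulate(s, years, seed)["average_loss_exposure"]) for s in scenarios]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    # Constructed inputs for a mid-sized institution; not the report's figures.
    themes = [
        Scenario("Insider Error", lef_from_annual_probability(0.104), 20_000_000.0, 1.2),
        Scenario("Web Application Attack", lef_from_annual_probability(0.044), 30_000_000.0, 1.2),
    ]
    for name, ale in rank(themes):
        print(f"{name:24s} average loss exposure ${ale:,.0f}")
    for s in themes:
        r = simulate(s)
        print(f"{s.name:24s} p(any loss)={r['p_any_loss']:.3f} "
              f"p90=${r['p90']:,.0f} p99=${r['p99']:,.0f} analytic=${analytic_average(s):,.0f}")
```

Two points a practitioner should take from running it. First, the average loss exposure is dominated by the tail: the 90th percentile year is often zero while the 99th percentile year is many times the average, which is why the report also emphasizes probability alongside the dollar figure. Second, the quoted "annual probability" is the chance of at least one event, not the event rate; `lef_from_annual_probability` makes that conversion explicit so the two are not silently conflated.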
RiskLens offers quantitative cyber risk management solutions built on the FAIR™ standard. Leverage RiskLens to understand your cyber risks in financial terms. Contact us to learn more.