Security and business reputation: a relationship in transition
The reputation of any financial services organization rests squarely on trust, security and professional integrity. A breach of any one of these profoundly damages the belief of markets, investors and customers in the other two.
Every financial services organization is engaged at some level in modernizing itself to remain fit for its twenty-first century purpose. At the heart of this endeavor is the pervasive switch to digital technologies in every part of the organization, creating a fundamentally new dependency on digital systems and processes. With this new enterprise-wide dependency comes new risk, as well as new opportunity.
The risks have long been recognized and reflected in modernized business and technical controls, better integrated governance, risk and compliance management and, critically, in Board-level oversight of the organization’s performance in containing and mitigating them.
Despite these responses, some complicating factors have emerged to challenge the sector’s overall management of pervasive digital risk:
- New technologies are maturing and converging at a much faster rate and are being delivered through many different channels, particularly third-party Cloud services and mobile devices.
- The demands placed on the organization to exploit them have increased steeply, as business leaders demand investment to become more competitive, creating both the emergence of ‘business-led IT’ and greater pressure on IT to bring new technologies rapidly into the organization.
- The level of scrutiny from industry regulators has been overlaid by that of governmental bodies, probing for the reasons why digital risks turn too frequently into digital issues, seen in high profile service outages, system upgrade failures, data corruption and customer losses.
- The technical operating environment has become less predictable through the efforts of malign actors, from state-sponsored programs to individual hackers, all of whom work tirelessly to disrupt the smooth working of public and private sector organizations for personal gain, political advantage or both.
The results of these complicating factors are all too well known
They include large-scale cyber theft enabled by stolen bank account details; cyber-related card fraud, in which stolen credit card details are used to perpetrate Card Not Present fraud; and online customer applications and services taken out of service for prolonged periods, creating ill-will, financial disruption for business and personal customers, and unwanted attention from regulators and government.
No financial services organization chooses to leave itself vulnerable to digital risk. Every forward-looking financial services organization strives to operate as securely as it can, to safeguard its reputation, delight its customers and so improve its standing with investors, regulators and wider publics.
This is not just enlightened self-interest. It is a clear recognition that high performance in security, without exaggeration, is the lifeblood on which the long-term prosperity of the sector now depends.
The sector is under attack
Financial Services has consistently proved to be the most cyber-attacked sector in many developed and developing economies, for the simple reason that banks hold vast stores of wealth on behalf of their customers, market organizations trade billions in securities every day, and insurance companies hold huge reserves both to service claims and to invest for capital returns.
Whilst the specifics of data security performance may vary, the key trends for Financial Services are sobering:
- Data breach recovery costs are going up. The financial services sector globally has an estimated $701m at risk from cybercrime-derived losses in the period 2019-23 alone; more than Utilities, Energy or Defense; more than Healthcare, Industrial Equipment or Retail. The direct cost per financial services record lost is increasing, standing at $245, up 23% on its four-year average. The indirect costs of cyber-derived losses are generally at least as great as the direct costs of technical and business remediation; in major Western economies they range between c. 120% and 180% of the direct costs.
- Bigger breaches mean higher costs. The direct and indirect costs of correcting a data breach accelerate in line with the size of the breach, expressed in thousands of lost records. Data breaches of more than 50,000 records cost on average $6.3m to correct.
- Customer losses are abnormally high. Abnormal customer attrition following a data breach is higher in financial services globally than in any other sector of the economy, averaging 7.5% and exceeding even Healthcare, Services and Technology companies. The associated lost-business costs (increased customer recruitment costs, reputational damage and diminished goodwill) typically run between $1m and $4m per organization in major economies.
- Malicious or criminal attack is the most common cause. Malicious or criminal attacks are consistently the most common cause of data breaches in major economies, exceeding either system faults or human error and responsible for between 45% and 60% of total breaches.
- Malicious or criminal attacks are the most costly. Data breaches from malicious or criminal attacks are consistently between 15% and 25% more costly to correct than breaches arising from system faults or human error.
- Time to identify breaches remains stubbornly high. It takes on average between 160 and 214 days globally for an organization to identify a data breach, with malicious or criminal attacks taking the longest to identify and human error the shortest. The longer a breach lies undetected, the more it costs to recover from: on average, long-unidentified breaches add 38% to total recovery costs.
The message for Financial Services is clear
Improvement in the identification and remediation of data breaches is a commercial imperative for the Financial Services sector, both when united in cross-industry information-sharing and as individual institutions defending their own businesses and reputations.
Technologies which improve an organization’s ability to spot and neutralize threats to its systems and their data will:
- drive down the number of breaches suffered
- prevent cyber theft and fraud losses
- avoid the direct costs of escalation, notification and response
- remove the costs and threat of customer attrition
- avoid collateral damage to business reputation
- avoid adverse sentiment from investors
- avoid unwanted attention and censure from the media
- maintain its standing with regulators and government.
Human capital business controls and processes which improve an organization's ability to hire, train and retain its employees and third-party contractors, and to instill professional integrity in them, are also critically important, both to cut the incidence of human error and to reduce the possibility of malign action by a disaffected employee or contractor.
Achieving the shift from an organization which reacts to incidents to one which prevents them from occurring lies at the heart of each of these imperatives.
My thanks to the Ponemon Institute, from which this blog has drawn information and inspiration.