Cybersecurity for Banks Report

A SPECIAL REPORT FROM THE EDITORS AT CYBERSECURITY VENTURES

Q3 2015

The Cybersecurity for Banks Report provides trends, statistics, best practices, and resources for bank chief information security officers (CISOs) and IT security staff.

BANKING

Banking and financial services is fastest growing non-government cybersecurity market

  • According to the “Banking & Financial Services Cybersecurity: U.S. Market 2015-2020 Report”, published by Homeland Security Research Corp. (HSRC), the 2015 U.S. financial services cybersecurity market will reach $9.5 billion, making it the largest non-government cybersecurity market. In addition, the report concludes that this market will be the fastest growing non-government cybersecurity market, exceeding $77 billion in cumulative 2015-2020 revenues.
  • Consulting firm PwC stated that financial services companies will increase their cybersecurity spending by $2 billion over the next two years. PwC surveyed 758 banks, insurers, and other financial services companies, and stated they collectively spent $4.1 billion on cybersecurity in 2014.
  • In a recent live on-air interview from Davos, Switzerland on Bloomberg’s Market Makers, Bank of America Corp. CEO Brian Moynihan said the nation’s second largest lender will spend $400 million on cybersecurity this year… and it is the first time in 20 years of corporate budgeting he has overseen a business unit with no budget. Moynihan said the only place in the company that doesn’t have a budget constraint is cybersecurity.
  • The Wall Street Journal recently reported that J.P. Morgan Chase & Co. is going to accelerate its timeline for a cybersecurity spending boost – and the bank expects cybersecurity spending to double to $500 million in 2016. In an earlier article, WSJ reported that Citigroup Inc.’s annual cybersecurity budget has risen to more than $300 million, and Wells Fargo spends roughly $250 million annually on cybersecurity.
  • A recent article in Infosecurity Magazine stated that financial services firms are hit by security incidents a staggering 300 times more frequently than businesses in other industries.
  • Deloitte states that the financial services sector faces the greatest economic risk related to cybersecurity. In the “Deloitte 2015 Banking Outlook”, the firm says that, to improve cybersecurity in 2015, banks will be forced to devote greater resources to enhancing the security, vigilance, and resilience of their cybersecurity model and should consider: adopting new methods, such as war gaming, attracting specialized talent, and increasing collaboration with other members of the ecosystem; beefing up their intelligence apparatus to detect new threats in a timely manner; and expanding the role of the CISO to include clear and prompt communications with the board.
  • The Wall Street Journal reported that in his testimony at a congressional hearing recently, Frank Cilluffo, Director of the Center for Cyber and Homeland Security at George Washington University, cited figures that he said were provided to him recently by a major, unnamed U.S. bank. He said that in just the last week (at that time), this firm had faced 30,000 cyberattacks. “This amounts to an attack every 34 seconds, each and every day,” Mr. Cilluffo said. He added that about 22,000 of them came from criminal organizations and about 400 from nation-states.
  • The biggest security threats to banks last year were web app tampering, distributed denial-of-service attacks, and the increased use of payment card skimmers, according to “Verizon’s Data Breach Investigations Report”. These three categories of attacks made up three-quarters of security incidents targeting banks.
  • According to the “Semiannual Risk Perspective from the National Risk Committee”, published in Spring 2015 by the Office of the Comptroller of the Currency (OCC) in Washington, D.C., operational risk is high as banks adapt business models, transform technology and operating processes, and respond to increasing cyber threats. Banks may not incorporate resiliency considerations, including recovery from cyber events, into their overall governance, risk management, or strategic planning processes, increasing their vulnerability (to cyber-attacks). Banks and their employees, customers, and third-party service providers continue to be vulnerable to cyber attacks that can compromise data or systems or allow criminals to illegally obtain personally identifiable information.
  • According to the “2015 Travelers Business Risk Index”, published by The Travelers Companies, Inc., cyber risks are the top concern in the banking and financial services sector. 80 percent of these business leaders say they are worried about this risk, far ahead of the 58 percent average across all other sectors. The industry has addressed risks with written business continuity plans (78 percent), data security review procedures (68 percent), and data breach response plans (63 percent).
  • The Depository Trust & Clearing Corporation (DTCC) recently announced that almost half of the respondents (46 percent) in its most recent “Systemic Risk Barometer Study” cited cyber security as their top concern and 80 percent of respondents rated it as a top 5 risk overall. The cyber security rating has almost doubled in just one year as security incidents continue to rise across the financial markets, with specific respondent feedback citing the growth in the “frequency and sophistication of cyber attacks”.
  • The Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, has issued a Cybersecurity Assessment Tool that institutions may use to evaluate their risks and cybersecurity preparedness. The Office of the Comptroller of the Currency (OCC) examiners will gradually incorporate the Assessment into examinations of national banks, federal savings associations, and federal branches and agencies (collectively, banks) of all sizes. The Assessment helps banks and examiners determine a bank’s inherent risk profile and level of cybersecurity preparedness.
  • JD Supra recently reported that with data breaches and cyber crime on the rise, the FFIEC has made cybersecurity a top priority. The Cybersecurity Self-Assessment Tool is just one piece of the cybersecurity puzzle being considered by the FFIEC in the wake of a survey conducted last year on more than 500 institutions to assess their current data security practices. Based on those findings, the FFIEC and its member regulators are also working on incident analysis, crisis management, training and policy development with respect to cybersecurity preparedness, as well as improvements in the area of collaborations with other agencies to communicate the importance of and best practices for cybersecurity.

CYBERSECURITY VENTURES

Steven C. Morgan, Editor-In-Chief

    Steve Morgan is Founder and CEO at Cybersecurity Ventures, and Editor-In-Chief of the Cybersecurity Market Report and the Cybersecurity 500 list of the world’s hottest and most innovative cybersecurity companies. Steve writes the weekly Cybersecurity Business Report for IDG’s CSO, and he is a contributing writer for several business, technology, and cybersecurity media properties.
    © 2015 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.
