Today's financial institutions are making massive investments across the enterprise to strengthen their overall resilience. From financial resilience to operations resilience, from organizational to supply chain resilience, these initiatives are designed to help institutions operate in the new normal. As each line of business digitizes, these investments rely increasingly on the institution's cyber resilience to manage the risks associated with the growth of digital financial services.
Maintaining a cyber resilience mindset is always imperative for financial services firms. As more financial institutions embrace hybrid work, they face increasingly sophisticated cyber threats targeting hybrid workers, customers, and third-party suppliers across an expanding attack surface. Cyber resilience is confronting a new world where everyone and everything are connecting.
According to a 2022 report by the Ponemon Institute, the average cost of a cyber breach in the financial services industry is close to $6 million. This is significantly higher than the average cost of a cyber breach across all industries, which is approximately $4 million. The risk to financial institutions is higher than in most other industries due to the ancillary impacts of lost consumer trust, regulatory fines, and regulatory restrictions on their business.
Remediation also carries the burden of closer regulatory inspection, which can extend the time it takes to get back to business as usual. In an earlier report, Ponemon found that the average customer churn rate for financial institutions after a data breach is 6.1%. The impact of consumer trust was highlighted by the recent banking crisis in the United States. While not related to cyber security, it demonstrated how quickly a situation can expand to become an existential crisis when confidence is lost.
The Presidential Policy Directive on Critical Infrastructure Security and Resilience - which focused on efforts to strengthen and maintain secure, functioning, and resilient critical infrastructure - recognizes the financial services sector as critical infrastructure. As such, the protocols U.S. financial institutions must follow after a cybersecurity breach have increased and will continue to be scrutinized. Banks must notify their regulator of record "as soon as possible and no later than 36 hours" after they have identified such an incident, per the rule from the FDIC, OCC, and the Fed. Globally, there are indications that regulatory agencies are ramping up their expectations for cyber resiliency toward the scenarios typical of business continuity planning, with similarly aggressive timeframes for remediation being considered.
Recently, a group of large U.S. financial institutions, along with industry advisory bodies, formed the Cyber Risk Institute as part of an ongoing effort to harmonize across various regulations and develop a baseline cybersecurity profile specifically for financial institutions of all sizes. Known as the Cyber Risk Profile, it is based on the NIST Cybersecurity Framework and is freely available to institutions globally at no charge. You can find the profile at www.cyberriskinstitute.org.
At Cisco Live 2023, Cisco introduced new security offerings to assist companies in developing sound security strategies. This comes on the heels of the recently completed RSA security conference, and you can listen to our keynote, "Threat Response Needs New Thinking. Don't Ignore This Key Resource."
In a complex environment of security solutions and regulatory agencies and requirements, Cisco is here to help make sense of it all. I recently sat down with Steven Heinsius to discuss Driving Security Resilience for Financial Services. We discussed some of the following:
It was fun getting together with Steven on this one!
Check out the on-demand webinar:
Driving Security Resilience for Financial Services