Financial services firms today are under almost constant cyber threat. According to a University of Maryland report, computer networks are being attacked every 39 seconds. Given that the average cost of a cyber-related data breach in 2018 was $7.5 million per incident — up from $4.9 million in 2017 — the urgency to close compliance gaps is high.
Benchmarking your firm’s cybersecurity program against those of your peers is a smart way to identify the compliance gaps your firm should address. ACA Aponix recently partnered with the National Society of Compliance Professionals (NSCP) to conduct the 2018 NSCP / ACA Aponix Cybersecurity Compliance Programs Survey. The goal of the survey, which received over 200 responses, is to provide financial services firms the opportunity to gain insight into cybersecurity compliance programs across the industry.
During a recent webcast, I spoke with Steve Blossom, Senior Principal Consultant at ACA Aponix, about the key findings from the survey. ACA also put together a report that contains in-depth results and analysis from the survey. You can download the full report here.
Below are some highlights from the survey.
Cybersecurity is a Serious Risk to All Firms
Not surprisingly, 80% of the survey’s respondents strongly agree that cybersecurity concerns are a serious risk, regardless of the firm’s size. This is up by about 10% from last year’s survey. Compliance is particularly important in the financial services industry given it is the most targeted industry for security incidents according to IBM’s 2018 Report.
Assessing Vendor Risk is a Challenge
Third-party risk management is nascent for many firms, and the number of vendors they assess varies with firm size, as expected. Among survey respondents, 57% conduct diligence on key vendors annually. In addition, 79% of firms rely on external audit reports or on questionnaires for diligence. On-site data center visits are declining as more firms are migrating to cloud storage solutions and leveraging audit reports/questionnaires.
Cybersecurity Risk Assessments Remain a Top Budget Priority
In our 2017 cybersecurity compliance programs survey, respondents anticipated cybersecurity testing/assessments would be their biggest security spend in 2018, which also proved to be true in our 2018 survey.
Respondents also expect to more than double their spending on vendor management efforts over the next 12 months. In addition, respondents predict they will spend less this year on core IT controls such as email spam filtering, anti-virus software, and wireless network security. Why? Likely because they have already upgraded these tools over the past 12-24 months.
Firm Size Correlates to Data Loss Controls
A significant number of small firms responded that they do not block any of the three primary data loss/malware vulnerabilities: personal email, file sharing, and social media. However, 50% of all firms block at least one of the three and firms with 500-1000 employees indicated they block all three. Regarding full-disk encryption on laptops, 88% of all firms claim to be in compliance.
Cyber Insurance Adoption – and Coverage – Rates are on the Rise
The number of firms indicating they have purchased cyber insurance inched up slightly in 2018 to 54%. However, the amount of coverage being purchased increased significantly: 39% of firms indicated they maintain more than $5 million in coverage, while most firms indicated they maintained $1-3 million in 2017. Many smaller firms are choosing not to purchase insurance.
Incidents/Breaches Are Common, as are Regulatory Cyber Exams
23% indicated they had suffered an outage or breach due to a cyber incident, with 37% of those incidents being “serious” (an outage lasting more than one hour or resulting in financial harm, e.g., a ransom paid). Not surprisingly, the number of SEC, NFA, and FINRA cyber exams firms reported increased by double-digit percentages.
In our report, The State of Cybersecurity for Financial Services Firms: Results and Analysis from the 2018 NSCP/ACA Aponix Cybersecurity Compliance Programs Survey, we dive deeper into results, analysis, and actionable guidance from the survey. The report covers a variety of cybersecurity themes including attitudes, staffing, spending, testing, regulatory audits, preparation, vendors, cloud usage, and more.
If you have any questions, please contact your ACA Aponix consultant or email us at firstname.lastname@example.org.
How ACA Can Help
ACA Aponix offers the following solutions that can help protect your firm from vulnerabilities and related cybersecurity risk, including: