How financial services boards are addressing top cyber risks

Directors understand their firms are under attack from a proliferating range of threats and recognize high stakes related to consumer trust.

In brief

• More sophisticated risks and expanding attack surfaces necessitate more robust protections.
• “Trust-by-design” principles and “zero-trust” access management are more important than ever.
• Even as regulatory scrutiny increases, boards are focused on empowering cybersecurity leaders and promoting engagement with the business.

For board directors at banks, insurers, and wealth and asset managers, cybersecurity is a top strategic and tactical priority. They are challenging themselves to think differently about cybersecurity, in line with market disruptions and with business objectives.

At our recent event, the major points of discussion included:

• The financial services industry is a leader in cybersecurity, but remains a top target for “bad actors” of all types.
• Intensifying regulatory oversight is centered on data privacy, consumer protections, planned responses to incidents like ransomware and more extensive reporting about breaches.
• Chief information security officers (CISOs) and other cybersecurity leaders are under intense pressure to identify and manage threats, but they often struggle to engage with business leaders as strategic advisors.
• Trust-by-design principles and zero-trust access management are among the leading practices being adopted across the industry.
• The ability to quantify risk and track the progress is critical for companies that want to stay ahead of the latest threats.

Cybersecurity tops the board and C-suite agenda

In the EY CEO Imperative Survey 2019, national and corporate cybersecurity represented the top global challenge to business growth and the global economy.¹ The COVID-19 pandemic only intensified the threats. In one of our cyber forum in-session surveys, a full 85% of participating directors said their organizations were prepared for breaches. A similar proportion of directors, 81%, said they are either very confident (16%) or somewhat confident (65%) that their board has the necessary understanding to fully evaluate the cyber risks facing their organization and the measures it is taking to defend itself.

State of cybersecurity:

• 59% of companies have experienced a significant or material breach in the last 12 months²
• $3.8 million is the average estimated cost per data breach for an organization in 2020³
• $10.5 trillion in damage related to cybercrime is projected to hit annually by 2025⁴
• 6 months is the average length of time it takes companies to detect data breaches, even major ones⁵

Directors clearly see the increasing sophistication of attacks as the biggest challenge to cybersecurity risk management. Nearly two-thirds of respondents to our cyber forum in-session survey cited sophisticated attacks as the top challenge. And as more companies adopt advanced technology, they need more advanced capabilities to manage the unique risks.

More regulatory and political change is coming

Boards also need to be aware of, and prepare for, continued political and regulatory changes. The Biden Administration, the Federal Reserve, the New York Department of Financial Services and other authorities all have passed guidelines or conducted enforcement actions to drive increased accountability and governance of cyber risk. Beyond more extensive data privacy requirements, regulators are interested in where and how CISOs fit into the three lines of defense and the board’s responsibilities when cyber events occur.

Empowering CISOs and cybersecurity teams

Based on increased regulatory conversation around CISOs, boards are paying closer attention to the role of the CISO and the cybersecurity function as a whole. The fundamental question is whether CISOs should function as security guards or strategic advisors who can contribute to innovation and growth.

For their part, CISOs and other cyber leaders are asking how they can modernize cybersecurity practices and techniques to meet risk appetites. However, the formidable challenges faced by many CISOs are not well recognized across organizations or boardrooms. Given the pressures, it’s no wonder the average tenure for CISOs is estimated at 18 to 26 months.⁶

For CISOs to be viewed as business enablers, they must collaborate early and often with development and innovation teams to embed strong security principles with new applications and enhanced experiences. The most effective CISOs handle the business-oriented and tech-driven parts of their jobs equally well, a particularly important balance in financial services.

More data and knowledge on — and available to — the board

While boards recognize the need to be more informed, our cyber forum in-session survey showed only 33% of board members are very satisfied with the cyber reporting they receive. Additionally, board members consider improved reporting their top priority in enhancing the oversight of cybersecurity.

When it comes to board reporting, defining the right objective metrics and delivering them on a sufficiently frequent basis are challenges. It is important to use a variety of techniques to quantify cyber risk and calculate the risk exposure and how it can be reduced through targeted investments.