Financial services firms today are under almost constant cyber threat. According to a University of Maryland report, computer networks are being attacked every 39 seconds. Given that the average cost of a cyber-related data breach in 2018 was $7.5 million per incident — up from $4.9 million in 2017 — the urgency to close compliance gaps is high.
Benchmarking your firm’s cybersecurity program against those of your peers is a smart way to identify the compliance gaps your firm should address. ACA Aponix recently partnered with the National Society of Compliance Professionals (NSCP) to conduct the 2018 NSCP / ACA Aponix Cybersecurity Compliance Programs Survey. The goal of the survey, which received over 200 responses, is to provide financial services firms the opportunity to gain insight into cybersecurity compliance programs across the industry.
During a recent webcast, I spoke with Steve Blossom, Senior Principal Consultant at ACA Aponix, about the key findings from the survey. ACA also put together a report that contains in-depth results and analysis from the survey. You can download the full report here.
Below are some highlights from the survey.
Cybersecurity is a Serious Risk to All Firms
Not surprisingly, 80% of the survey’s respondents strongly agree that cybersecurity concerns are a serious risk, regardless of the firm’s size. This is up by about 10% from last year’s survey. Compliance is particularly important in the financial services industry given it is the most targeted industry for security incidents according to IBM’s 2018 Report.
Assessing Vendor Risk is a Challenge
Third-party risk management is nascent for many firms, and the number of vendors they assess varies with firm size, as expected. Among survey respondents, 57% conduct diligence on key vendors annually. In addition, 79% of firms rely on external audit reports or on questionnaires for diligence. On-site data center visits are declining as more firms are migrating to cloud storage solutions and leveraging audit reports/questionnaires.
Cybersecurity Risk Assessments Remain a Top Budget Priority
In our 2017 cybersecurity compliance programs survey, respondents anticipated cybersecurity testing/assessments would be their biggest security spend in 2018, which also proved to be true in our 2018 survey.
Respondents also expect to more than double their spending on vendor management efforts over the next 12 months. In addition, respondents predict they will spend less this year on core IT controls such as email spam filtering, anti-virus software, and wireless network security. Why? Likely because they have already upgraded these tools over the past 12-24 months.
Firm Size Correlates to Data Loss Controls
A significant number of small firms responded that they do not block any of the three primary data loss/malware vulnerabilities: personal email, file sharing, and social media. However, 50% of all firms block at least one of the three and firms with 500-1000 employees indicated they block all three. Regarding full-disk encryption on laptops, 88% of all firms claim to be in compliance.
Cyber Insurance Adoption – and Coverage – Rates are on the Rise
The number of firms indicating they have purchased cyber insurance inched up slightly in 2018 to 54%. However, the amount of coverage being purchased increased significantly – 39% of firms indicated they maintain more than $5 million in coverage, while most firms indicated they maintained $1-3 million in 2017. Many smaller firms are choosing not to purchase insurance.
Incidents/Breaches Are Common, as are Regulatory Cyber Exams
23% indicated they had suffered an outage or breach due to a cyber incident, with 37% of those incidents being “serious” (an outage lasting more than- one hour or resulting in financial harm, e.g., a ransom paid). Not surprisingly, the number of SEC, NFA, and FINRA cyber exams firms reported increased by double-digit percentages.
Full Survey Report
In our report, The State of Cybersecurity for Financial Services Firms: Results and Analysis from the 2018 NSCP/ACA Aponix Cybersecurity Compliance Programs Survey, we dive deeper into results, analysis, and actional guidance from the survey. The report covers a variety of cybersecurity themes including attitudes, staffing, spending, testing, regulatory audits, preparation, vendors, cloud usage, and more.
- Webcast: Discussion of Results: 2018 NSCP / ACA Aponix Cyber Survey
- Report: The State of Cybersecurity for Financial Services Firms: Results and Analysis from the 2018 NSCP/ACA Aponix Cybersecurity Compliance Programs Survey
If you have any questions, please contact your ACA Aponix consultant or email us at email@example.com.
How ACA Can Help
ACA Aponix offers the following solutions that can help protect your firm from vulnerabilities and related cybersecurity risk, including:
- Cybersecurity and technology risk assessments
- Vendor diligence and management
- Penetration testing and vulnerability assessments
- Policies, procedures, and governance
- Threat intelligence
- Mock regulatory cybersecurity exams
About the Author
Raj Bakhru, CISSP, is a Partner at ACA Aponix, the cybersecurity and IT risk division of ACA Compliance Group. ACA Aponix provides cybersecurity and technology risk assessments, vendor and M&A diligence services, network testing, and advisory services. Prior to ACA’s acquisition of the firm, Raj was Chief Executive Officer of Aponix Financial Technologists, which he cofounded. Before that, he led firm-wide software development and was part of the founding team at Kepos Capital, now a $2 billion global macro quantitative asset manager. Prior to Kepos, Raj served as a Vice President at Highbridge Capital, where he led the team building the firm’s proprietary order and execution management system. In addition, he previously worked on research and cross-asset-class algorithmic trading algorithms and software systems at Goldman Sachs Asset Management’s quantitative hedge funds.
Raj earned his BS in Computer Engineering from Columbia University and has received his CFA charter and his CISSP designation. In the course of his career, he has been frequently quoted in Ignites, HFMWeek, MarketWatch, The Cybersecurity Law Report, and other industry-leading publications on information security in financial services.