Cybersecurity: A High-Stakes Gamble For Firms And Clients
Data breaches happen to companies and organizations all the time. The most recent, a data breach at Capital One, left as many as 100 million customers wondering whether their personal and financial information was compromised.
Data breaches like this one make a serious dent in the credibility and trustworthiness of businesses and firms, even large ones like Capital One. Other financial institutions like J.P. Morgan Chase, Equifax and Scottrade have all been victims of cyberattacks.
So, what can firms in the financial services world do better to protect their businesses and their clients’ personal information? It starts with understanding what’s at stake.
Ramifications To Businesses
The cost of a data breach has risen 12% globally over the past five years and now costs $3.92 million on average, according to a Security Today study. These rising expenses reflect the multiyear financial impact of breaches, increased regulation and the complex process of resolving criminal attacks.
The financial consequences of a data breach can be particularly severe for small-to-midsize businesses. According to the study, companies with fewer than 500 employees suffered losses of more than $2.5 million on average — a potentially crippling amount for small businesses, which typically earn $50 million or less in annual revenue.
Data breaches in the U.S. are particularly expensive, costing companies an average of $8.9 million in 2019 alone. The U.S. has the highest cost globally for data breaches, according to an IBM-Ponemon Institute study.
The study found that lost business was the biggest contributor to data breach costs, accounting for an average of $1.42 million lost. For a small firm or business, numbers like this can be devastating, resulting in layoffs or even closures.
A Kaspersky Lab survey on data breaches found that 32% of data breaches resulted in layoffs.
Take, for example, medical billing company, American Medical Collection Agency who filed for bankruptcy after a data breach and cut its staff from 113 to just 25 employees. The company said “enormous expenses” were to blame for the company’s bankruptcy.
Time Is Money
Not only do data breaches cost an exorbitant amount of money, they also tend to linger, dragging costs out over years.
On average, it takes 279 days for a data breach to be identified. According to IBM, the lifecycle of an attack from breach to containment is an average of 314 days, but it doesn’t stop there.
The residual effects of a data breach can linger for years. In fact, only 67% of costs are incurred in the first year of a data breach. Twenty-two percent arise in the second year after a data breach and 11% occur after two or more years, according to the IBM study.
The Impact On Financial Services
While the health care field has the highest industry average for the most costly data breaches, the financial services industry came in second at an average of $5.86 million. For financial services, the average cost per record breached is $210.
J.P. Morgan Chase understands the potential costs of having a data breach. In 2014, the company was hacked, compromising the data of millions of customers. In his annual letter to shareholders, CEO Jamie Dimon said the company spent almost $600 million on cyber defenses in 2018.
While the costs to be proactive can be steep, it pays to keep your clients’ information safe, the IBM study concluded. The global average of customer turnover rate was 3.9%; in financial services that number climbs to 5.9%, well above the global average.
Dimon, who previously referred to cybersecurity as an “arms race,” said that “the threat of cyber security may very well be the biggest threat to the U.S. financial system.”
FINRA And The SEC
Private and government agencies are not sitting this one out, either. In the last decade, numerous financial agencies have stepped up their cybersecurity procedures and have even created groups whose sole focus is on cybersecurity.
Stephanie Avakian and Steven Peikin are co-directors of enforcement at the Securities and Exchange Commission. Since coming into that role, Avakian and Peikin have made cybersecurity a major enforcement priority.
“The greatest threat to our markets right now is the cyber threat,” Peikin said. “That crosses not just this building, but all over the country.”
The SEC has seen an increase in investigations involving cybercrime, Avakian said, and as a result, has been steadily gathering statistics about cybercrimes to identify larger, market-wide concerns.
“I think we will see the cyber threat continue to emerge,” Avakian said.
SEC Chairman Jay Clayton agreed with Avakian, saying in a statement, “The Commission is focused on identifying and managing cybersecurity risks and ensuring that market participants — including issuers, intermediaries, investors and government authorities — are actively and effectively engaged in this effort and are appropriately informing investors and other market participants of these risks.”
Clayton, who had previously told the Senate Banking Committee that “companies should be disclosing more” and that there should be “better disclosure about their risk portfolios and sooner disclosures about intrusions,” created the SEC’s Cyber Unit within the commission’s Enforcement Division.
The Cyber Unit is tasked with “targeting cyber-related misconduct.” Since the Cyber Unit’s inception, the SEC has brought two enforcement actions against victims of breaches. Not long after, the agency issued a substantial report suggesting future enforcement against victims of breaches that are not in compliance with certain safeguards.
In April 2018, the SEC issued its first enforcement against a company for failing to disclose a breach, exemplifying the commission’s position and urging firms and companies to be in compliance with SEC safeguards.
The SEC is not the only agency concerned about cybersecurity in the financial industry.
In 2015, the Financial Industry Regulatory Authority identified where firms are most likely to be vulnerable and recommended some proactive steps to make their firms cyber safe.
1. Identify vulnerable areas.
Assess where the firm is vulnerable and outline ways to fix gaps in security. Knowing where a data breach is mostly likely to occur can give firms a good place to start when implementing new cybersecurity plans.
2. Have an incident response team.
Create an incident response team to help minimize costs of a potential data breach and test the data breach response plan. Having a team ready to act when an incident occurs gives firms the ability to contain the fallout from the breach quickly and establishes protocol for resolving breaches efficiently in a simulated scenario.
3. Invest in technology that can detect/contain a data breach.
The faster a data breach is identified and contained, the lower the cost of fixing the damage. Security automation is a good way to gain visibility and improve operations where needed.
4. Invest in governance, risk management and compliance programs.
Having an internal framework for evaluating risk across the company, tracking compliance and making recommendations for improvement is a proactive approach to dealing with cyber security.
5. Minimize complexity of IT and security environments.
System complexity, compliance failures and cloud migration can all contribute to third-party data breaches.