Financial companies suffer the greatest loss after a cyber-attack
From Jesse James to modern-day hackers, criminals have always set their sights on financial businesses because, after all, that’s where the money is. Unfortunately, cybercrime has ramped up the speed and consequences of these malicious actions, resulting in alarming monetary and reputational losses for the financial industry.
The average U.S. company suffers losses that approach $7.35 million after a data breach, according to the Ponemon Institute’s 2017 Cost of Data Breach Study. That number soars even higher in the heavily-regulated financial services sector, where average costs per lost or stolen record reach $245, compared to the average of $141 across all industries. Accenture’s 2017 Cost of Cyber Crime Study estimates annualized average costs of $18.28 million per financial services company – significantly greater than any other industry.
Reputation is everything
In an industry where reputation is everything, the long-term, indirect costs can climb even higher. A loss of customer loyalty impacts financial services companies more than any other sector after a significant data breach, as customers lose trust in the organization’s ability to protect their most sensitive information. The CreditUnionTimes reports that nearly 60 percent of consumers said they would stop using a bank after an online breach. More than 90 percent said they would consider taking legal action.
Ponemon found that cyber-attacks prompted the highest customer churn in the financial sector, with rates that ran nearly 6 percent higher than normal. By comparison, the retail industry, which has also been heavily hit by cybercrime, only experienced customer attrition that was 2 percent higher than usual after a breach.
To put that in perspective, losing less than 1 percent of customers costs businesses $2.6 million, according to the Ponemon report. Businesses that lose 4 percent or more of their customers after a breach suffer average costs of $5.1 million.
That’s an especially high price to pay for smaller companies, who could lose a critical mass of customers after only one breach. Sixty percent of businesses suffer losses so great they are forced to close their doors after a successful cyber-attack.
The loss of goodwill caused by angry, fleeing customers is likely to shake investor confidence as well. Equifax’s stock market value shrunk by $6 billion within 10 days of its announcement that the personal data on more than 143 million American consumers had been compromised.
It’s easy to understand why cybercriminals find financial services companies so appealing: they cut out the intermediary step between these hackers and the monetary rewards they desire. Hackers may be able to obtain mountains of data in attacks on health care organizations, for example, but more work is needed to turn that information into dollar signs.
Credit card details, password information, bank account data, trading partners – that’s just the tip of the proverbial iceberg of private data that’s stored and regularly accessed by financial services companies on private and public networks. This valuable information is the biggest target of cybercrime – the financial services industry is attacked 65 percent more often than any other sector, according to IBM’s latest Security Trends in the Financial Services Sector report.
More than 200 million records were breached in 2016, a staggering 937 percent increase over the previous year, the report found.
Cybercriminals are striking at the heart of U.S. finance, with significant breaches impacting major institutions such as JPMorgan Chase, Equifax, and even the Securities and Exchange Commission. To consumers, the consequences of these breaches are frightening: a recent PricewaterhouseCoopers report found that the number of financial fraud incidents has increased by 130 percent during the past year.
The kinds of attacks launched against financial institutions run the cybercrime gamut, from Distributed Denial of Service (DDoS) to malware and ransomware. Financial companies worldwide fell victim to the recent Petya and WannaCry ransomware attacks, where hackers seized control of company computers and threatened to destroy data unless payment was made. Although the actual ransom amounts paid have been modest, global and economic losses are expected to reach $4 billion from the WannaCry attack alone due to lost productivity, the cost of forensic investigations, and restoring lost data.
Bot attacks have also heavily targeted the financial sector, with 45 million attacks against financial organizations in just the last three months of 2015. Although originally developed by individual hackers, they now mostly originate from widely connected, automated systems that are difficult to shut down. A bot attack has the capability to paralyze a large bank for several days by bypassing security and mimicking the behavior of legitimate customers.
Even when the best cybersecurity defense is mounted, the IBM report found that the greatest vulnerability in the financial sector is human error. Nearly 60 percent of cyber attacks on financial services companies are started by inside sources – a higher rate than any other industry, the IBM report states. Most employees don’t even realize they are causing harm, as clever hackers launch 53 percent of these attacks through sneaky tactics such as phishing or Business Email Compromise scams.
Faced with these alarming statistics, federal and state lawmakers are cracking down on cybersecurity in the financial sector, adding to the costs companies incur after a breach by slapping hefty fines on businesses they believe ignored red flags or failed to take proper precautions.
It’s no surprise that 23 NYCRR 500, New York’s first-in-the-nation cybersecurity law, targets financial services. The new law, which is expected to serve as a model for national cybersecurity regulations, requires any company that reports to the state’s Department of Financial Services to meet robust cybersecurity requirements.
It places the burden squarely on the shoulders of each organization to regularly assess its risks and implement extensive cybersecurity systems. It also demands that companies enforce similar processes at their third-party service providers, and mandates that they report any cybersecurity events within 72 hours of discovery.
Federal laws impose mandates as well – the Gramm-Leach-Billey Act, for example, requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. In 2016, Morgan Stanley had to pay a $1 million fine to settle civil charges brought by the Securities and Exchange Commission that security lapses at the bank enabled a rogue employee to steal data related to hundreds of thousands of customer accounts.
Data breaches can lead to other unexpected costs. A recent Deloitte advisory study said that it is not uncommon for companies to face premium increases of 200 percent for the same cybersecurity insurance after a breach, or to be denied coverage until they can demonstrate to the insurer that they have strengthened their cyber defenses. Data breaches also can cause companies to fight lawsuits, have greater difficulty borrowing funds due to a drop in credit rating, and experience contract cancellations or greater difficulty negotiating new contracts.
But despite the potential for a catastrophic hit to their bottom lines, a recent MediaPro survey of the financial services sector said only 20 percent of respondents demonstrated strong knowledge of security and privacy best practices. The other 80 percent were classified as “risks,” meaning their actions could lead to a serious cyber incident or data breach.
With so many sophisticated and ever-changing attacks, best cybersecurity practices cannot prevent every breach – but they can reduce costs by as much as $19 a record via containing them and shutting them down faster, according to the Ponemon report. Connecting with a trusted cybersecurity company can go a long way toward helping financial services companies bolster their cybersecurity arsenal and prove to their customers that they are doing everything they can to protect their private information.
CyberGuard360’s clients across four states and 40 industries are guided safely through the threat landscape. Our wide array of services includes system security suites, risk assessment, education, and training and disaster recovery, and we specialize in helping New York companies comply with 23 NYCRR 500. If you’d like us to put our expertise to work for you, we’d be happy to help. Call us at 844-315-9882 or use our contact form for a free consultation.