Cybersecurity is becoming a costly endeavor for insurers and other financial institutions, but plan design and implementation can matter even more, according to a report released recently by Deloitte and the Financial Services Information Sharing and Analysis Center (FS-ISAC).
Financial institutions spend approximately $2,300 on average per full-time employee for cybersecurity each year, says the report, “Pursuing Cybersecurity Maturity at Financial Institutions.”
Deloitte, based on responses from banks, insurers, investment management firms and other financial services companies, found that these enterprises spend 6-14 percent of their information technology budget on cybersecurity, with an average of around 10 percent. Broken down further, this translates to 0.2 percent to just under 1 percent of company revenue, or $1,300 to $3,000 on cybersecurity per full-time or equivalent employee.
Larger firms spent nearly 1/5th of their cybersecurity budget on identity and access management—nearly twice the percentage of midsize and smaller companies. Those smaller firms tended to spend more on endpoint and network security, according to the survey.
Not Just Money
Julie Bernard, a principal with Deloitte Risk and Financial Advisory’s cyber risk services, Deloitte & Touche LLP, noted simply spending more on higher cybersecurity spending doesn’t make an environment more secure – one of the main survey findings.
“While everyone is looking for an efficiency ratio for their cyber costs, how a security program is planned, executed and governed is as important, if not more,” Bernard said in prepared remarks.
The report looked at various components of a financial institutions’s cybersecurity operation, including how it is organized and governed, who the chief information security officer (CISO) reports to, the level of board interest in the CISO’s work, and which cyber capability areas got spending priority.
The more successful cybersecurity programs included traits such as setting a tone at the top of an organization, with both executives on board; giving cybersecurity more attention and clout beyond the IT department; and aligning cybersecurity efforts with the company’s business strategy.
“Agile organizations are constantly adapting their cybersecurity program to deal with the evolving threat landscape,” Steven Silberstein, CEO of FS-ISAC, said in prepared remarks. “Sharing of industry standard best practices in governance, intelligence, resiliency and prevention is integral to the protection of the sector.”
According to the report, business growth and expansion was identified as the second-biggest challenge in managing cybersecurity among CISOs surveyed at the most mature companies, trailing only the rapid IT changes and rising complexities — an issue that faces all CISOs regardless of a company’s maturity level.
In contrast, according to the survey, companies with less mature cybersecurity programs were often still contending with much more basic issues than how to cope with growth challenges. The second-largest problem that less mature companies face, for instance, is prioritizing options for securing the enterprise.
FS-ISAC pursued the survey in fall 2018, working with Deloitte’s cyber risk services practice. Ninety-seven companies participated, with 29 percent of those reporting revenue of more than $2 billion annually, while 23 percent were classified as midsize, with annual revenue between $500 million and $2 billion.
Source: Deloitte/Financial Services Information Sharing and Analysis Center