Dive Brief:
- The banking industry is making major investments in cybersecurity, across institutions of varying sizes and credit quality, according to a report by Moody's. The report, based on a survey of 88 banks from across the globe, shows that larger banks are making greater investments in cybersecurity compared with the rest of the industry.
- A majority of banks employ strong cyber governance practices, with 95% employing a CISO or CSO. Almost three-quarters of banks have a CISO, or another top cybersecurity executive, reporting directly to the C-suite. In addition, half of banks surveyed have some cyber expertise on their board of directors.
- Banks in North America are ahead of other regions in deploying advanced cyber defense practices, such as red team testing or vulnerability scanning, to detect weaknesses in their systems. North America-based banks also stand out in their use of cyber insurance, with 91% carrying a stand-alone policy.
Dive Insight:
The banking industry has been very attuned to cyber risks, according to Lesley Ritter, VP and senior analyst at Moody's.
"They have been dealing with cyber threats for well over a decade, while at the same time being quick adopters of digital technology which has the potential of making them more vulnerable," Ritter said via email. "This heightened awareness translates into the banking sector standing out relative to other industries in terms of investment in cybersecurity, ability to attract scarce cyber talent and broad adoption of risk mitigation practices."
A company's cyber risk is linked to a variety of factors, including its access to liquidity, the health of its balance sheet and its ability to adhere to sound cybersecurity practices rather than the industry it operates in, Ritter said.
"Still, we view the banking sector as high risk in terms of cybersecurity, because of how attractive it is as a target for many different types of attackers," Ritter said. "The sector consistently ranks at the top when it comes to the most targeted sectors, and that's why strong, sustained investment in cybersecurity is critical."
High-profile security incidents can also spur investment. Capital One suffered one of the biggest data breaches in the industry in 2019, when 106 million records were exposed after a malicious threat actor exploited a firewall misconfiguration.
The SolarWinds supply chain attack highlighted the risks involved when companies fail to exercise due diligence with third-party vendors. The report shows 100% of banks in North America require cyber risk assessments of new vendors, periodic risk assessments of existing vendors, and timely notification of cyber incidents and vulnerabilities that affect those vendors.
Regulators in the U.S. have taken steps to promote faster incident reporting and more proactive cyber resiliency measures among banks and other financial services firms.
In December 2020, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency proposed a 36-hour window for banks to notify regulators of a cyber incident that could materially disrupt operations.
The New York State Department of Financial Services issued new regulations in June on the measures financial institutions must take to protect against ransomware attacks. The regulator said more than 70 ransomware attacks were reported to it between January 2020 and May 2021.