On April 19, 2017, professional services company Accenture released the results of its survey of security executives in the banking sector relating to cybersecurity strategy and priorities.  The survey results and accompanying analysis (the “Accenture Report”) conclude that financial services organizations are overconfident about their cybersecurity capabilities and must develop more mature cybersecurity protection mechanisms.  Accenture reached this conclusion from survey results about current systems and the fact that financial firms experience security breaches on a routine basis, both detected and undetected.  The Accenture Report, entitled Building Confidence: Solving Banking’s Cybersecurity Conundrum, is available here.   

The Accenture Report assesses banks’ confidence in the effectiveness of their cybersecurity apparatus, finding that “overconfidence within the banking industry is alarmingly prevalent.”  Accenture concludes that generally, security and risk executives think their security capabilities are achieving cyber-related business outcomes, such as protecting customer and company information.  More specifically, the survey showed that “[l]arge percentages of banking respondents were confident that they are doing the right things in terms of cybersecurity, with 78 percent of large enterprise security executives surveyed expressing confidence in their cybersecurity strategies and 76 percent believing they have actually embedded effective cybersecurity into their cultures.”

The Accenture Report posits that the overconfidence stems from financial services firms’ failure to recognize the volume and effectiveness of cyberattacks—two to three effective attacks per month.  Per Accenture, “financial services firms are suffering from an astounding number of security breaches,” and a “typical financial services organization will face an average of 85 targeted breach attempts every year, a third of which will be successful.”  The Accenture Report also suggests that financial institutions’ overconfidence reveals a failure to recognize that attackers spend a great deal of time inside organizations before attacks are detected.  In the survey, “[f]ifty-nine percent of banking respondents admit it takes ‘months’ to detect successful breaches, while another 14 percent identify them ‘within a year’ or longer.” 

Finally, with respect to threat patterns, the Accenture Report states that while companies typically prioritize external security, almost fifty percent of banking respondents to the survey reported that “internal breaches have the greatest cybersecurity impact.”  The Accenture Report also notes that “many attacks are successful because they exploit employees’ login credentials.”

Accordingly, in addressing how to solve banking’s cybersecurity “conundrum,” Accenture first emphasizes the importance of creating a strong culture of cybersecurity, asserting that “a company’s people represent its best form of defense.”  To change the culture, Accenture contends that changing behaviors is critical, and suggests this is best accomplished by ensuring through training, communication, and other means, that employees and executives understand what security means to their work and the organization—“[s]ecurity is not just an IT problem.  It’s a company problem, and even a people problem.” 

Additionally, Accenture emphasizes that accountability and oversight must be spread across C-level roles so that personnel can identify, understand, and respond effectively “across multiple lines of defense.”  This should include, according to the Accenture Report, compliance audits and material, day-to-day engagement between Chief Information Security Officers and enterprise leadership.  Accenture suggests that creating such engagement requires convincing leadership that the cybersecurity team is critical to company value.

To help improve banks’ cybersecurity capabilities, the Accenture Report also recommends a twofold program: “one focused on cybersecurity assessment on the one hand, and attack simulation on the other.”  The objective of this approach is to view a cybersecurity assessment through the lens of an attack, thereby making it “easier to prioritize and to demonstrate to leadership where funding should be applied.”  The recommended assessment is not an audit based on checklists; rather, “[t]oday such an analysis needs to be a true risk assessment that identifies the controls needed to mitigate each risk.”  Accenture recommends that the controls be based on an agreed risk tolerance and metrics that evaluate “the risks against the scale of the problem.”

As to attack simulations, Accenture emphasizes the need not only for testing against external attacks, but also against internal threats.  To avoid having to test against a seemingly limitless variety of attacks, Accenture recommends that energy and investments be focused on where the company’s key assets reside.  The Accenture Report also describes a “security sparring match” exercise that helps participants understand their adversaries by determining what level of sophistication hackers would need to access the systems.  Once understood, the Accenture Report suggests, the cyber team can determine the level of cyber defense necessary to combat adversaries in accordance with the institution’s risk appetite.

To further improve a company’s cybersecurity capabilities and strengthen its resilience to cyberattacks, Accenture recommends looking at seven areas:  

1. “Business alignment” – understanding what incident scenarios could materially affect the organization;
2. “Governance and leadership” – focusing on security accountability, advancing a security-minded culture, monitoring performance, incentivizing employees, and creating a chain of command;
3. “Strategic threat” – exploring threats to align security procedures with business strategy;
4. “Cyber resilience” – developing an ability to deliver superior operational results while facing cyber adversaries;
5. “Cyber response readiness” – having a cyber response plan, strong communications about incidents, tested plans regarding critical assets, effective escalation, and stakeholder involvement;
6. “Extended ecosystem” – ensuring cooperation during crises, implementing cybersecurity clauses in agreements with third parties, and regulatory compliance; and
7. “Investment efficiency” – shaping organizational understandings about cyber threats to promote appropriate allocations of cyber resources and to avoid overspending.

With regard to spending, the survey revealed that about 40 percent of banking institutions “spend between 7 percent and 10 percent of their IT budget on cybersecurity,” an amount Accenture considers appropriate.  However, the survey also showed that 20 percent overspend and 40 percent underspend.  Accenture considers both overspending and underspending to reflect an “unbalanced cybersecurity risk management strategy.”