Just How Much Are Financial Institutions Spending on Cybersecurity? An Average of About $2,300 Per Employee, Deloitte Survey Finds
Bill Sinn | May 01, 2019
Financial institutions spend an average of around $2,300 per full-time employee on cybersecurity annually, reveals a survey released today by Deloitte and the Financial Services Information Sharing and Analysis Center (FS-ISAC).
According to the report, “Pursuing Cybersecurity Maturity at Financial Institutions,” respondents from banks, insurers, investment management firms and other financial services companies spend anywhere from six to 14 percent of their information technology budget on cybersecurity, averaging 10%. This number translates to a range of around 0.2% to 0.9% of company revenue and — breaking it down even further — between $1,300 and $3,000 on cybersecurity per full-time or equivalent employee in the survey, which was fielded in the fall of 2018.
Survey responses show that larger firms allocated nearly one-fifth of their cybersecurity budget to identity and access management — nearly twice the percentage of midsize and smaller companies, which tended to spend more heavily on endpoint and network security.
“Of course, money alone is not the answer — as we found in the study, higher cybersecurity spending doesn’t necessarily translate into a higher cybersecurity maturity level,” said Julie Bernard, a principal with Deloitte Risk and Financial Advisory’s cyber risk services, Deloitte & Touche LLP. “While everyone is looking for an efficiency ratio for their cyber costs, how a security program is planned, executed and governed is as important, if not more.”
The report — shared with executives at the FS-ISAC 2019 Annual Summit today — looked at various components of a financial institution’s cybersecurity operation, including how it is organized and governed, who the chief information security officer (CISO) reports to, the level of board interest in the CISO’s work, as well as which cyber capability areas were prioritized in terms of spending.
The most successful programs exhibit several core traits, including:
- Setting a tone at the top of an organization, with both executives and the board. Lack of management support and/or inadequate funding was cited as a CISO’s top challenge in managing cyber by companies with a lower level of risk management maturity. Those boards and management committees viewed as the most successful were more interested in nearly all areas of cybersecurity; more CISOs reported to chief operating officers and chief risk officers than to chief information officers and chief technology officers in these firms as well.
- Raising cybersecurity’s profile beyond the IT department to give the security function higher-level attention and greater clout. The most mature institutions were more likely to elevate the cybersecurity function by completely segregating cybersecurity from IT. According to Bernard, to drive effective execution of a “cyber risk control” program, executive management needs to structure their cyber leadership team to drive communication and implementation of security across the enterprise — and have both the authority and expertise to do so.
- Aligning cybersecurity efforts with the company’s business strategy. The prolific impact of having cyber embedded in organizational strategy, planning and execution of operational or performance efforts should not be underestimated, according to Bernard. “Cyber deserves organizational alignment, prioritization and reporting structures,” she said. “Embedding cyber professionals into the businesses can enable the cyber organization, and its leaders, to be more strategic and better manage cyber risk across the enterprise.”
“Agile organizations are constantly adapting their cybersecurity program to deal with the evolving threat landscape,” noted Steven Silberstein, CEO of FS-ISAC. “Sharing of industry standard best practices in governance, intelligence, resiliency and prevention are integral to the protection of the sector.”
According to the report, business growth and expansion was identified as the second-biggest challenge in managing cybersecurity among CISOs surveyed at the most mature companies, trailing only the rapid IT changes and rising complexities — an issue that faces all CISOs, regardless of a company’s maturity level.
“As companies grow by adding new platforms, products, geographic regions, apps and web capabilities, cybersecurity considerations can multiply along with the introduction of each new element,” said Bernard. “The reality of ‘cyber everywhere’ is taking hold as organizations are working quickly to understand what that means for operations, innovation and beyond — and the stakes have never been higher for getting it right.”
In contrast, according to the survey, companies with less mature cybersecurity programs were often still contending with much more basic issues than how to cope with growth challenges. The second largest problem that less mature companies face, for instance, is prioritizing options for securing the enterprise.
The survey was fielded last fall by FS-ISAC, in conjunction with Deloitte’s cyber risk services practice. Ninety-seven companies participated, with 39% of those reporting revenue of more than $2 billion annually, while 23% were classified as midsized, with annual revenue between $500 million and $2 billion.
The report is available online here: www.deloitte.com/insights/cybersurvey