Our Wired World

Reshaping The Cybersecurity Landscape

How digitization and the COVID-19 pandemic are accelerating cybersecurity needs at many large financial institutions

The survey on the rapidly changing world of cybersecurity post Covid-19 was conducted by Deloitte and  the Financial Services Information Sharing and Analysis Center

Cybersecurity for financial institutions was critical before COVID-19 hit—and likely even more so now. This year’s Deloitte and FS-ISAC survey reveals why firms may need to prioritize and reinvest in cyber protection programs.




Key messages:

  • Survey respondents reported an increase in cybersecurity spending, with identity and access management, cyber monitoring and operations, and endpoint and network security receiving bigger shares of the pie.
  • For the last three years, respondents identified rapid IT changes and rising complexities as their No. 1 cybersecurity challenge. To help effectively mitigate emerging cyber risks, companies should consider digitally enabling the cyber function within the broader IT service development process. Adopting “security by design” principles during technology development could also help financial institutions create more secure products.
  • Cybersecurity is often included as part of the IT function, and CISOs typically report to the CIO or CTO at their firms, according to most respondents from large financial institutions surveyed. This reflects the need for close integration of cybersecurity and IT.
  • At the same time, financial institutions may want to retain a certain level of independence for cybersecurity, which could help ensure risk management decisions are not overshadowed by IT constraints.
  • Respondents cited emerging technologies such as cloud, data analytics, and robotic process automation as top cybersecurity investment priorities. Access control, protective technology, and data security were emphasized as rationales.
  • As digitization and remote work accelerates, and lines among employees, customers, contractors, and partners/vendors are blurring, many traditional network perimeters and boundaries are obscured. Users, workloads, data, networks, and devices are everywhere. “Zero Trust” has emerged as a concept for enforcing “least privilege” for modern enterprises contending with the ubiquitous nature of these domains.

Time To Double Down On Cybersecurity

Most financial institutions have been moving steadily toward digitization for some time now. Operations across companies large or small in all financial sectors have been going digital, driven by the need for efficiency as well as rising customer expectations. Among financial services firms, the pace of adoption has often varied based upon a company’s readiness for change, agility, and size, among other factors.

Over the last few months, the COVID-19 pandemic has forced many companies to accelerate their digitization efforts. As office closures and restricted movement compelled everyone and everything that could go virtual to do so, many institutions had to more fully embrace a digital transformation in operations, distribution, and customer engagement.

This sudden shift, however, has compounded problems for many chief information security officers (CISOs) and cybersecurity teams charged with securing the digital fortress at their firms. Hackers and cyber scammers are trying to take advantage of expanding technology footprints and new attack surfaces, with most employees working remotely. In April, the New York Department of Financial Services highlighted the significant increase in cybercrime related to the COVID-19 outbreak.

Over the past three years, cybersecurity has continued to grow as a priority. Financial firms keep allocating more resources, increasing board involvement, and making investments that are more aligned to IT and business priorities. The report also identifies several key cyber risk management trends at large financial institutions, as well as future implications that may be relevant to firms of all sizes in the wake of COVID-19.

Spending Rises To Meet Increased Demand

One of the most important components of a financial institution’s cyber risk management operation is the level of resources allocated to cybersecurity programs. The average annual cost of cyberattacks has been ballooning for many organizations. So, it was not surprising to find that cybersecurity spending rose among the financial institutions surveyed compared to those responding in the prior year .

Despite increased spending, budget allocations have remained largely consistent over the three years of the survey. Cyber monitoring and operations, endpoint and network security, and identity and access management collectively received more than 50% of the spending pie in our latest survey.

Another reason for increased cybersecurity spending is increased pressure on boards and executive management teams, which has heightened their interest in cybersecurity at responding financial institutions. Based on Deloitte’s interactions with clients, CISOs who were able to continuously refine and articulate cybersecurity’s value propositions to the board tended to be more successful in securing board engagement.

Digital Agendas Shape Cybersecurity Programs At Large Financial Institutions

Technology is a part of everything that financial institutions do, but adopting new technologies across businesses comes with increased cyber risks. It is therefore likely no surprise that respondents ranked rapid IT changes and rising complexities as the No. 1 challenge in managing cybersecurity for the last three years, while the second biggest challenge was the unavailability of skilled cyber professionals to help secure systems in such a rapidly evolving IT environment.

At the same time, business growth and expansion, a rising challenge according to respondents in our 2019 report, may recede for the time being, as companies have generally shifted focus from growth to pandemic response and recovery.

Top Business Issues And Their Security Implications

Cybersecurity organizations will need to quickly adapt to this new operating environment by implementing enhanced controls and endpoint protection technologies to exert greater control over end-user devices...

More and more financial institutions are using emerging technologies to innovate and develop new products, services, and digital channels. But these critical enablers could become the target of additional cyberattacks. Thus, embedding cybersecurity into new products and services and new channels remain the top two business issues with security implications at large financial institutions surveyed.

New products and services: Financial institutions today are often competing as well as collaborating with fintechs on product and service innovation. As companies strive to be first to market, these innovations often require speed and flexibility to be successful. However, companies should ensure that enough precautions are taken in designing, building, and utilizing new innovations, as new cybersecurity threats could emerge during any of these stages. The challenge for an organization’s cybersecurity function is to create controls commensurate with the additional risk being taken on, without being perceived as a roadblock to innovation.

New channels: Companies often seek newer, easier ways to do business with customers, but newer channels may come with their own set of cyber vulnerabilities.

Cost reduction was already much on the minds of respondents, ranking third in each of the past two surveys, even before the fallout from COVID-19 became an additional concern.

Integrating Cybersecurity With IT, While Maintaining Its Strategic Importance

Financial companies manage and operate cybersecurity programs in different ways, from how they are structured, to reporting lines, to establishing focus areas for cybersecurity spending. Many have adopted a mix-and-match approach based on their company’s objectives.

In this dynamic environment, many financial firms are now closely linking cybersecurity programs to technology initiatives to effectively mitigate emerging cyber risks. This was reflected in the way cyber risk management was organized at large financial institutions participating in the survey. Indeed, a majority of respondents cited cybersecurity as a part of their IT organization .

The close alignment between cybersecurity and IT goals was also reflected in the reporting structure for survey respondents. Among CISOs surveyed from large financial firms, 62% report either to the chief information officer (CIO) or the chief technology officer (CTO), a substantial jump from 38% the year before and only 20% the year before that.

Lines Of Defense

By closely aligning cybersecurity with the IT function, financial institutions can be better positioned to deal with emerging cyber risks in a faster and more effective manner, helping their IT partners become more agile.

While the first line of defense in cybersecurity is often aligned closely to technology functions through common lines of reporting, security personnel usually have clearly segregated roles and responsibilities. In second lines of defense, however, cybersecurity is often a part of the technology or risk functions without clearly delineated requirements, roles, or responsibilities.

Companies should therefore clearly delineate cybersecurity from technology or risk functions across both the first and second lines of defense by providing clear separation of roles and responsibilities.

Maintaining The Strategic Importance Of Cybersecurity

Cyberthreats and attacks are no longer just a technology risk, but a business risk as well. That’s why the cybersecurity function should have sufficient independence and prominence. This can help ensure that decisions related to risk management are given due consideration and are not influenced or overshadowed by other IT considerations or constraints.

If cybersecurity is part of IT, it may not have enough visibility and ties to actual lines of business. At the same time, with CISOs reporting to CIOs, other stakeholder relationships may matter even more to balance risk and business priorities.

Companies should therefore consider specific measures to create linkages among lines of business, risk partners, and cybersecurity. This can be accomplished by creating steering committees, hiring business information security officers (BISOs), and other options. These actions could also help align cybersecurity with future business plans.

Finally, companies should work on ensuring that boards and management committees place cybersecurity high on their agendas. As noted earlier, having an engaged board can help the entire organization focus on the challenge of managing cyber risk while assuring that adequate resources are allocated. And board oversight should be ongoing, rather than only at the initial stages or when there is a cyber incident.

The Way Forward

The COVID-19 pandemic has significantly disrupted financial institutions and the ways they operate globally. Remote work has increased significantly, and—as a result—the use of videoconferencing and team collaboration applications has skyrocketed. And these changes may not disappear as firms recover. Indeed, a recent Deloitte report found that many financial institutions are evaluating permanent remote work for at least part of their workforce. Based on conversations with industry leaders, some companies are considering remote work for 30% or more of their employees on a more permanent basis.

Cybersecurity organizations will need to quickly adapt to this new operating environment by implementing enhanced controls and endpoint protection technologies to exert greater control over end-user devices. Companies should consider increasing training and awareness activities, focusing on remote etiquette for work-from-home environments.

At the same time, with lines blurring among employees, customers, contractors, and partners/vendors in general, firms should consider implementing “zero trust” principles for access since the organization’s perimeter is essentially gone. This means every transaction involving flow of data, whether it be through networks, applications, users, devices, or workloads, is controlled for least privileged access.