Banks outpace other industries in cyber investments, defense strategies: report

Dive Brief:

The banking industry is making major investments in cybersecurity, across institutions of varying sizes and credit quality, according to a report by Moody's. The report, based on a survey of 88 banks from across the globe, shows that larger banks are making greater investments in cybersecurity compared with the rest of the industry.
A majority of banks employ strong cyber governance practices, with 95% employing a chief information security officer (CISO) or chief security officer. Almost three-quarters of banks have a CISO, or another top cybersecurity executive, reporting directly to the C-suite. In addition, half of banks surveyed have some cyber expertise on their board of directors.
Banks in North America are ahead of other regions in deploying advanced cyber defense practices, such as red-team testing or scanning for vulnerabilities, to detect weaknesses in their systems. North America-based banks also stand out in terms of their use of cyber insurance, with 91% implementing a stand-alone policy.

Dive Insight:

The banking industry has been attuned to cyber risks, said Lesley Ritter, a vice president and senior analyst at Moody's.

"They have been dealing with cyber threats for well over a decade, while at the same time being quick adopters of digital technology which has the potential of making them more vulnerable," Ritter said via email. "This heightened awareness translates into the banking sector standing out relative to other industries in terms of investment in cybersecurity, ability to attract scarce cyber talent and broad adoption of risk mitigation practices."

A company's cyber risk is linked to a variety of factors, including its access to liquidity, the health of its balance sheet and its ability to adhere to sound cybersecurity practices, Ritter said.

"Still, we view the banking sector as high risk in terms of cybersecurity, because of how attractive it is as a target for many different types of attackers," Ritter said. "The sector consistently ranks at the top when it comes to the most targeted sectors, and that's why strong, sustained investment in cybersecurity is critical."

High-profile security incidents can also spur investment. Capital One suffered one of the biggest data breaches in the industry in 2019, when 106 million records were exposed after a former employee of Amazon Web Services exploited a firewall misconfiguration.

The Moody's report shows 100% of banks in North America require cyber risk assessments of new vendors, periodic risk assessments of existing vendors and require timely notification of cyber incidents and vulnerabilities that impact those vendors.

Regulators in the U.S. have taken steps to promote faster incident reporting and more proactive cyber resiliency measures among banks and other financial-related industries.

The Federal Deposit Insurance Corp. (FDIC) and the Office of the Comptroller of the Currency (OCC) in December proposed a 36-hour window for banks to notify regulators of a cyber incident that could materially disrupt operations.

The New York Department of Financial Services (DFS) issued new regulations in June regarding measures that financial institutions needed to take to protect against ransomware attacks. More than 70 ransomware attacks were reported to the regulator between January 2020 and May 2021, DFS said.