Companies in the financial sector are growing more aware of cyber-security risks, but have little awareness of incoming security laws
Nearly 80 percent of financial institutions are seeing increased cyber-security threat levels and are planning to increase security spending as a result, according to a new study carried out by professional services firm Ernst & Young.
The study, based on a survey of 250 professionals in the finance industry, underscores a growing awareness of IT threats to financial organisations, and complements recent figures that show security has also become a top factor for consumers in choosing a bank.
The study also found relatively low levels of awareness of key legislation including the EU Network Information Security Directive and the EU General Data Protection Regulation, Ernst & Young said.
“Our recent survey indicates that whilst the finance community are becoming more aware of the impacts of cybersecurity across their business, their awareness of the full range of legislative and governance instruments remains an area that has scope for significant improvement,” stated Mark Brown, executive director of EY Cybersecurity & Resilience.
Nearly half, or 45 percent, of those surveyed said their organisation had experienced from 1 to 10 cyber-security incidents within the past 12 months, while 79 percent said they planned to increase security spending due to an increased level of threat.
Another 38 percent said their company had not been affected by any threats they were aware of, and only 21 percent perceived the threat level to be the same or reduced.
When asked where security issues originated, 28 percent saw external hackers as the biggest source of problems, but 23 percent focused on vulnerabilities in technical systems and another 21 percent thought their own employees were the main risk.
Ernst & Young found financial organisations had surprisingly little awareness of some key EU data-related regulations – only seven percent had heard of the EU Network Information Security Directive, which is to introduce mandatory breach disclosure for specific sectors, and 19 percent knew of the EU General Data Protection Regulation, which is expected to introduce significant penalties for data loss.
“More news headlines will be triggered by companies being forced to openly disclose to their customers that they have suffered a cyber breach, causing potential loss of trading revenues through brand and reputational damage,” Ernst & Young said in the study.
A recent study found that financial services firms can take up to 98 days to identify IT threats.