Cybersecurity, by far, is one of the most worrisome topics for bank boards. Quantifying the risks is a challenge, especially since they are continually evolving, which makes it difficult for directors to keep pace with the changes. This issue’s Briefly Noted takes you through a few trends and news items to keep in mind as you keep learning about the cybersecurity risks and security posture of your bank.
Malicious Attacks No. 1 Cause of Breaches
The biggest causes of data breaches are malicious or criminal attacks, according to Ponemon Institute’s 2016 Cost of a Data Breach report, which is a global study of more than 300 companies in a variety of sectors. Forty-eight percent of breaches were caused by such attacks. Twenty-seven percent involved loss of data because of a system glitch, and another 25 percent were caused by human error.
Cybersecurity Guidance Piles On
To add to the list of recommendations about cybersecurity, the Group of Seven industrialized nations (formerly known as the Group of Eight, which includes the U.S., Canada, much of Europe and Japan) came out late last year with a short document outlining good practices for financial institutions. Still another issue is joint regulators’ advance notice that they are creating new cybersecurity standards for boards of banks with more than $50 billion in assets. Already in use at many financial institutions are the standards developed by the National Institute of Standards and Technology and the Federal Financial Institutions Examination Council’s cybersecurity assessment tool. One of the more contentious standards is mandatory, and went into effect this month for New York state-chartered banks.
What Banks Spend on Cybersecurity
Is your bank spending enough on cybersecurity? Forty-two percent of bank executives and directors say their institution’s cybersecurity budget totaled between 1 percent and 5 percent of revenues in fiscal year 2016, according to Bank Director’s soon-to-be published 2017 Risk Practices Survey, sponsored by FIS. Fifty-six percent spent less than 1 percent of revenues. The survey will appear online at BankDirector.com in late March.
Breached and Waiting Nearly a Year to Find Out
How long does it take to discover a cybersecurity breach? A pretty long time, it turns out, and it makes a big difference whether the breach is discovered internally or not. It took an average of 56 days for breaches to be discovered internally. If someone outside the organization notified the company, the average delay was 320 days from the date of the breach, according to cybersecurity firm Mandiant Consulting’s M-Trends 2016 report. And 53 percent of organizations impacted discovered the breach through an external source. Ouch.