Computer System Hacked. Virus Software Screen On Monitor

Financial institutions’ boards unprepared for cyberattacks despite prioritizing security

The following is a guest post by John C. Checco, Resident CISO, Financial Services, Proofpoint.

Financial institutions have been a bigger target for cyber attackers for many years—and have prioritized cybersecurity sooner than many other businesses.

As a result, they have often been more prepared to defend against threat actors. But new research shows that’s no longer the case.

While making cybersecurity a priority in the boardroom and investing heavily in cyber defenses, financial institutions’ board members feel just as unprepared for cyber attacks as their peers in other sectors, according to a report from Proofpoint and Cybersecurity at MIT Sloan (CAMS), entitled Cybersecurity: The 2022 Board Perspective.

The report found that 77% of financial institutions’ boards discuss cybersecurity at least once a month, and 77% view cybersecurity as a priority for their organization.

This commitment is reflected in their financial priorities: 76% of surveyed directors believe they have invested adequately in cybersecurity, and 87% expect their security budgets to increase further in the next year.

But despite the time and money spent on bolstering defenses, nearly half of those surveyed still think their financial institution is unprepared to cope with a targeted cyber attack in the next 12 months.

These findings closely reflect the overall sentiments of the 600 board members surveyed across all industries worldwide.

But the survey found some notable differences in the financial sector. Only 68% of financial services directors think their boards understand systemic risk, compared to 75% across sectors.

Further, 73% consider their institution at risk of a material cyber attack in the next year, compared to only 65% of all board members across sectors.

On the surface, the latter findings may not be encouraging for the industry. But they may be a sign of financial services’ cyber maturity.

Perhaps financial services organizations understand better than others that systemic risk is complex. It isn’t easy to fully comprehend, especially in today’s interconnected and evolving digital world.

These boards may also better grasp the growing magnitude of the threats—and are more realistic about their organizations’ prospects of suffering a material cyber-attack.

Close-up Focus on Person's Hands Typing on the Desktop Computer Keyboard. Screens Show Coding Language User Interface. Software Engineer Create Innovative e-Commerce App. Program Development

People risk broadly overlooked

It is well-established that their employees are the most significant risk for any organization. Human error, for example, is responsible for 95% of cybersecurity incidents, according to the World Economic Forum.

Yet financial boards do not understand this risk. Only 65% of financial services directors surveyed for Cybersecurity: The 2022 Board Perspective showed that human error is their most significant vulnerability.

This finding is a concern because boards may not invest time and money in the proper defenses.

If they do not understand that people are their main cyber vulnerability, they are likely not prioritizing this area.

Yet most attacks now focus on the human element, as threat actors have learned that breaking through the human perimeter is much easier than getting through cybersecurity controls.

Boards’ relationships with CISOs create barriers

The research found a communications gap between the boards and their CISOs. This rift is the most likely reason the increased cyber awareness does not lead to better organizational preparedness.

While financial services organizations fared a little better than other industries, they must do much more to have their boards and security leaders forge meaningful partnerships.

The report did find a sliver of good news: in financial services, there’s a smaller conflict between boards and CISOs. Among financial directors, 81% reported seeing eye-to-eye with their CISOs, vs. only 69% across all sectors.

This is very reassuring. Unfortunately, these positive relationships do not drive increased interaction between the two sides—just half of financial services boards interact with their CISOs regularly, and one-third only see the CISO during board presentations.

Related:

Such limited contact makes it difficult for boards and security leaders to work collaboratively toward better organizational preparedness and resilience.

That is especially true when CISOs have difficulty speaking the board’s language and translating cyber risk into business risk.

Financial services boards seem aware of this shortcoming. The survey found that after cybersecurity experience, the skill they next value the most in their CISOs is communication—the ability to raise awareness and explain cyber risk nontechnically.

Working together toward organizational success

Meaningful partnerships require both sides to work toward organizational success. The first step to achieving that is to improve communication.

Face-to-face contact is crucial to forging strong relationships, and strong relationships are essential to aligning priorities. CISOs also learn to speak their boards’ language to achieve better alignment and tell a more coherent and compelling story about cyber risk.

The financial sector will remain a prominent target for cyber attacks, and boards have a fiduciary duty to ensure that their organizations safeguard their customers’ data.

Making cybersecurity a priority is a great start, but it is not enough—boards and CISOs must work together strategically to advance preparedness against cyber attacks.

  • John C. Checco

    John is an information security professional providing subject matter expertise across various industries. He currently resides as a leader of the CISO Advisory Board on Financial Services for Proofpoint and President Emeritus of the New York Metro InfraGard Members Alliance (an FBI public/private partnership program). John specializes in the areas of Zero-Trust Strategies, Responsible Automation, Biometric Security, and Cyber-Physical coordinated threats on critical infrastructures. You can reach John on his LinkedIn page.