The Soaring Risks of Financial Services Cybercrime: By the Numbers

Jennifer Rose Hale
Financial services cybersecurity must be a top priority for leaders. After all, while no industry has been immune to the increasing threat of cybercrime, financial institutions are particularly and perniciously vulnerable. According to one report, financial services firms are 300 times as likely as other companies to be targeted by a cyberattack. Let's take a look at the key numbers behind the risk posed by financial services cyberattacks.  

Top Cyberthreats for Financial Services

Consider these major factors that constitute threats to cybersecurity in financial services markets:
  • Unencrypted data. As a matter of oversight rather than malicious intent, companies regularly expose their data inadvertently.
  • Malware and ransomware. According to FBI data, more than 4,000 ransomware attacks have occurred daily since 2016.
  • Unsecure third-party services. Vendor security lapses can create the same negative outcomes  exposure, damage to reputation as internal errors or attacks. Organizations are increasingly held responsible for third-party vendors through legislative and industry actions such as the General Data Protection Regulation, California's new privacy laws, the Payment Card Industry Data Security Standard and more.
  • Phishing threats. One group found that phishing attacks are on the rise with the increase of remote working. While phishing has traditionally targeted unknowing recipients through email, social media is another area of risk.

Financial Services Cybersecurity Regulations in the US

Globally, governments are enacting regulations and publishing guidance to secure their data and industries against malicious attacks as well as human error. New and revised regulations are increasing in frequency. They have complicated the cybersecurity field for private businesses, which must account for laws in their own jurisdictions and others in which they may do business.  

Cybersecurity Requirements for Financial Services Companies

Led by California and Virginia, many US state legislatures are considering their own actions  which may spark the development of federal regulations. In the meantime, US banks are regulated by the Gramm-Leach-Bliley Act Safeguards Rule. It is one of the regulations in addition to those noted above being enacted worldwide that hold institutions responsible for the security of their vendors.  

Proposed Cybersecurity Requirements for Financial Services Companies

As increasing threats inspire new cybersecurity regulations, financial services leaders should be aware of oncoming changes in how they do business. In one example, a proposed US rule would require banks to notify their primary federal regulators within 36 hours of a notification-worthy computer-security incident.  

Financial Impact of Security Breaches

the cost of cyberthreats

The costs of security breaches and attempts at preventing them are bracing, particularly for the financial sector. According to Accenture, the financial services industry faces the highest average cost $18 million of cybercrime per company.

Overlooked data permissions can become expensive vulnerabilities, and making sensitive data available to employees who don't explicitly need it raises the risk. The average financial services employee, for example, has access to 11 million files, a number that increases to 20 million for employees of large financial organizations, according to Varonis.  

The Enormous Costs of Cybersecurity Threats

Take a look at the numbers associated with three types of cybercrime:

Data breaches. IBM's 2020 Cost of Data Breach Report cited $3.86 million as the global average total cost of a data breach in 2020. But financial services are hit harder, with an average cost of $5.85 million.

Ransomware. A 2020 survey found that the average cost of remediating a ransomware attack is $761,106, while organizations that don't pay the ransom spent approximately $732,520 to recover their systems.

Phishing. CSO Online reported that phishing attacks caused 80% of reported security incidents. Another report indicates that users open 30% of sent phishing messages.  

The Massive Spend on Cybersecurity

It's no surprise that cybersecurity prevention has become a big budget line item. Forbes reports that the global cybersecurity market in 2020 is $173 billion, and that number is only increasing. Security and risk management were seen as the primary driver of IT spending by 34% of CIOs, according to IDG's State of the CIO research.  

Top Targets and Sources of Cyberattacks

Top Targets and Sources of Cyberattacks

When identifying the top risks of cyberattacks, look toward the top of the organizational chart. C-suite leaders are 12 times more likely than other employees to fall victim, and 40% of respondents cite C-suite employees, including the CEO, as their company's highest cybersecurity risk (GBhackers).  


According to Verizon, while 63% of attacks are perpetrated by financially motivated external actors, 27% have internal sources — either employees acting intentionally for financial motivation or simply making errors.

Why Boards Should Prioritize Cybersecurity in the Post-COVID World


As governments worldwide enact or revise legislation and guidance related to cybersecurity, organizational leadership also is responding by making security a top priority.

A vast majority 92% of boards are involved in cybersecurity direction and strategy, Diligent Institute found in research for its report What Directors Think: Navigating a Pivotal Year. In the same report, 37% of directors responding noted that cybersecurity is the most challenging issue to oversee, after new technologies and innovation (42%) and culture (40%).



Read more about Diligent's work supporting financial services

An aggressive response and clear cybersecurity strategy is supported by the research into customer attitudes. According to a Varonis report, '''80% of consumers will defect from a business if their information is compromised in a breach,''' while 65% lose trust in an organization.  

How To Mitigate a Cyber Attack Within Your Financial Services Organization

So what can you do? Diligent has assembled actionable best practices for your organization. The upshot: Like so many strategic efforts, the key is an informed and involved leadership team supported by the right tools. Ensure board members understand the scope of the risk and rapidly changing regulations globally. Incorporate cybercrime risk prevention into top-level business strategy. Replace personal email for collaboration with encrypted communication tools. Steps such as these and others will reduce the target your organization presents to external and internal errors and attacks.  


While it may not be possible to prevent all cyberattacks in financial services organizations, thoughtful steps to mitigating risk and a plan to address attacks when they happen will ensure leaders are stewarding their companies effectively through the years to come. Through its modern governance platform and expertise with the concerns of financial services, Diligent continues to support organizations like yours as they navigate today's risks. Read more in Diligent's New Cyber Risk Scorecard.


Discover Your Cyber Risk Score


Additional Sources

Related Insights
Jennifer Rose Hale
Jennifer Rose Hale has over 20 years' experience with digital and employee communications in for- and nonprofit environments, including managing large-scale website launches and redesigns, copywriting for Fortune 200 companies and identifying and using goals and analytics to measure online performance and project success. Her writing and client areas of expertise include personal finance, science, technology and education.