Despite the financial services sector being highly regulated, 56 per cent of organisations in Asia Pacific (APAC) have either experienced a security incident (26 per cent) or are not sure if they have had a security incident as they have not checked (27 per cent).
That's according to newly released findings from Frost & Sullivan, in a study spanning the region and commissioned by Microsoft.
"Trust is foundational for all business decision-making," said Kenny Yeo, industry principal of cyber security at Frost & Sullivan. "This is especially true when it comes to the financial services industry as they are protecting not only their own businesses, but also their customers’ data and financial assets.
"For banks and other financial services organisations, the potential loss of trust and the consequent reputation damage is a far greater threat than the economic impact of a cyber crime."
Furthermore, the study found that over the past year, each cyber attack has cost large financial services companies in APAC an average of US$7.9 million in direct and indirect economic loss, with three out of five organisations also experiencing job losses resulting from cyber security incidents.
For mid-sized financial services companies, the average economic loss due to a cyber security incident was US$32,000 per organisation.
"Cyber security is one of the most pressing issues of our time and there are no silver bullets," said Connie Leung, senior director, financial services business lead across Asia at Microsoft. "The financial services sector is subjected to many laws and regulations relating to cyber security.
"These can be far-ranging and complex. In addition, financial services companies are working to enhance customer experience while applying the required controls.
"Global digitisation combined with unprecedented changes to the financial services business model is mandating transformation. To get there, financial services companies must embrace new digital business models that combine agility and security, with trust at the centre."
The initial study involved a survey of 1,300 business and IT decision makers ranging from mid-sized organisations (250 to 499 employees) to large organisations (more than 500 employees); 12 per cent of these respondents are from the financial services industry.
To calculate the cost of cyber attacks, Frost & Sullivan created an economic loss model based on insights shared by the survey respondents. This model factors in two kinds of losses which could result from a cyber security breach, namely, direct and indirect.
The direct financial loss includes loss of productivity, fines, remediation cost, etc, while the indirect financial loss includes the opportunity cost to the organisation such as customer churn due to reputational damage.
Furthermore, the study found that for financial services companies, remote code execution, online brand impersonation, ransomware and data exfiltration are the biggest concerns, as they have the highest impact on the business and often result in the slowest recovery time.
While on one hand, financial services companies see great competitive advantage in offering advanced digital services to their customers, the study revealed that cyber security concerns and approaches are impeding their digital transformation journey.
Specifically, more than three out of five (63 per cent) of the business and IT leaders in the financial services sector have indicated that the fear of cyber attacks has derailed their organisations’ digital transformation plans, thus undermining the organisations’ ability to capture opportunities and diminishing their competitive advantage in the burgeoning digital economy.
However, despite the fact that cyber security will likely be enhanced through the digital transformation process, the majority of respondents (40 per cent) from the financial services industry saw their cyber security strategy as merely a means to safeguard their organisations against cyber attacks.
In contrast, only one out of four (25 per cent) saw cyber security as a business advantage and an enabler for digital transformation.
If financial services companies do not view cyber security as one of the cornerstones of digital transformation, it will hinder their ability to deliver a ‘secure-by-design’ digital project, thereby leading to products and services with security vulnerabilities.
Delving deeper, the study revealed that only 28 per cent of financial services companies that had fallen victim to a cyber attack considered building a cyber security strategy before the start of a digital transformation project, as compared to more than one out of three (35 per cent) organisations that have not encountered any cyber attack.
The remaining respondents stated that they either considered cyber security after their projects had started, or did not take cyber security into consideration when designing their digital transformation projects.
The survey also found that financial services companies with fewer than 10 cyber security solutions were quicker to recover from cyber incidents than those having 26 to 50 cyber security solutions.
This debunks a popular misconception that deploying a large portfolio of cyber security solutions will render stronger protection.
The reality is that the complexity of managing a large portfolio of cyber security solutions may lead to a longer recovery time from cyber attacks.
AI for cyber security
Artificial Intelligence (AI) has been on the front-lines of the fight against fraud for a while now, but these days, it is more powerful than ever, thanks to machine learning and stronger computing power.
Today, it is a weapon of choice for financial services companies to reduce cyber security risks.
The study revealed that four in five (81 per cent) financial services companies in the region have either adopted or are considering an AI-based approach to complement their cyber security strategy.
Furthermore, by rapidly analysing vast quantities of data and providing actionable insights for cyber security professionals, AI-driven cyber security architecture enables organisations to accomplish tasks, such as identifying cyber attacks and removing persistent threats like data exfiltration malware, faster than any human, thus making it an increasingly vital element of any organisation’s cyber security strategy.