Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Cost of Cybercrime Study in Financial Services: 2019 Report

343 views

Published on

Now in its 9th year, this new Accenture presentation explores the impact associated with cybercrime, quantifying the cost of cyberattacks and analyzing trends in malicious activities in the financial services industry. And this year for the first time, we look to the future so that financial services organizations can better target their funds and resources and open up new revenue opportunities to unlock economic value.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Cost of Cybercrime Study in Financial Services: 2019 Report

  1. 1. UNLOCKINGTHE VALUEOF IMPROVED CYBERSECURITY PROTECTION NINTH ANNUAL COST OF CYBERCRIME STUDY IN FINANCIAL SERVICES 2019 REPORT
  2. 2. • The average cost of cybercrime for an organization increased US$1.4M to US$13.0M. • Phishing and social engineering (+16%), ransomware (+15%), and stolen devices (+15%)— largely people-based attacks—show the biggest increases. • Information theft is the most expensive consequence of cybercrime and companies spend most on discovery activities. Organizations spend more than ever to deal with the costs and consequences of more sophisticated attacks. • The threat landscape continues to expand with an increase in nation-state espionage, supply chain and critical infrastructure threats. • In the drive for growth and innovation, 79% of business leaders say new business models introduce technology vulnerabilities faster than they can be secured. • The average number of security breaches in the last year grew by 11% from 130 to 145. The expanding threat landscape and new business innovation is leading to an increase in cyber attacks. • Place greater emphasis on protecting people to combat the rise in attacks against them. • Prioritize technologies to limit information loss and disruption, the largest consequences of cybercrime and a growing concern with new privacy regulation like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). • Use automation (including artificial intelligence (AI) and machine learning) and advanced analytics to manage rising cost of discovering attacks, the largest component of spend. Prioritize technologies that reduce the consequences of cybercrime to unlock future economic value. • Improving cybersecurity protection can reduce the cost of cybercrime and provide additional revenue opportunities. A total of US$5.2 trillion over the next five years. • This translates into additional revenue of 2.8 percent—or an average of US$580M annually—in each of the next five years for an average G2000 company. • This provides a useful benchmark to measure investments in cybersecurity protection. What is the economic value of improving cybersecurity protection worth to an organization? GLOBAL COST OF CYBERCRIME STUDY FINDINGS IN BRIEF Copyright © 2019 Accenture. All rights reserved. 2
  3. 3. GLOBAL COST OF CYBERCRIME STUDY Copyright © 2019 Accenture. All rights reserved. 3 11 US UK Japan Germany France Brazil Canada Australia Spain Italy Singapore EXAMINING THE ECONOMIC IMPACT OF CYBER ATTACKS 355Companies 2,647 Jointly developed by: Countries Travel Comm & Media Life sciences Retail Health Consumer Goods Public Sector US Federal Energy High Tech Insurance Automotive Software Utilities Banking / Capital Markets Annual research study 9th 16Industries Interviews
  4. 4. What types of cyber attacks and security breaches are included in this research? We define cyber attacks as malicious activity conducted against the organization through the IT infrastructure via the internal or external networks or the Internet. Cyber attacks also include attacks against industrial control systems (ICS). A security breach is one that results in the infiltration of a company’s core networks or enterprise systems. It does not include the plethora of attacks stopped by a company’s firewall defenses. DEFINING CYBER ATTACKS AND SECURITY BREACHES Copyright © 2019 Accenture. All rights reserved. 4
  5. 5. WITH AN EXPANDED THREAT LANDSCAPE AND NEW DIGITAL VULNERABILITIES, THE GLOBAL NUMBER OF SECURITY BREACHES INCREASED IN THE LAST YEAR Copyright © 2019 Accenture. All rights reserved. 5 Average number of security breaches in 2017 +11% Average number of security breaches in 2018 130134 breaches in Financial Services +13% 145152 breaches in Financial Services (56 breaches in Insurance, 154 for Banking /Capital Markets companies) For Financial Services year-over- year (27% since 2016)
  6. 6. IN FINANCIAL SERVICES, LARGEST INCREASE COME FROM THE NUMBER OF ORGANIZATIONS EXPERIENCING WEB-BASED ATTACKS Copyright © 2019 Accenture Security. All rights reserved. 6 Types of cyber attacks experienced by Financial Services companies (% increase 2017–2018) Web-based attacks are still an issue (+8%). People-based attacks, ransomware (+5%) are on the rise. 34% 45% 40% 52% 60% 64% 82% 76% 97% 35% 40% 54% 56% 56% 61% 74% 77% 94% Malicious insider (-1%) Ransomware (+5%) Stolen devices (-14%) Denial of service (-4%) Malicious code (+4%) Botnets (+3%) Web-based attacks (+8%) Phishing and social engineering (-1%) Malware (+3%) 2017 2018
  7. 7. Percentage spending levels by six IT security layers for Financial Services Companies Spending on the human layer is on the rise. But is the increase sufficient to cope with the fastest growing cyber attacks like ransomware? 7 THE APPLICATION AND PHYSICAL LAYERS HAVE EXPERIENCED THE LARGEST INCREASE Copyright © 2019 Accenture Security. All rights reserved. 20% 18% 11% 6% 7% 31% 24% 16% 14% 10% 5% Network layer Application layer Data layer Human layer Physical layer Host layer FY 2017 FY 2018 38%
  8. 8. MALICIOUS INSIDER ATTACKS ARE NOW THE MOST EXPENSIVE TO RESOLVE Copyright © 2019 Accenture Security. All rights reserved. 8 Types of cyber attacks experienced by Financial Services companies US$ (% increase 2017–2018) Another people-based attack, malicious insiders, leads the way as the costliest type of cyber attack to resolve, followed by malicious code (+81%). The cost of denial of services attacks are down 41% points. $1,981 $82,893 $34,074 $243,101 $84,954 $156,690 $157,891 $133,949 $8,838 $1,015 $89,686 $43,034 $169,059 $114,700 $196,610 $87,460 $227,865 $5,462 Botnets (+95%) Ransomware (-8%) Stolen devices (-21%) Malicious insider (+44%) Web-based attacks (-26%) Phishing and social engineering (-20%) Malicious code (+81%) Denial of service (-41%) Malware (+62%) 2017 2018
  9. 9. Length of time taken to resolve cyber attacks for Financial Services Companies Days (% increase 2017–2018) Other people-based attacks, like Phishing & Social Engineering (+22%) and Ransomware (+30%) have seen increases in the length of time to resolve. …AND ARE STILL TAKING LONGEST TO RESOLVE 9Copyright © 2019 Accenture Security. All rights reserved. 4.5 14.8 25.9 24.0 33.8 11.7 24.3 55.1 49.8 2.8 14.7 23.9 14.7 26.0 6.2 20.0 58.8 65.8 Botnets (+62%) Stolen devices (+1%) Web-based attacks (+9%) Denial of service (+63%) Ransomware (+30%) Malware (+89%) Phishing and social engineering (+22%) Malicious insider(-6%) Malicious code (-24%) 2017 2018
  10. 10. Organizations were asked to report their spend (costs) to discover, investigate, contain and recover from cyber attacks over four consecutive weeks. Also covered are the expenditures that result in after-the-fact activities and efforts to reduce business disruption and the loss of customers. These costs do not include outlays and investments made to sustain an organization’s security posture or compliance with standards, policies and regulations. Once compiled and validated, these costs were then grossed-up to determine the annualized cost. CALCULATING THE COST OF CYBERCRIME Copyright © 2019 Accenture. All rights reserved. 10
  11. 11. $7.6 $7.7 $9.5 $11.7 $13.0 $- $2.0 $4.0 $6.0 $8.0 $10.0 $12.0 $14.0 2014 2015 2016 2017 2018 Totalaveragecostofcybercrime (US$M) Copyright © 2019 Accenture Security. All rights reserved. 11 THE AVERAGE COST OF CYBERCRIME FOR AN ORGANIZATION INCREASED BY 12 PERCENT OVER THE YEAR TO US$13.0 MILLION +2% +23% +23% The GLOBAL average cost of cybercrime for companies in study US$ The increase over the last five years is 72%, or US$ 5.5 million, on average for companies in our study. The average cost of cyber crime in Financial Services in 2018: US$ 18.5 million +12%
  12. 12. Copyright © 2019 Accenture Security. All rights reserved. 12 THE COST OF CYBERCRIME IS INCREASING IN ALL COUNTRIES Change in cybercrime cost by country US$ millions (% increase 2017–2018) The average increase in cybercrime costs for the countries in our sample is +26%. The United Kingdom (31%), Japan (30%) and United States (29%) have the largest increases followed by Australia (+26%). The increase for Germany (18%) is less than half the increase in 2017 (42%). $6.79 $7.24 $8.01 $8.16 $9.25 $9.32 $9.72 $11.46 $13.12 $13.57 $27.37 $5.41 $6.73 $7.90 $8.74 $11.15 $10.45 $21.22 - $5M $10M $15M $20M $25M $30M Australia (+26%) Brazil* Italy (+19%) Spain* Canada* Singapore* France (+23%) United Kingdom (+31%) Germany (+18%) Japan (+30%) United States (+29%) 2017 2018Cost (US$ Millions)
  13. 13. Copyright © 2019 Accenture Security. All rights reserved. 13 THE COST OF CYBERCRIME CONTINUES TO RISE IN MOST INDUSTRIES Average annualized cost by industry sector US$ (million) Average cost of cybercrime = US$13.0 million $7.91 $8.15 $10.65 $10.91 $11.43 $11.82 $11.91 $13.74 $13.77 $18.50 $14.69 $15.78 $16.04 $17.84 $8.28 $7.05 $7.10 $6.47 $9.30 $12.47 $7.34 $10.41 $13.21 $18.28 $15.48 $10.70 $14.46 $16.85 - $2M $4M $6M $8M $10M $12M $14M $16M $18M $20M Public Sector Travel Communications & Media Life Sciences Retail Health Consumer Goods US Federal Energy Financial Services High Tech Automotive Software Utilities 2017 2018Cost (US$ Millions)
  14. 14. What is the economic value of improving cybersecurity protection worth to an organization? THEVALUEOF CYBERSECURITY
  15. 15. 0 2 4 6 8 10 12 14 16 18 The cost of cybercrime The value of cybersecurity $USmillion New revenue opportunity Savings in the cost of cybercrime The cost of cybercrime Copyright © 2019 Accenture Security. All rights reserved. 15 HOW MUCH IS IMPROVED CYBERSECURITY PROTECTION WORTH TO A BUSINESS? There is a positive correlation between size and cost. The bigger the organization the bigger the cost burden on them. But can improved cybersecurity protection create more economic value for businesses? Economic value includes savings in the cost of cybercrime plus new revenue opportunity. The economic value of improved cybersecurity protection Econometric modelling Historical analysis THE COST OF CYBERCRIME THE VALUE OF CYBERSECURITY 2014–2018 2019–2023
  16. 16. 23% 77% Value at risk: 2019–2023 (Value at Risk* due to direct and indirect attacks, Cumulative 2019–2023, US$t) * Expected loss of savings in cybersecurity spend and revenue opportunity over the next 5 years. Calculations over a sample of 4,700 global public companies. $5.2t Direct Attacks Indirect Attacks Copyright © 2019 Accenture Security. All rights reserved. 16 Value at risk by industry (US$Bn) Source: Accenture Research Value at risk by country (US$Bn) 47 70 110 147 209 219 223 257 283 305 340 347 347 385 505 642 753 Capital Markets Travel Transportation Chemicals Energy Utilities Nat. Res. Comms & Media Ind. Equip. Insurance Retail Health Banking CG&S Automative Life Sciences High Tech 97 100 133 133 137 172 216 347 532 1700 t Australia Spain Canada Brazil Italy France United Kingdom Germany Japan United States THE ECONOMIC VALUE AT RISK DUE TO CYBER ATTACKS OVER THE NEXT FIVE YEARS IS US$5.2 TRILLION GLOBALLY
  17. 17. Copyright © 2019 Accenture Security. All rights reserved. 17 THE ECONOMIC VALUE AT RISK PROVIDES A USEFUL BENCHMARK FOR SECURITY INVESTMENTS Average annualized cost by industry sector US$ (million) The average G2000 company revenue in 2018 was US$20 billion. Life sciences and high tech companies have the highest revenue at risk. Capital markets and industrial equipment companies have the lowest revenue at risk. Industry Revenue at Risk (CAGR 2019 – 2023) Global=2.8% 2018 Average G2000 Revenue (US$ M) Average annual revenue opportunity at risk 2019–2023 (US$ M) 2019 –2023 Cumulative revenue opportunity at risk (US$ M) Automotive 3.1% $20,000 $770 $3,851 Banking 2.4% $20,000 $570 $2,848 CG&S 3.4% $20,000 $738 $3,689 Capital Markets 1.5% $20,000 $365 $1,826 Chemicals 2.7% $20,000 $572 $2,859 Comms & Media 2.0% $20,000 $456 $2,282 High Tech 4.5% $20,000 $1,056 $5,278 Energy 2.1% $20,000 $352 $1,762 Health 3.7% $20,000 $1,156 $5,779 Industrial Equipment 1.5% $20,000 $368 $1,841 Insurance 3.9% $20,000 $949 $4,743 Life Sciences 5.6% $20,000 $1,475 $7,375 Natural Resources 2.6% $20,000 $541 $2,703 Retail 1.5% $20,000 $339 $1,695 Transportation 1.6% $20,000 $343 $1,715 Travel 1.5% $20,000 $378 $1,891 Utilities 2.9% $20,000 $579 $2,895
  18. 18. Prioritize technologies that reduce the costs and consequences of cybercrime to unlock future economic value. THEVALUEOF CYBERSECURITY
  19. 19. Percentage cost by consequence for Financial Services Companies Despite important decreases, information loss is a worrying trend with new regulation like the GDPR and CCPA to consider. 19 BUSINESS DISRUPTION IS NOW THE MOST EXPENSIVE CONSEQUENCE OF A CYBERCRIME Copyright © 2019 Accenture Security. All rights reserved. 35% 13% 0% 0% 38% 37% 21% 5% 0% Business disruption Information loss Revenue loss Equipment damages Other FY 2017 FY 2018 52%
  20. 20. Percentage cost by internal activities for Financial Services Companies Discovery and recovery spend highlight a significant cost-reduction opportunity for organizations that are able to systematically deploy security technologies to help facilitate the discovery-to- recovery cycle. 20 COMPANIES SPEND THE MOST ON DISCOVERY AND NOW THE LEAST ON RECOVERY ACTIVITIES Copyright © 2019 Accenture Security. All rights reserved. 13% 16% 30% 29% 25% 28% 18% Discovery Investigation Containment Recovery FY 2017 FY 2018 41%
  21. 21. 20% 24% 34% 40% 41% 42% 62% 53% 79% 29% 31% 26% 44% 52% 55% 62% 67% 71% Automated policy management (-9%) Extensive use of cyber analytics and UBA(-7%) Automation, AI and machine learning (+8%) Enterprise deployment of GRC (-4%) Extensive use of data loss prevention (-11%) Extensive use of cryptographic technologies (-13%) Advance perimeter controls (+0%) Advanced identity and access governance(-14%) Security intelligence and threat sharing(+8%) 2017 2018 SECURITY INTELLIGENCE AND THREAT SHARING IS FULLY DEPLOYED BY MORE COMPANIES THAN ANY OTHER SECURITY TECHNOLOGY Copyright © 2019 Accenture Security. All rights reserved. 21 The proportion of Financial Services companies who deploy nine key security technologies The deployment of automation, AI and machine learning and cyber analytics and user behavior analytics (UBA) are far too low.
  22. 22. Annual cost savings when deploying key technologies for Financial Services Companies US$ Copyright © 2019 Accenture Security. All rights reserved. 22 YET AUTOMATION, AI AND MACHINE LEARNING DELIVERS THE LARGEST COST SAVINGS WHEN FULLY DEPLOYED Rank $3,130,000 $2,700,000 $2,410,000 $1,600,000 $1,340,000 $1,260,000 $620,000 Automation, AI and machine learning Advanced identity and access governance Security intelligence and threat sharing Extensive use of cyber analytics and UBA Extensive use of cryptographic technologies Advanced perimeter controls Extensive use of data loss prevention Enterprise deployment of GRC Automated policy management $4,130,000 $3,820,000
  23. 23. 7.9% 10% 11,3% 12.7% 14.1% 14.4% 17.9% 0.0% 5.0% 10.0% 15.0% 20.0% 25.0% 30.0% Automated policy management Enterprise deployment of GRC Advanced perimeter controls Extensive use of data loss prevention Extensive use of cyber analytics and UBA Extensive use of cryptographic technologies Automation, AI and machine learning Advanced identity and access governance Security intelligence and threat sharing Estimated annual return on investment (ROI) Security intelligence and threat sharing Estimated ROI for key security technologies for Financial Services Companies The estimated average ROI for all nine categories of “enabling” security technologies is 14.1 percent. Copyright © 2019 Accenture Security. All rights reserved. 23 ADVANCED IDENTITY AND ACCESS MANAGEMENT HAS THE BIGGEST RETURN ON INVESTMENT Advanced identity and access management 22.5% 23.8%
  24. 24. Rank by spending levels and cost savings for key security technologies for Financial Services Companies Rank by % spending 1 = Lowest % spend 9 = Highest % spend Rank by cost savings 1 = Lowest % saving 9 = Highest % saving Security intelligence, automation and advanced analytics provide the largest positive value between investment and savings. Copyright © 2019 Accenture Security. All rights reserved. 24 INVESTMENT IS BEING MISDIRECTED TO SECURITY CAPABILITIES THAT DELIVER LESS 6 1 8 7 2 5 3 9 4 1 2 3 4 5 6 7 8 9 +5 -1 +5 +3 -3 -1 -4 +1 -5 Extensive use of cyber analytics and UBA Automated policy management Security intelligence and threat sharing Automation, AI and machine learning Enterprise deployment of GRC Extensive use of cryptographic technologies Extensive use of data loss prevention Advanced identity and access management Advanced perimeter controls Rank by percentage spending Rank by cost savings *Value Gap Positive value gaps: Areas where financial services companies should invest more to deliver cost savings Negative value gaps: Areas where financial services companies are overspending relative to cost savings
  25. 25. PRIORITIZE BREAKTHROUGH INNOVATIONS LIKE AI AUTOMATION AND ANALYTICS Copyright © 2019 Accenture Security. All rights reserved. 25 Place greater emphasis on protecting people due to the rise in phishing, ransomware and malicious insider attacks. Invest to prevent information loss and business disruption which are growing concerns with new privacy regulation like GDPR and CCPA. Use automation and advanced analytics to manage the rising cost to discover attacks which is the largest component of spend. 1 2 3 55 days The time to resolve malicious insiders attacks 38% of cost Business disruption the most expensive consequence of cybercrime 57% of spend Discovery and Containment are the largest elements of internal spend ORGANIZATIONS SHOULD:
  26. 26. About Accenture Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions—underpinned by the world’s largest delivery network —Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 482,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com Disclaimer This presentation is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals. UNLOCKINGTHEVALUEOFIMPROVED CYBERSECURITYPROTECTION NINTHANNUALCOSTOFCYBERCRIME STUDYIN FINANCIALSERVICES–2019REPORT

×