Cost of Cybercrime Study in Financial Services: 2019 Report

UNLOCKINGTHE
VALUEOF
IMPROVED
CYBERSECURITY
PROTECTION
NINTH ANNUAL
COST OF CYBERCRIME
STUDY IN FINANCIAL
SERVICES
2019 REPORT

• The average cost of cybercrime for an organization increased US$1.4M to US$13.0M.
• Phishing and social engineering (+16%), ransomware (+15%), and stolen devices (+15%)—
largely people-based attacks—show the biggest increases.
• Information theft is the most expensive consequence of cybercrime and companies spend
most on discovery activities.
Organizations spend more
than ever to deal with the
costs and consequences of
more sophisticated attacks.
• The threat landscape continues to expand with an increase in nation-state espionage,
supply chain and critical infrastructure threats.
• In the drive for growth and innovation, 79% of business leaders say new business models
introduce technology vulnerabilities faster than they can be secured.
• The average number of security breaches in the last year grew by 11% from 130 to 145.
The expanding threat
landscape and new business
innovation is leading to an
increase in cyber attacks.
• Place greater emphasis on protecting people to combat the rise in attacks against them.
• Prioritize technologies to limit information loss and disruption, the largest consequences
of cybercrime and a growing concern with new privacy regulation like the General Data
Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
• Use automation (including artificial intelligence (AI) and machine learning) and advanced
analytics to manage rising cost of discovering attacks, the largest component of spend.
Prioritize technologies that
reduce the consequences of
cybercrime to unlock future
economic value.
• Improving cybersecurity protection can reduce the cost of cybercrime and provide
additional revenue opportunities. A total of US$5.2 trillion over the next five years.
• This translates into additional revenue of 2.8 percent—or an average of US$580M
annually—in each of the next five years for an average G2000 company.
• This provides a useful benchmark to measure investments in cybersecurity protection.
What is the economic value
of improving cybersecurity
protection worth to an
organization?
GLOBAL COST OF CYBERCRIME STUDY
FINDINGS IN BRIEF
Copyright © 2019 Accenture. All rights reserved. 2

GLOBAL COST OF CYBERCRIME STUDY
11
US
UK
Japan
Germany
France
Brazil
Canada
Australia
Spain
Italy
Singapore
EXAMINING THE ECONOMIC IMPACT OF CYBER ATTACKS
355Companies
2,647
Jointly developed by:
Countries
Travel
Comm & Media
Life sciences
Retail
Health
Consumer
Goods
Public Sector
US Federal
Energy
High Tech
Insurance
Automotive
Software
Utilities
Banking / Capital
Markets
Annual
research
study
9th
16Industries
Interviews

What types of cyber attacks and security breaches are
included in this research?
We define cyber attacks as malicious activity conducted
against the organization through the IT infrastructure via
the internal or external networks or the Internet. Cyber
attacks also include attacks against industrial control
systems (ICS).
A security breach is one that results in the infiltration
of a company’s core networks or enterprise systems. It
does not include the plethora of attacks stopped by a
company’s firewall defenses.
DEFINING CYBER ATTACKS AND
SECURITY BREACHES

WITH AN EXPANDED THREAT LANDSCAPE AND
NEW DIGITAL VULNERABILITIES, THE GLOBAL
NUMBER OF SECURITY BREACHES INCREASED IN
THE LAST YEAR
Average number of
security breaches in 2017
+11%
Average number of
security breaches in 2018
130134 breaches in
Financial Services
+13%
145152 breaches in
Financial Services
(56 breaches in Insurance,
154 for Banking /Capital
Markets companies)
For Financial Services year-over-
year (27% since 2016)

IN FINANCIAL SERVICES, LARGEST INCREASE
COME FROM THE NUMBER OF ORGANIZATIONS
EXPERIENCING WEB-BASED ATTACKS
Copyright © 2019 Accenture Security. All rights reserved. 6
Types of cyber attacks
experienced by Financial
Services companies
(% increase 2017–2018)
Web-based attacks are
still an issue (+8%).
People-based attacks,
ransomware (+5%) are on
the rise.
34%
45%
40%
52%
60%
64%
82%
76%
97%
35%
40%
54%
56%
56%
61%
74%
77%
94%
Malicious insider (-1%)
Ransomware (+5%)
Stolen devices (-14%)
Denial of service (-4%)
Malicious code (+4%)
Botnets (+3%)
Web-based attacks (+8%)
Phishing and social engineering (-1%)
Malware (+3%)
2017 2018

Percentage spending
levels by six IT security
layers for Financial
Services Companies
Spending on the human
layer is on the rise. But is
the increase sufficient to
cope with the fastest
growing cyber attacks like
ransomware?
7
THE APPLICATION AND PHYSICAL LAYERS HAVE
EXPERIENCED THE LARGEST INCREASE
Copyright © 2019 Accenture Security. All rights reserved.
20%
18%
11%
6%
7%
31%
24%
16%
14%
10%
5%
Network layer Application layer Data layer Human layer Physical layer Host layer
FY 2017 FY 2018
38%

MALICIOUS INSIDER ATTACKS ARE NOW THE
MOST EXPENSIVE TO RESOLVE
Types of cyber attacks
experienced by Financial
Services companies
US$ (% increase 2017–2018)
Another people-based
attack, malicious insiders,
leads the way as the
costliest type of cyber
attack to resolve,
followed by malicious
code (+81%). The cost of
denial of services attacks
are down 41% points.
$1,981
$82,893
$34,074
$243,101
$84,954
$156,690
$157,891
$133,949
$8,838
$1,015
$89,686
$43,034
$169,059
$114,700
$196,610
$87,460
$227,865
$5,462
Botnets (+95%)
Ransomware (-8%)
Stolen devices (-21%)
Malicious insider (+44%)
Web-based attacks (-26%)
Phishing and social engineering (-20%)
Malicious code (+81%)
Denial of service (-41%)
Malware (+62%)
2017 2018

Length of time taken to
resolve cyber attacks for
Financial Services
Companies
Days (% increase 2017–2018)
Other people-based
attacks, like Phishing &
Social Engineering (+22%)
and Ransomware (+30%)
have seen increases in the
length of time to resolve.
…AND ARE STILL TAKING LONGEST TO RESOLVE
9Copyright © 2019 Accenture Security. All rights reserved.
4.5
14.8
25.9
24.0
33.8
11.7
24.3
55.1
49.8
2.8
14.7
23.9
14.7
26.0
6.2
20.0
58.8
65.8
Botnets (+62%)
Stolen devices (+1%)
Web-based attacks (+9%)
Denial of service (+63%)
Ransomware (+30%)
Malware (+89%)
Phishing and social engineering (+22%)
Malicious insider(-6%)
Malicious code (-24%)
2017 2018

Organizations were asked to report their spend
(costs) to discover, investigate, contain and
recover from cyber attacks over four consecutive
weeks. Also covered are the expenditures that result
in after-the-fact activities and efforts to reduce
business disruption and the loss of customers.
These costs do not include outlays and investments
made to sustain an organization’s security posture
or compliance with standards, policies and
regulations.
Once compiled and validated, these costs were
then grossed-up to determine the annualized cost.
CALCULATING THE
COST OF CYBERCRIME

$7.6 $7.7
$9.5
$11.7
$13.0
$-
$2.0
$4.0
$6.0
$8.0
$10.0
$12.0
$14.0
2014 2015 2016 2017 2018
Totalaveragecostofcybercrime
(US$M)
THE AVERAGE COST OF CYBERCRIME FOR AN
ORGANIZATION INCREASED BY 12 PERCENT
OVER THE YEAR TO US$13.0 MILLION
+2%
+23%
+23%
The GLOBAL average
cost of cybercrime for
companies in study
US$
The increase over the last
five years is 72%, or US$
5.5 million, on average
for companies in our
study.
The average cost of cyber
crime in Financial
Services in 2018: US$
18.5 million
+12%

THE COST OF CYBERCRIME IS
INCREASING IN ALL COUNTRIES
Change in cybercrime
cost by country
US$ millions
(% increase 2017–2018)
The average increase in
cybercrime costs for the
countries in our sample is
+26%. The United
Kingdom (31%), Japan
(30%) and United States
(29%) have the largest
increases followed by
Australia (+26%).
The increase for Germany
(18%) is less than half the
increase in 2017 (42%).
$6.79
$7.24
$8.01
$8.16
$9.25
$9.32
$9.72
$11.46
$13.12
$13.57
$27.37
$5.41
$6.73
$7.90
$8.74
$11.15
$10.45
$21.22
- $5M $10M $15M $20M $25M $30M
Australia (+26%)
Brazil*
Italy (+19%)
Spain*
Canada*
Singapore*
France (+23%)
United Kingdom
(+31%)
Germany (+18%)
Japan (+30%)
United States (+29%)
2017 2018Cost (US$ Millions)

THE COST OF CYBERCRIME CONTINUES TO RISE
IN MOST INDUSTRIES
Average annualized cost
by industry sector
US$ (million)
Average cost of cybercrime
= US$13.0 million
$7.91
$8.15
$10.65
$10.91
$11.43
$11.82
$11.91
$13.74
$13.77
$18.50
$14.69
$15.78
$16.04
$17.84
$8.28
$7.05
$7.10
$6.47
$9.30
$12.47
$7.34
$10.41
$13.21
$18.28
$15.48
$10.70
$14.46
$16.85
- $2M $4M $6M $8M $10M $12M $14M $16M $18M $20M
Public Sector
Travel
Communications & Media
Life Sciences
Retail
Health
Consumer Goods
US Federal
Energy
Financial Services
High Tech
Automotive
Software
Utilities
2017 2018Cost (US$ Millions)

What is the economic value
of improving cybersecurity
protection worth to an
organization?
THEVALUEOF
CYBERSECURITY

0
2
4
6
8
10
12
14
16
18
The cost of cybercrime The value of cybersecurity
$USmillion
New revenue
opportunity
Savings in the cost of
cybercrime
The cost of cybercrime
HOW MUCH IS IMPROVED CYBERSECURITY
PROTECTION WORTH TO A BUSINESS?
There is a positive
correlation between size
and cost. The bigger the
organization the bigger
the cost burden on them.
But can improved
cybersecurity protection
create more economic
value for businesses?
Economic value includes
savings in the cost of
cybercrime plus new
revenue opportunity.
The economic
value of
improved
cybersecurity
protection
Econometric
modelling
Historical
analysis
THE COST OF CYBERCRIME THE VALUE OF CYBERSECURITY
2014–2018 2019–2023

23%
77%
Value at risk: 2019–2023
(Value at Risk* due to direct and indirect attacks,
Cumulative 2019–2023, US$t)
* Expected loss of savings in
cybersecurity spend and revenue
opportunity over the next 5 years.
Calculations over a sample of 4,700
global public companies.
$5.2t
Direct
Attacks
Indirect
Attacks
Value at risk by industry (US$Bn)
Source: Accenture Research
Value at risk by country (US$Bn)
47
70
110
147
209
219
223
257
283
305
340
347
347
385
505
642
753
Capital Markets
Travel
Transportation
Chemicals
Energy
Utilities
Nat. Res.
Comms & Media
Ind. Equip.
Insurance
Retail
Health
Banking
CG&S
Automative
Life Sciences
High Tech
97
100
133
133
137
172
216
347
532
1700 t
Australia
Spain
Canada
Brazil
Italy
France
United Kingdom
Germany
Japan
United States
THE ECONOMIC VALUE AT RISK DUE TO CYBER
ATTACKS OVER THE NEXT FIVE
YEARS IS US$5.2 TRILLION GLOBALLY

THE ECONOMIC VALUE AT RISK PROVIDES
A USEFUL BENCHMARK FOR SECURITY
INVESTMENTS
Average annualized cost
by industry sector
US$ (million)
The average G2000
company revenue in 2018
was US$20 billion.
Life sciences and high tech
companies have the highest
revenue at risk.
Capital markets and
industrial equipment
companies have the lowest
revenue at risk.
Industry
Revenue at Risk
(CAGR 2019 –
2023)
Global=2.8%
2018 Average
G2000 Revenue
(US$ M)
Average annual
revenue opportunity
at risk 2019–2023
(US$ M)
2019 –2023
Cumulative revenue
opportunity at risk
(US$ M)
Automotive 3.1% $20,000 $770 $3,851
Banking 2.4% $20,000 $570 $2,848
CG&S 3.4% $20,000 $738 $3,689
Capital Markets 1.5% $20,000 $365 $1,826
Chemicals 2.7% $20,000 $572 $2,859
Comms & Media 2.0% $20,000 $456 $2,282
High Tech 4.5% $20,000 $1,056 $5,278
Energy 2.1% $20,000 $352 $1,762
Health 3.7% $20,000 $1,156 $5,779
Industrial Equipment 1.5% $20,000 $368 $1,841
Insurance 3.9% $20,000 $949 $4,743
Life Sciences 5.6% $20,000 $1,475 $7,375
Natural Resources 2.6% $20,000 $541 $2,703
Retail 1.5% $20,000 $339 $1,695
Transportation 1.6% $20,000 $343 $1,715
Travel 1.5% $20,000 $378 $1,891
Utilities 2.9% $20,000 $579 $2,895

Prioritize technologies that
reduce the costs and
consequences of cybercrime to
unlock future economic value.
THEVALUEOF
CYBERSECURITY

Percentage cost by
consequence for Financial
Services Companies
Despite important
decreases, information loss
is a worrying trend with new
regulation like the GDPR and
CCPA to consider.
19
BUSINESS DISRUPTION IS NOW THE MOST
EXPENSIVE CONSEQUENCE OF A CYBERCRIME
35%
13%
0% 0%
38%
37%
21%
5%
0%
Business disruption Information loss Revenue loss Equipment damages Other
FY 2017 FY 2018
52%

Percentage cost by
internal activities for
Financial Services
Companies
Discovery and recovery
spend highlight a
significant cost-reduction
opportunity for
organizations that are
able to systematically
deploy security
technologies to help
facilitate the discovery-to-
recovery cycle.
20
COMPANIES SPEND THE MOST ON DISCOVERY
AND NOW THE LEAST ON RECOVERY ACTIVITIES
13%
16%
30%
29%
25%
28%
18%
Discovery Investigation Containment Recovery
FY 2017 FY 2018
41%

20%
24%
34%
40%
41%
42%
62%
53%
79%
29%
31%
26%
44%
52%
55%
62%
67%
71%
Automated policy management (-9%)
Extensive use of cyber analytics and UBA(-7%)
Automation, AI and machine learning (+8%)
Enterprise deployment of GRC (-4%)
Extensive use of data loss prevention (-11%)
Extensive use of cryptographic technologies (-13%)
Advance perimeter controls (+0%)
Advanced identity and access governance(-14%)
Security intelligence and threat sharing(+8%)
2017 2018
SECURITY INTELLIGENCE AND THREAT SHARING
IS FULLY DEPLOYED BY MORE COMPANIES THAN
ANY OTHER SECURITY TECHNOLOGY
The proportion of
Financial Services
companies who deploy
nine key security
technologies
The deployment of
automation, AI and
machine learning and
cyber analytics and user
behavior analytics (UBA)
are far too low.

Annual cost savings
when deploying key
technologies for
Financial Services
Companies
US$
YET AUTOMATION, AI AND MACHINE LEARNING
DELIVERS THE LARGEST COST SAVINGS WHEN
FULLY DEPLOYED
Rank
$3,130,000
$2,700,000
$2,410,000
$1,600,000
$1,340,000
$1,260,000
$620,000
Automation, AI and machine learning
Advanced identity and access governance
Security intelligence and threat sharing
Extensive use of cyber analytics and UBA
Extensive use of cryptographic technologies
Advanced perimeter controls
Extensive use of data loss prevention
Enterprise deployment of GRC
Automated policy management
$4,130,000
$3,820,000

7.9%
10%
11,3%
12.7%
14.1%
14.4%
17.9%
0.0% 5.0% 10.0% 15.0% 20.0% 25.0% 30.0%
Advanced identity and access governance
Estimated annual return on investment (ROI)
Estimated ROI for key
security technologies for
Financial Services
Companies
The estimated average
ROI for all nine categories
of “enabling” security
technologies is 14.1
percent.
ADVANCED IDENTITY AND ACCESS
MANAGEMENT HAS THE BIGGEST RETURN ON
INVESTMENT
Advanced identity and access management
22.5%
23.8%

Rank by spending levels and
cost savings for key security
technologies for Financial
Services Companies
Rank by % spending
1 = Lowest % spend
9 = Highest % spend
Rank by cost savings
1 = Lowest % saving
9 = Highest % saving
Security intelligence, automation
and advanced analytics provide
the largest positive value
between investment and savings.
INVESTMENT IS BEING MISDIRECTED TO
SECURITY CAPABILITIES THAT DELIVER LESS
6
1
8
7
2
5
3
9
4
1
2
3
4
5
6
7
8
9
+5
-1
+5
+3
-3
-1
-4
+1
-5
Advanced identity and access management
Rank by percentage spending Rank by cost savings
*Value
Gap
Positive value gaps: Areas where financial services companies should invest more to deliver cost savings
Negative value gaps: Areas where financial services companies are overspending relative to cost savings

PRIORITIZE BREAKTHROUGH INNOVATIONS
LIKE AI AUTOMATION AND ANALYTICS
Place greater emphasis on protecting people
due to the rise in phishing, ransomware and
malicious insider attacks.
Invest to prevent information loss and business
disruption which are growing concerns with
new privacy regulation like GDPR and CCPA.
Use automation and advanced analytics to
manage the rising cost to discover attacks
which is the largest component of spend.
1
2
3
55 days
The time to resolve malicious
insiders attacks
38% of cost
Business disruption the most
expensive consequence
of cybercrime
57% of spend
Discovery and Containment
are the largest elements of
internal spend
ORGANIZATIONS SHOULD:

About Accenture
Accenture is a leading global professional
services company, providing a broad range
of services and solutions in strategy,
consulting, digital, technology and
operations. Combining unmatched
experience and specialized skills across
more than 40 industries and all business
functions—underpinned by the world’s
largest delivery network —Accenture works
at the intersection of business and
technology to help clients improve their
performance and create sustainable value
for their stakeholders. With more than
482,000 people serving clients in more
than 120 countries, Accenture drives
innovation to improve the way the world
works and lives. Visit us at
www.accenture.com
Disclaimer
This presentation is intended for general
informational purposes only and does not
take into account the reader’s specific
circumstances, and may not reflect the most
current developments. Accenture disclaims,
to the fullest extent permitted by applicable
law, any and all liability for the accuracy and
completeness of the information in this
presentation and for any acts or omissions
made based on such information. Accenture
does not provide legal, regulatory, audit, or
tax advice. Readers are responsible for
obtaining such advice from their own legal
counsel or other licensed professionals.
UNLOCKINGTHEVALUEOFIMPROVED
CYBERSECURITYPROTECTION
NINTHANNUALCOSTOFCYBERCRIME STUDYIN
FINANCIALSERVICES–2019REPORT

Cost of Cybercrime Study in Financial Services: 2019 Report

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cost of Cybercrime Study in Financial Services: 2019 Report

Similar to Cost of Cybercrime Study in Financial Services: 2019 Report (20)

More from accenture

More from accenture (20)

Recently uploaded

Recently uploaded (20)

Cost of Cybercrime Study in Financial Services: 2019 Report