Financial Crime World

Financial Institutions’ Cybersecurity Strategies: A Mixed Bag

A recent study by Deloitte highlights the varying approaches to cybersecurity among financial services institutions (FSIs), with some adopting a centralized approach and others opting for a hybrid model. The study also reveals differences in budget allocation, reporting structures, and priorities among large, midsize, and small FSIs.

Centralized vs. Hybrid Approach

While two-thirds of respondents from the largest participating companies reported a centralized approach to cybersecurity, those from smaller institutions were more likely to adopt a hybrid model. This suggests that larger FSIs may have the resources to dedicate a team solely to cybersecurity, while smaller organizations may need to rely on shared responsibilities across different departments.

Budget Allocation

The study found that FSIs are prioritizing innovation and emerging technologies in their cybersecurity budgets. Cloud, data analytics, and social media were among the top areas of investment for large firms. However, there was a noticeable difference in budget allocation between smaller and larger institutions, with smaller FSIs allocating a greater proportion of their budget to traditional IT security measures.

Reporting Structures

The study highlighted variations in reporting structures among FSIs. While some CISOs (Chief Information Security Officers) reported directly to the CEO or board, others were more likely to report to the CIO (Chief Information Officer). This suggests that there is no one-size-fits-all approach to cybersecurity leadership and that each institution should consider its unique needs when determining reporting structures.

Priorities

The study identified mobile, cloud, and data analytics as top priorities for adoption among FSIs in the next two years. Embedding cyber defenses into new digital initiatives was also cited as a key business issue with security implications.

Recommendations for Improvement

To improve their cybersecurity capabilities, FSIs are advised to:

  • Proactively engage the board: Provide board members with details on how management is addressing cyber risk.
  • Engage the entire organization in cybersecurity: Ensure that everyone understands and embodies their role and responsibilities in detecting intrusions and maintaining good security hygiene.
  • Provide multiple lines of defense: Embed cybersecurity practices and personnel within business units and regional offices to support central teams.
  • Alter CISO responsibilities: Encourage CISOs to spend more time as strategists and advisors, rather than solely focusing on tactical roles.

Conclusion

The study highlights the need for FSIs to continually adapt to evolving cyber threats. While benchmarks can provide a starting point for assessing cybersecurity readiness, remaining secure, vigilant, and resilient also requires collaboration with broader communities facing similar challenges. By learning from peers’ experiences and working together, FSIs can stay ahead of the curve in protecting their people and systems.

About Deloitte Center for Financial Services

The Deloitte Center for Financial Services provides thought leadership and insights to help financial institutions address complex challenges and opportunities. With a focus on innovation, risk management, and customer experience, the center offers research, analysis, and solutions to support the financial services industry’s continued growth and success.