How CXOs View the Risks and Rewards of Cybersecurity
Most CEOs and CFOs in the financial industry will tell you that cybersecurity isn’t cheap. And it’s true — a recent study by Deloitte found that, on average, financial services companies spend 10% of their IT budgets on cybersecurity. A commonly held view among executives is that cybersecurity spending is an expensive precaution. The challenge for IT professionals is to help reframe that discussion with their C-level team and position cybersecurity as an investment, not an expense.
Balancing the Rewards and the Risks
The first question many C-level executives ask when allocating budgets is ‘how will this help grow the business?’ For example, CFOs will invest in increasing production, acquiring new customers, or bringing new products to market faster. At the same time, they’ll seek to contain costs in areas that don’t directly contribute to the revenue line.
A second and equally important consideration is risk. CXOs will ask, ‘what are the circumstances that could prevent us from achieving our business goals, and how do we minimize or eliminate them?’
There are many nuances to the risk discussion. What is the nature of the risk? Security risks run the gamut from vulnerabilities in cloud platforms, web applications and email services to insiders or attackers who already have a foothold in your environment. Next, how likely is each risk event to occur? What are its financial and operational impacts? What will it cost to address? Finally, does the benefit of mitigating the risk outweigh that cost?
IT professionals should be prepared to have fact-based discussions with their executive team when reviewing cybersecurity requirements. Industry-specific data, such as the frequency and impact of cyberattacks or the cost of downtime, is always helpful.
Assessing Cybersecurity Risks for Alternative Asset Providers
Here are four industry-specific facts that will help position the security risk discussion with your executive team:
Financial services firms are 300 times as likely as other companies to be targeted by a cyberattack. This finding from the Boston Consulting Group is echoed by the 2021 IBM X-Force Intelligence Report, which states, “Financial institutions experienced 23% of all attacks we analyzed in 2020, up from the 17% of attacks the sector experienced in 2019.”
The probability of a cyberattack is very high for financial services companies. A survey of the UK financial sector found that 70% of financial companies have experienced a cyber security incident in the past year.
The threat is escalating. Attacks targeted at the financial sector increased by 238% between February and April 2020, and ransomware attacks on the financial industry increased ninefold.
The costs are unbearably high. According to IBM's 2020 Cost of a Data Breach report, a data breach cost organizations an average of $3.86 million and took an average of 207 days to identify. Accenture projects that cyberattacks on banks in 2020 and beyond will cost banks $347 billion and capital markets $47 billion by 2024.
Cybersecurity as an Investment
While the impact of cyberattacks is all too apparent for the financial industry, articulating the business benefits of cybersecurity can help C-level executives justify budget and resource allocations. These potential benefits include:
Reduced downtime. Ransomware attacks almost always result in downtime or service interruptions. A recent Ransomware Marketplace report found that the average ransomware incident lasts 16.2 days. Every organization calculates downtime costs differently, but for perspective, the Gartner Group estimates average downtime costs at over $300,000 per hour.
Brand Protection. No financial services company wants to be in the news for a services outage or significant data breach. A robust cybersecurity infrastructure can minimize the frequency and impact of attacks and help protect and elevate the organization’s brand.
Customer Retention. Effective cybersecurity protects a company’s greatest asset — its data. Customers are less likely to do business with an organization that has been compromised, and the reverse also holds: a firm with an excellent cybersecurity track record is more likely to retain and even grow its customer base.
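The risk questions above (likelihood, impact, cost to mitigate, and whether the benefit outweighs the cost) and the downtime and breach figures cited in this article can be turned into the arithmetic a CFO actually reviews: annualized loss expectancy (ALE) before and after a control, and return on security investment (ROSI). The script below is an added example, not code from the original article or from Thrive. The $3.86 million breach cost, the 70% annual incident rate, the 16.2-day ransomware duration and the $300,000-per-hour downtime figure are the ones this page cites; every other number in the constructed register (residual rates, control costs, business hours per day, the physical-security line) is an illustrative assumption.

```python
"""Annualized loss expectancy (ALE) and return on security investment (ROSI)
for a board-level cybersecurity budget discussion.

Added example, not from the original article. Figures marked (page) are the
ones the article cites; everything else is an illustrative assumption.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float           # single loss expectancy: USD lost if the event occurs once
    aro_before: float    # annual rate of occurrence without the proposed control
    aro_after: float     # annual rate of occurrence with the control in place (assumed)
    control_cost: float  # annual cost of the control in USD (assumed)


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy: expected loss per year = SLE x ARO."""
    return sle * aro


def downtime_loss(days: float, hours_per_day: float, cost_per_hour: float) -> float:
    """Outage cost for an incident lasting `days`, counting only the hours the
    business actually operates each day."""
    return days * hours_per_day * cost_per_hour


def max_justifiable_spend(risk: Risk) -> float:
    """Loss the control is expected to avoid per year; spending more than this
    on the control can never pay back."""
    return ale(risk.sle, risk.aro_before) - ale(risk.sle, risk.aro_after)


def net_annual_benefit(risk: Risk) -> float:
    """Loss avoided per year minus what the control costs per year."""
    return max_justifiable_spend(risk) - risk.control_cost


def rosi(risk: Risk) -> float:
    """Return on security investment as a ratio of the control's annual cost:
    +1.0 means the control avoids twice what it costs, below 0 it loses money."""
    return net_annual_benefit(risk) / risk.control_cost


def prioritize(risks: List[Risk]) -> List[str]:
    """Control names ordered by net annual benefit, highest first, so the
    budget conversation starts with the investments that pay back most."""
    return [r.name for r in sorted(risks, key=net_annual_benefit, reverse=True)]


# Constructed risk register for illustration.
REGISTER = [
    Risk(
        name="data breach / identity and access hardening",
        sle=3_860_000,          # (page) IBM 2020 average data breach cost
        aro_before=0.70,        # (page) 70% of UK financial firms had an incident in a year
        aro_after=0.35,         # assumed: the control halves the rate
        control_cost=600_000,   # assumed
    ),
    Risk(
        name="ransomware / backup and recovery program",
        sle=downtime_loss(
            days=16.2,              # (page) average ransomware incident length
            hours_per_day=8,        # assumed: only business hours are lost
            cost_per_hour=300_000,  # (page) Gartner downtime estimate
        ),
        aro_before=0.10,        # assumed: one incident per decade
        aro_after=0.02,         # assumed
        control_cost=900_000,   # assumed
    ),
    Risk(
        name="gold-plated physical security upgrade",
        sle=250_000,            # assumed
        aro_before=0.05,        # assumed
        aro_after=0.04,         # assumed
        control_cost=400_000,   # assumed: costs far more than it avoids
    ),
]


def report(risks: List[Risk] = REGISTER) -> None:
    """Print the register the way it would appear in a budget deck."""
    for r in risks:
        print(r.name)
        print(f"  ALE before : ${ale(r.sle, r.aro_before):>14,.0f}/yr")
        print(f"  ALE after  : ${ale(r.sle, r.aro_after):>14,.0f}/yr")
        print(f"  control    : ${r.control_cost:>14,.0f}/yr")
        print(f"  net benefit: ${net_annual_benefit(r):>14,.0f}/yr   ROSI {rosi(r):+.2f}")
    print("priority order:", " > ".join(prioritize(risks)))


if __name__ == "__main__":
    report()
```

The point of the third register line is the one executives care about: a control is not an investment merely because it is security spending. If the loss it avoids each year is smaller than its annual cost, ROSI is negative and the money belongs elsewhere; the `max_justifiable_spend` figure is the ceiling to quote when a vendor proposal is on the table.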
Taking a Long-Term Approach
Aligning cybersecurity requirements with business objectives is only the first step in establishing an effective security infrastructure. Cyber threats are rapidly evolving, and external events can create new paradigms that impact security requirements. Who would have thought two years ago that today, much of the financial workforce would be working from home?
It is essential to regularly assess your security strategy, priorities, and alignment with business objectives. Ongoing engagement with your executive team is critical, as is a proactive approach. Once a severe cyberattack impacts your organization, it’s too late.
Another proactive option for addressing risk is cyber security insurance. Also called cyber liability insurance, this is a policy that offers businesses a range of options to cover the expenses associated with data breaches and other cyber attacks. These can include costs for: recovering compromised data, lost income, notifying impacted customers, and restoring affected systems.
While cyber security insurance does not make you whole after an incident, it can reduce your out-of-pocket expenses. Many cyber insurance plans also cover pre-claim expenses to help mitigate a risk before it becomes an incident, and insurers increasingly expect baseline controls to be in place before they will write a policy.
Partnering with a Trusted MSP
With the exception of larger funds (above $8B AUM), most alternative investment firms operate without a CTO or CIO, and most funds under $30B AUM do not employ a CISO. Even those that do may lack the in-house resources and expertise to build and sustain a strong security infrastructure.
An experienced managed service provider (MSP) can deliver services that you may not have the capability to carry out alone. For example, vulnerability assessments systematically review your environment for security weaknesses. Penetration tests evaluate your infrastructure by safely exploiting those weaknesses, the way a real attacker would but under agreed rules of engagement. And risk remediation analysis (RRA) prioritizes the fixes that most reduce your exposure to the attacker tactics, techniques, and procedures (TTPs) relevant to your firm.
A valued MSP like Thrive NextGen is also well-versed in investor needs and concerns. We help firms anticipate and respond to investor questions about cybersecurity and data protection requirements. Our experienced team has deep domain expertise in the alternative asset industry and can assist in aligning your security requirements with your business strategy and objectives.
With every decision, your C-level team must recognize and prioritize risk before you can reap the benefits. This is particularly true when assessing cybersecurity requirements. That’s why many leading alternative asset companies choose Thrive to help align business and cybersecurity requirements and keep their organizations secure.