Cyber security is at, or near the top of, most firms’ list of concerns. And if it’s not, it should be. The UK Government has classified cyber security as a “tier 1” threat, on a par with international terrorism. The tenth annual Cost of Data Breach Study, conducted by Ponemon Institute and sponsored by IBM, found that the average consolidated total cost of a data breach is now $3.8 million, up 23% on 2013. The study also found that the cost incurred for each lost or stolen record containing sensitive and confidential information went up 6% from a consolidated average of $145 to $154. The USA Today, meanwhile, reported that an FBI official recently claimed that over 500 million records have been stolen from US financial institutions over the past year as a result of cyber attacks.
The dangers are particularly pronounced in corporate finance, one of the UK’s primary economic activities. Corporate finance covers Mergers and Acquisitions, buyouts, venture capital and IPOs, areas in which there is a vast amount of commercially sensitive or otherwise confidential information being shared between disparate parties. The sector was worth a total of £216.8 billion to the UK in 2013, and was a major driver of entrepreneurship, innovation and business expansion. Of such importance is the sector to the economy, the Government last year launched a review led by David Willetts that called on firms to make cyber security a higher priority during transactions.
It is not just the monetary impact of a data breach for financial institutions, the reputational effects can be equally as damaging. Cyber attacks have caused massive hits to stocks prices, with Citigroup, Bank of America and Wells Fargo dropping by between 0.4% and 0.9% in their stock prices as a result of attacks, and JPMorgan Chase’s fell by 1%. Financial institutions are subsequently spending vast sums of money on cyber security, reaching into the hundreds of millions, although even this is not the highest cost of a breach, with customer reimbursements and audit and consulting services costing institutions even more. The size and complexity of financial institutions also makes security a mammoth task, with holes inevitably being left in spite of the huge investment.
The attacks show no sign of abating, with the costs to hackers of launching them negligible. Mark Clancy, the chief executive of Soltra, a cross-party collaboration of banks and regulators to automate intelligence sharing, told the Telegraph: “It’s very inexpensive to launch an attack, [hackers] can build one thing and then use it to attack bank one, bank two, bank three and bank four the same way.” The forces at work are also often, according to experts, at least being supported by large nation states such as Russia, clouding the issue in geo-politics. Hackers are agile, fast moving, and have limited costs. For banks operating incredibly complex systems, awash with valuable information to hackers, and of such importance to their economy, they are a prime target for disruption by countries looking to do harm to another nation. So much so, it could be that no amount of regulation or investment will see the problem completely eradicated.