Banks’ Cyber Attacks up 4x in 4 Years, Spending to grow at least 12%/yr for Next 5 Years

Cyber security has become one of the most important issues in this year’s election, with the leak of hacked emails and the potential for electronic vote tampering commanding the spotlight in recent months. WikiLeaks, foreign hackers, and cyberwarfare have influenced the national conversation and the campaigns. In the first presidential debate, both candidates stressed that cyber security is a top priority for the next President of the United States.

These types of politically motivated hacks – such as those that plagued the DNC and the email accounts of Clinton campaign staffers – are generally ‘state-sponsored information security breaches’ designed to give the attacker a political or military advantage. A different sort of hack is carried out by non-state ‘independent hackers’ whose purpose is usually financial gain, or occasionally political protest.

According to IBM’s X-Force 2016 Cyber Security Intelligence Report, the healthcare, financial, and manufacturing sectors were the top three targets of cyber attacks in the past year. However, the financial sector has traditionally been a particularly sweet spot for hackers, given the availability of financial details and identity data in one place. This problem will likely intensify as the tools that bad actors use to target their victims become more easily available and cheaper to deploy at scale. Cybersecurity is already a threat that is impacting international events, as well as businesses and ordinary people who are subjected to fraud, identity theft, and ransomware attacks among other crimes.

Mentions of Cyber Attacks have increased four-fold since 2012:
Using Sentieo’s Document Search features to search for the terms “Information Security”, “Infosec” and “Cyber Security” in documents related to companies in the finance sector, we discovered that mentions of these terms have increased four-fold since 2012, as seen in the graph below. The companies that mention it most prolifically include Goldman Sachs, Morgan Stanley, JP Morgan, Citibank, Wells Fargo and Bank of America.

Information Security Spending is Increasing Sharply:
The growing threat of cyber attacks has prompted businesses to increase spending on cyber defense. According to a Homeland Security Research Corp. (HSRC) report on Banking & Financial Services Cybersecurity, the U.S. financial services infosec market in 2015 was the largest non-government information security market at an estimated $9.5 bn. The report also predicted this sector to be the fastest growing non-government security market, racking up a cumulative cyber security spend of $77 bn from 2015-20.

All major banks and financial companies have been investing heavily in both internal and external capabilities to prevent cyber attacks. According to HSRC, J.P. Morgan Chase & Co., Bank of America, Citigroup, and Wells Fargo accounted for roughly 15% of the financial sector’s total cyber security spending.
Information security spending by banks in particular has gone up since 2012. Mike Loughlin, Senior EVP and Chief Risk Officer of Wells Fargo, cautiously described the increase in security spending:


Brian Moynihan, Chairman and CEO of BoA, notes that the bank’s cyber security spend is around $500 mn per year.

Attacks such as the 2014 JP Morgan breach have the potential to increase spending in this area even further. In that breach, believed to be the largest attack on the financial sector to date, 76 mn households and 7 mn small businesses were compromised in an attack on JP Morgan’s databases. Although no money was taken, the exposure of account holders’ personal info has the potential to drive secondary attacks such as identity theft, and to drive away customers. As a result, JP Morgan set aside $250 mn in 2014, $500 mn in 2015 and $600 mn in 2016 for cyber security efforts.
According to Marianne Lake, CFO of JP Morgan Chase & Co:

Not only are financial companies investing in their internal capabilities to combat cyber crimes, they are also investing in cyber security startups. According to CB Insights, crossover investments in cyber security startups increased to 25 in 2015 from 5 in 2012. Crossover investors are mainly focused on public markets, but occasionally invest in startups alongside VCs, and cyber security is a sector that is drawing a disproportionate amount of this investment.

For example, Goldman Sachs recently invested in Ionic Security, a data protection startup. In 2015, GS invested $35 mn in iboss Cybersecurity, a cloud-based security platform. And earlier this year, we saw Fidelity invest $50 mn in Malwarebytes, a malware prevention and remediation solution.

Stronger Together:
In light of growing threats from cyber attacks, the Cybersecurity Information Sharing Act (CISA) was adopted in December 2015 with the purpose of improving cyber security through increased information sharing between corporations and government. Additional public-private efforts, and cooperation between competitors such as the major banks to identify and cut off threats, are key parts of the effort to combat large-scale cyber crime.

According to a Wall Street Journal article, in August 2016 eight banks including J.P. Morgan, Goldman Sachs and Bank of America announced they had formed an alliance to fight cyber crime. Though this partnership is still nascent, through it the banks will share information regarding cyber threats, conduct simulated attacks, and prepare comprehensive responses for attacks which cut across corporate lines.

What Comes Next
Threats are on the rise. Bad actors aren’t going away. Expect to see coordinated efforts amongst corporations, as well as public-private and international efforts focused on increased cooperation and information sharing, to take center stage in the coming months. Cyber security spending in many sectors of the economy has the potential to continue to increase for the foreseeable future. The threat from bad actors is constantly evolving, and the only way to stay one step ahead is to continuously and rigorously invest in security and innovation.
