Asset managers and other financial service firms spend roughly $2,300 per full-time employee on cybersecurity a year, according to the results of a survey released Wednesday by Deloitte and the Financial Services Information Sharing and Analysis Center.
The survey report, "Pursuing Cybersecurity Maturity at Financial Institutions," reveals that banks, insurance companies, investment managers and other financial services companies spend between 6% and 14% of their annual information technology budget on cybersecurity, for an average of 10%. This equals roughly 0.2% to 0.9% of company revenue, or between $1,300 and $3,000 on cybersecurity per full-time or equivalent employee.
The report looked at various components of a financial institution's cybersecurity operation, including how it is organized and governed, who the chief information security officer reports to, the level of board interest in the CISO's work and which cyber capability areas were prioritized in terms of spending.
Responses from the survey reveal that larger firms allocated nearly one-fifth of their cybersecurity budget to identity and access management. This is nearly twice the percentage of smaller and midsize firms, which tend to spend more on endpoint and network security.
"Of course, money alone is not the answer — as we found in the study, higher cybersecurity spending doesn't necessarily translate into a higher cybersecurity maturity level," said Julie Bernard, a principal with Deloitte's risk and financial advisory unit and insurance sector leader for cyberrisk services at Deloitte & Touche, in a news release announcing the survey results. "While everyone is looking for an efficiency ratio for their cyber costs, how a security program is planned, executed and governed is as important, if not more."
The most successful programs exhibit several core traits, including setting a tone at the top of an organization, with both executives and the board; raising cybersecurity's profile beyond the IT department to give the security function higher-level attention and greater clout; and aligning cybersecurity efforts with the company's business strategy.
Survey respondents identified keeping up with the rapid changes and rising complexities of IT as the biggest challenge in managing cybersecurity, followed closely by business growth and expansion.
The survey was conducted in the fall of 2018 by FS-ISAC in conjunction with Deloitte's cyberrisk services practice. Ninety-seven companies participated, with 39% of those reporting revenue of more than $2 billion annually, while 23% were classified as midsize, with annual revenue between $500 million and $2 billion.