Financial Execs May Be Overconfident About Cyber Security, Survey Shows

Cyber security is crucial for today’s financial services professionals — at this point, almost everyone understands that. Yet some firms may still be underprepared for serious cyber attacks and the damage they can cause.

A new survey of financial executives found that many overestimate the cyber protections their companies have put in place. The report explores how this situation could actually increase the risk of future incidents and lead companies to take on large, avoidable losses. Here’s what to know, plus steps you can take to improve the cyber security of your firm.

New Survey Results and Analysis

The new survey from Kroll, the New York-based consulting firm, polled 180 CFOs, CEOs and other financial executives worldwide who directly manage the cyber security budgeting and information security planning for their companies. Kroll wanted to find out how leaders felt about their cyber security efforts as well as how their companies had fared against real cyber threats.

The vast majority reported they were highly confident in their company’s cyber security capabilities. But there was a small problem with that self-assessment — many of the same CFOs also reported critical cyber safety deficiencies at their firms and a history of recent cyber attacks that had caused significant losses. Here are the details:

  • A total of 87% of the CFOs surveyed expressed high confidence in their cyber security practices, but 40% also admitted to never having received a briefing from their information security leadership.
  • When it came to significant cyber incidents, 79% reported at least one in the last 18 months that resulted in data compromises or financial losses. Three or more serious cyber incidents were reported by 61%, and a worrying 13% reported 10 or more such incidents.
  • The total financial impact was significant, with 89% of companies facing cyber incident costs of $1 million or more over the last 18 months. Eighteen percent reported a cost of $1–5 million, 24% saw costs of $5–10 million, 32% lost $10–25 million and 16% said their impact was over $25 million. Additionally, seven out of ten executives polled told Kroll their companies had suffered a valuation loss of 5% or more.

In a positive move, 78% of the CFOs surveyed told Kroll they do plan on increasing their IT budget for the next fiscal year, and 45% of these executives say budgets will be boosted by 10% or more. However, the report also notes that only around 10–15% of total IT budgets are spent on cyber security, which may not be enough given the threat.

Action Steps for Financial Professionals

While Kroll’s survey shows that many large companies find it challenging to fend off cyber attacks, it shouldn’t discourage other professionals. Better cyber security is achievable with the right steps. In fact, it may even be easier for small businesses to make the necessary changes.

Earlier this year, we wrote about how the federal government has created a fact sheet detailing eight steps companies can take to protect themselves and the financial services industry as a whole. Financial professionals are encouraged to:

  • Use multi-factor authentication (MFA) across all systems to make it harder for attackers to gain access.
  • Deploy modern security tools on your computers and devices to continuously look for and mitigate threats.
  • Work with cybersecurity professionals to make sure that systems are patched and protected against all known vulnerabilities, and change passwords across networks so that previously stolen credentials can’t be used by malicious actors.
  • Back up data with offline backups that are beyond the reach of hackers.
  • Run drills and tabletop exercises of your cyber emergency plans so that you are prepared to respond quickly to minimize the impact of an attack.
  • Encrypt your company’s data so that it can’t be used if it is stolen.
  • Train employees on common tactics attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or slow operation.
  • Consider engaging proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents.

Cyber Liability Protection

Even with the best cyber security practices, a determined hacker may still get through your defenses. So it’s important to have the right cyber liability protection if they do. Cyber Liability coverage from Lockton Affinity Advisor is available to cover costs associated with cyber attacks, with a policy specifically designed for financial professionals like you.

Lockton Affinity Advisor coverage comes with ERISA 3(21) and 3(38) protection, so you are covered for fiduciary duties you perform. Coverage also comes with individual aggregate limits, so that you have access to your full policy limits. Plus, adding Cyber Liability to your E&O policy is quick and easy with Lockton Affinity.

Visit or call (844) 406-5958 to learn more.