Report: Finance Is One of the Most Targeted Industries by Cyber Criminals
Financial services businesses have been a target for criminals since the days of the Pony Express. Now, modern businesses face a serious threat from cyber criminals seeking to steal funds from bank accounts, real estate closings, court settlements and retirement funds.
A new NetDiligence report on the top industries targeted by hackers explains how finance is one of the industries most targeted by cyber criminals. The extensive report looks at 7,500 insurance claims from nearly all of the top carriers over the last five years, with new updates for trends through 2021.
Here are eight startling statistics showing how the threat impacts the industry, plus our tips on how you can protect yourself.
1. Finance Ranks in the Top 5 — and Has for a Number of Years
Financial services businesses small and large are an attractive target for cyber thieves. Some look for an instant payday, while others hope to steal clients’ financial information to perpetrate additional financial crimes at a later date.
According to NetDiligence, small- to medium-sized financial services businesses ranked fourth in terms of numbers of claims from 2017 through 2021 out of all business sectors.
The total incident cost for these businesses — which does not include corporate finance giants that NetDiligence gives their own category — amounted to $71 million.
2. Finance Cyber Crime Costs Have Gone up Four of the Last Five Years
For small- and medium-sized businesses in the financial services world, cyber claims are a big deal. In fact, there have been over 500 such claims in the last five years.
Out of all industries, these businesses accounted for 8% of all cyber claims and 7% of total cyber incident costs. On a claim-by-claim basis, the least expensive claim reported cost just $1,000. However, the most expensive claim totaled $3.7 million.
Average claim costs fell in between these extremes and are trending up:
- In 2017, small- and mid-sized financial services claims cost an average of $84,000.
- In 2018, the figure was $135,000 per claim.
- In 2019, costs averaged $97,000.
- In 2020, they were up to $166,000.
- In 2021, they rose again to $233,000.
Even the average over the last five years totaled more than $90,000 per claim.
3. Most Cases Involved Deliberate Targeting by Cyber Criminals
There are many reasons that a financial services business could experience a cyber-related loss. Some happen on account of innocent mistakes, such as staff errors, mishandling of records, improper disclosure, computer glitches or lost laptops.
However, the vast majority of losses in the claims studied by NetDiligence happened due to criminal activity. By the numbers:
- 51% of losses were due to ransomware
- 18% of losses were due to hacking
- 10% of losses were due to email scams
Meanwhile, only 0.3% were due to a mistake.
4. Mistakes May Be Rare, But Their Costs Are Also Going up
When a financial professional makes a mistake that results in a loss for a business or its clients, a work stoppage or an exposure of sensitive information, the costs can be high. Unfortunately, it also appears these cyber costs are going back up after a decline in 2018 and 2019.
- In 2019, mistakes cost small- and mid-sized businesses an average of $6,000 per claim.
- In 2020, the figure had spiked to $63,000.
- In 2021, it was up to $82,000, the highest in five years.
For comparison, the deliberate actions of rogue employees cost businesses only $35,000 in 2021.
For mistakes made by a third party outside the firm itself, the report shows an average cost of $69,000 per claim over the last five years.
5. Wire Fraud Cyber Attacks Cost More Than Others
As many advisors already know, wire fraud presents a significant risk to professionals in the financial services industry. In fact, the NetDiligence report shows that there were over 200 claims filed in the last five years.
Costs for wire fraud incidents are also elevated. While the average cost of a claim for all small- to mid-sized business sectors over the last five years was $170,000, the wire fraud claims alone averaged $254,000.
The amount of funds lost in such wire fraud incidents was also substantial, averaging $220,000 per incident from 2017 through 2021.
6. More Than 1.1 Billion Records Were Exposed in the Last 5 Years
In the financial services industry, many advisors are also painfully aware of how much an exposed record can amplify the seriousness and cost of a cyber incident, due to strict privacy and reporting requirements under ERISA.
In 2021, the average number of records exposed in a single claim was 731,000 for small- and medium-sized businesses. Notably, most records exposure incidents happened at these smaller firms, with only 21 claims filed by large companies.
Only about one in 10 claims studied in the five-year report involved a record exposure incident, but that still led to an eye-watering number of total records exposed. Just 755 incidents exposed over 1.1 billion records!
Considering that financial industry cyber costs can exceed $250 per record, this is an area of particular risk.
7. Record Exposure Claims Cost 191% More Than Other Claims
Despite the rising value of sensitive data, a surprising number of cyber incidents are considered to be “recordless” — meaning cyber thieves would prefer to quickly make off with stolen funds, a paid ransom or some other prize instead of sensitive client information.
While that’s good news for advisors, the bad news is that the minority of incidents that do involve a record exposure almost always cost more than those that don’t.
- Averaged across the last five years, the cost of incidents where records were exposed was $188,000 versus $173,000 where they were not exposed.
- Yet in 2021 alone, the cost was $494,000 with record exposure versus $170,000 without. That’s almost three times as much, or 191% more.
8. Legal Costs Are Highly Unpredictable for Finance Cyber Claims
As many advisors know, when mistakes are made and records are exposed, legal expenses are sure to follow. However, how much those costs will be is less certain.
The NetDiligence study looked at four types of legal costs incurred in 379 of the claims:
- Legal settlements
- Legal defense
- Regulatory fines
- Regulatory defense
For the five-year period of the study, legal defense costs had the highest average of $183,000 per claim. Meanwhile, costs for the other three legal expense categories averaged between $20,000 and $46,000 per claim.
However, the average costs in any given year were highly unpredictable. For example, the average legal defense cost per claim in 2020 was $503,000, 2.7 times higher than average. Yet in 2021, those costs were down, but the average settlement was $243,000, or more than six times the five-year average. In other years, it was regulatory fines and defense costs that were elevated.
How to Protect Against Finance Industry Cyber Risks
The financial services industry will likely always face elevated risks. Whether by train robberies, cyber fraud or something else, criminals find the potential payoff too hard to pass up.
For advisors, this means that even the very best risk management practices won’t always be enough. An incident involving a cyber loss, whether accidental or malicious, is likely to occur at some point in most careers. When it does, the costs could be unpredictably high.
Time and again, advisors find the best way to protect against this uncertain risk is by having the right insurance. With Lockton Affinity Advisor, you can obtain coverage specifically designed to protect against the risks you face as a professional financial advisor, including cyber risks.
Lockton Affinity Advisor Cyber Liability coverage addresses many of the deficiencies in the current marketplace, where sparse coverage, hidden fees and no available coverage are common.
Our coverage provides protection against mistakes, breaches, hacks and more. Cyber Liability Insurance is available to add to your Lockton Affinity Advisor E&O policy for better protection and better peace of mind.
Learn more about how our coverage meets ERISA standards, including services performed as an ERISA 3(21) and 3(38) advisor, plus recently updated requirements of top custodians by visiting LocktonAffinityAdvisor.com.