Jun 10 2024

Data Breaches Are More Common and Costly in Financial Services, New Research Finds

Despite setbacks, leaders feel confident in their war against cybercriminals.

At least $5 million. Perhaps as much as $10 million. That was the economic damage done to the majority of the financial institutions that experienced a data breach in the past five years and were able to estimate a cost.

The number comes from the 2024 CDW Cybersecurity Research Report and was gleaned from a survey of 171 IT decision-makers and influencers within U.S. financial institutions.

Among respondents, 118, or 69 percent, said that they were aware of a data breach within the previous five years. And among that group, 55 percent said it cost their institution between $5 million and $10 million. Fourteen percent said it cost more than $10 million.

“Our last breach was a malware attack,” said one respondent. “Our system was locked and our data breached. The only reason I call it successful was that we paid to have the system returned to our control, but at a total cost of approximately $1.8 million and 6 days of downtime. It hurt us badly.” Respondents were granted anonymity.

The Cybersecurity Stakes Are Greater in Financial Services

Released publicly last week, the CDW report sheds light on the ways public and private organizations in a variety of industries are responding to security threats.

While the report found a number of common themes across segments — all respondents cited evolving threats and keeping up with rapid advances in IT as among their biggest difficulties, for example — it also painted a picture of a financial services industry under particular stress.

To wit, data breaches are more common and more costly in financial services. About three-quarters of financial services organizations have had at least one breach over the past five years, compared with two-thirds of all organizations. And when a breach does occur, nearly a third of all organizations said it cost them less than $5 million, compared with 21 percent of financial organizations.


Share of financial services organizations that say they have "most" of their cybersecurity staffing needs covered.

Source: 2024 CDW Cybersecurity Research Report

Like other organizations, most financial services businesses are trying to improve their cybersecurity posture by moving toward a zero-trust architecture. Here, the picture is mixed: More than half describe themselves as having reached an “advanced” (44 percent) or “optimal” (9 percent) level of zero-trust maturity.

However, about a quarter of organizations have made little to no progress on this front. It’s worth noting that an organization’s perception of its own maturity level is highly subjective, and what qualifies as an “advanced” or “optimal” zero-trust environment varies by organization size, industry and other factors.

“Organizations definitely are all on a journey in terms of where they are from a zero-trust maturity perspective,” says Stephanie Hagopian, vice president of security for CDW. “And no two organizations are going to be in the same place in terms of what they’re doing or even what they have to do to operate in a highly mature state.”

Cyber Confidence Is High in Financial Services

The good news: Nearly 87 percent of IT leaders in the industry say they feel “very” or “somewhat” prepared “to respond to a cybersecurity incident and minimize the resulting downtime.” That’s a higher confidence level than exists among IT leaders at large, where 81 percent of all respondents fell into one of those categories.

Financial services IT leaders also expressed confidence about their own visibility into their organizations’ cybersecurity landscape, with slightly more than half of respondents declaring themselves “very confident” and another 42 percent saying they are “somewhat” so.

That’s important, because an organization’s ability to understand all aspects of its network is a vital element of its capacity not merely to defend itself against attacks but to recover from those that occur. This cyber resilience is an underappreciated part of an organization’s overall defense posture.

“The more holistic your view of the enterprise as a whole — not only the specific cyber risk itself but also the business impacts that are associated with it — typically, the more successful you're going to be in your cyber resilience aims,” said Buck Bell, who leads CDW's Global Security Strategy Office, in the report. “From my perspective, cyber risk is business risk.”
