Financial Cyber Survey

June 2021
 Financial Cyber Survey | June 2021

Editorial
The financial sector is generally known for having a high cybersecurity maturity level, due to having
been at risk of cyber-attacks for several decades. However, financial businesses must be careful
not to rest on their laurels, and they must continuously test assumptions about their cybersecurity
posture and close any gaps between these assumptions and their aspirations as well as regulations.

In this survey, we investigate the Danish financial sector’s ability to respond to cyber threats. The
survey provides unique insights into the cybersecurity practices in the sector and reveals some
major trends:

The cyber threat has continued its increase. And phishing remains the number one way to
penetrate organisations, according to the respondents. The financial sector has been “in the game”,
so to speak, for several decades – cyber criminals have always sought a financial gain. Thus, being
exposed to cyber threats has been a condition for financial businesses for a long time. The shape of
the threat has changed, though. Today, it is not only about stealing money, but sometimes also about
doing damage just for the sake of damage.

Businesses might have a false sense of security. The businesses in the sector have quite positive
self-images when it comes to how close they are to being ideal cybersecurity organisations. Maybe a
bit too positive as only one out of ten businesses have fully implemented what is generally considered
baseline cybersecurity measures. While it is good to see that the businesses aspire to have high cyber
maturity levels, we strongly recommend testing these assumptions and maturity levels independently
and closing any gaps between the self-evaluations and the independent assessments.

Many find it difficult to comply with cyber regulations. No less than one third of the businesses
in our survey indicate this. Indeed, compliance can be a complex task. Businesses within the financial
sector need to adhere to a multitude of regulations and take into account multiple regulators that are
not always aligned. But businesses should be ahead of regulations instead of chasing them. This not
only gives them an advantage in terms of cybersecurity but is also far less costly.

In summary, the Danish financial sector continues to believe that it is higher up the cyber maturity
ladder compared to other less mature industries. That may be the case. This should, however,
not lead to complacency, which could result in these organisations falling behind the curve in the
cyber-arms race.

We hope you will find this survey interesting. Please do not hesitate to contact us for further
information.

Hinko van Beek Jay Choi

Partner Partner
+45 30 93 52 57 +45 30 93 41 92
[email protected] [email protected]

3
Financial Cyber Survey | June 2021

The perceived cyber threat has

increased – but the sector is used
to the threat
The cyber threat has increased according to the respondents. However,
many also report of an unchanged threat level which might be explained
by the sector’s relatively high level of cybersecurity maturity.

What does the survey show?

“I would not necessarily say
Three out of four respondents in the survey think that
the cyber threat against their business has increased that the threat has changed.
or increased significantly over the last two years. The
remaining respondents report of an unchanged threat
We had the first couple of
level. Nobody is of the perception that the cyber threat big attacks, and then media
has decreased.
attention changed.”
The businesses in the survey were asked about their
CISO, global financial services provider
perception of the development in the cyber threat level
during COVID-19 (the survey was conducted in August
2020). Thirty-four percent indicate that the threat has
increased during this period, and 66% indicate that that the threat level has remained unchanged over the
the level has stayed the same. Again, nobody is of the last two years.
perception that the threat has decreased.
It is important to be aware of the distinction between
Deloitte’s perspective the actual cyber threat level and the perceived cyber
Most of the respondents are of the perception that threat level. As this is a survey, the numbers reflect the
the cyber threat has increased over the last couple of perceived level. This could be part of the explanation
years. However, compared to other sectors that have why a relatively big proportion of the businesses in the
been investigated as part of Deloitte’s Cyber Surveys financial sector sees the threat level as unchanged.
(the consumer sector, the public sector and the Compared to the other sectors, the financial sector has
energy, resources and industrials sector), the financial a high cybersecurity maturity level in general, having
sector has a high proportion of respondents indicating been “in the game” and at risk of cyber-attacks for many

4
 Financial Cyber Survey | June 2021

years – people have always been after a financial gain.

”The financial sector has
Thus, being exposed to cyber threats is a condition for
businesses in the financial sector, and they have learned always been exposed to
to live with it. They are more aware, and it does not feel
like an increase.
cyber-attacks, and it is not
only about stealing our clients’
However, the shape of the threat against the financial
sector has developed over the years. Today, it is not money, but also about doing
only about obtaining a financial gain from financial damage just to do damage.”
businesses. Sometimes, the sole purpose of the attack
is destruction. CRO, financial services provider

How has the cyber threat against your

organisation in your view developed?

Last 2 years 72% 28%

During COVID-19 34% 66%

Increased Unchanged

5
Consumer Cyber Survey | September 2020

6
 Financial Cyber Survey | June 2021

Cybersecurity is a natural part

of the top management’s agenda
Cybersecurity is frequently discussed by the top management. The increa-
singly tighter cyber regulations might have made the businesses in the sector
prioritise the agenda.

What does the survey show? more informed decisions due to a generally improved
Forty-two percent of the respondents indicate that understanding of the cybersecurity landscape, and for
cybersecurity is on the leadership agenda monthly aligning investments accordingly.
or more frequently. Thirty-five percent discuss
cybersecurity in the boardroom on a quarterly basis,
while 23% indicate that cybersecurity has the top
How often is cybersecurity on
management’s attention twice a year or less frequently. the top leadership’s agenda?

Deloitte’s perspective
Cyber threats pose a significant risk to today’s busi-
nesses. Therefore, it is positive to see that cybersecurity
9%
Once a year or
is a topic for the C-level executives and the boards in less frequently
the businesses in the financial sector. Seventy-seven
42%
percent of the respondents in the survey indicate that
cybersecurity is on the leadership agenda on a quarterly
14% Monthly
or more
Bi-annually
basis or more frequently. frequently

The top management of the businesses in the financial

sector is more focused on cybersecurity than the top
management of the businesses in the other sectors that
we have surveyed. This is no surprise, as cybersecurity
has long been an eminent part of the financial sector’s 35%
business operations, e.g. in the context of fraud detec- Quarterly
tion and prevention. This combined with the increasingly
tighter cyber regulations in the financial sector may have
made the financial sector prioritise the cybersecurity
agenda. The topic has become a natural part of the
leadership agenda.
“Our board is asking a lot
about cybersecurity and if
It is important to stress that frequency is not the
only criterion for prioritisation; yet, it is likely that we need more resources.”
a higher frequency offers opportunities for making CISO, global financial services provider

7
Financial Cyber Survey | June 2021

Phishing is considered the

biggest risk
As many of the businesses in the financial sector are dealing directly with
other people’s money, phishing naturally has the attention of the sector.

What does the survey show? or directly leading to fraud via transfer of funds, e.g.
The survey shows that phishing/malware (e.g. social using unsuspecting consumers’ bank account details.
engineering) is considered the biggest cyber risk The latter is somewhat specific to the financial sector
among the businesses in the financial sector. Half of and it has been a focus area especially for the banks
the respondents have ranked this as the number one for several decades now.
risk. The second biggest risk is, according to the
average ratings, technical vulnerabilities in applica-
tions and infrastructure, and the third biggest risk
“In general, we are probably
is data leakage/data integrity.
most exposed to phishing
Deloitte’s perspective
It does not come as a surprise that phishing is
attempts, having somebody
considered the number one cybersecurity risk by lurking around and pulling
financial businesses. Phishing has been an effective
channel for cyber-attackers; either as a means to information from us.”
introduce malware into an organisation’s systems Head of Risk & Security, company in the financial sector

Rank these cybersecurity threats from 1-6, with 1 posing the

greatest threat to your business and 6 being the smallest.
Rank 1 Rank 2-6 Average
Phishing/Malware (e.g. social engineering) 51% 49% 2,1

Technical vulnerabilities in applications and infrastructure 11% 89% 3,2

Data leakage/data integrity 12% 88% 3,3

Unauthorised access to systems, and/or excessive entitlements 11% 89% 3,7

Third party / supply chain control deficiencies 7% 93% 4,3

Inadequate detection & response 9% 91% 4,5

8
9
Financial Cyber Survey | June 2021

Basic cyber defence efforts

are lacking
Only one out of ten businesses have implemented all four baseline
cybersecurity measures: response plans, self-defence plans, cyber
awareness training and cyber hygiene.

What does the survey show? and interconnected world, it is crucial that businesses
Typical baseline cybersecurity measures include are protected by robust and resilient cybersecurity
response plans, self-defence plans, cyber awareness defences. The number is also surprising given the
training and cyber hygiene. positive self-evaluation elsewhere in the survey where
72% have rated the level of their own cyber-security
Fifty-three percent of the respondents indicate as 7 or higher on a scale from 0 to 10, 10 being the
that they have a fully implemented self-defence most mature. Thus, there is a risk of the businesses
plan, and 44% indicate that they have a fully overestimating their own cybersecurity capabilities,
implemented response plan. Forty-three percent operating with a false sense of confidence in their
of the respondents say that they conduct regular cyber defence.
awareness training, and 37% say that cyber hygiene
is fully implemented. Only 9% of the respondents
indicate that they have all four cyber measures fully
implemented.

Deloitte’s perspective
”We are very afraid of breaching
As investments in new technology grow, so does the GDPR. Our company is based
potential attack surface, enabling cyber criminals
to exploit weaknesses. Therefore, it is alarming on systems that were designed
that only around one out of ten businesses in the way before GDPR.”
financial sector have implemented all four baseline
cybersecurity measures. In an increasingly digitised CRO, financial services provider

10
 Financial Cyber Survey | June 2021

“One of the most important

defence mechanisms of
the banks are the employees
– a human firewall.”
Head of Risk & Security, company in the financial sector

According to Deloitte’s cyber experts, cyber you, you are not as resilient as you might feel you are.
hygiene and awareness training are fundamental Ideally, such plans need to be in writing, and you need
and elementary initiatives that are crucial to any to test them frequently to make sure that you are
organisation’s cyber resiliency. Also, it is a necessity to ready for when – not if – your organisation is hit by a
have both a strategic plan and an operational plan for cyber-attack.
how you should defend yourself against the threats
you are facing. If you do not have a response plan that There are plenty of low-hanging fruits that can be
tells you how to act when a cyber-attack strikes harvested relatively easily to strengthen cyber defence
and resiliency. For instance, many organisations need
to operationalise the knowledge, plans or procedures
that already exist within the organisation but have not
yet been documented or tested.

9%
“We have a security incident
All four cyber
measures fully
implemented
response team which is a 24/7
function that monitors and
reacts to security incidents.”
Are all four cyber measures fully
implemented in your organisation? CISO, global financial services provider

11
Energy, Resources & Industrials Cyber Survey | January 2021

12
 Financial Cyber Survey | June 2021

Security-by-design: On the right track

Not incorporating security-by-design is costly and puts the business in a
vulnerable position. The sector has come a long way, but still needs to be
better at including cybersecurity from the get-go.

What does the survey show? recognised as an instrumental part of product and sy-
When asked about the development of their latest digital stem-development processes. We have come a long way
solutions, almost half of the respondents indicate that when it comes to security-by-design, and it is important to
cybersecurity was taken into account before the actual recognise this positive development.
development of the solution. Forty percent indicate that
they started taken cybersecurity into account during the However, half of the respondents are not doing securi-
development or before implementation, while 10% say ty-by-design – taking cybersecurity into account before
that this happened as part of or after implementation. actually starting the development of a solution. This num-
None of the respondents say that cybersecurity was not ber is too high. Not only does this increase the business’
taken into account at all. Two percent indicate that they vulnerability; in many cases, it also makes the solution
had not taken cybersecurity into account until an actual more expensive, especially if the security efforts need to
cyber-attack (or attempt) prompted them to. be integrated once the solution has been implemented.
Our qualitative data suggest that businesses really have
Deloitte’s perspective the intention of getting better within the area. When asked
Businesses need to be proactive in their approach to about what would make them rank their own general
cybersecurity. It is costly and ineffective not to take cybersecurity higher, respondents pointed to exactly this
cybersecurity into account from the beginning in all – getting better at taking cybersecurity into consideration
design and system-development processes. Half of the from the beginning.
respondents indicate that cybersecurity is taken into
consideration before the actual development of the
solution. This is positive and it supports the general trend
“We have what we call a design
that we have seen in the past 10 years, with cybersecurity authority board that aims at
having gone from not being considered at all to now being
screening everything to ensure
48% that what is to be observed is
Think of the last time your
company developed a
40% observed.”
digital solution (e.g. Iot, CRO, financial services provider
cloud, robotics or similar).
When in the development
process was cybersecurity
taken into acount? 10%

2%

Before During As a part of After a

development development/ or after cyberattack
before implementation
implementation
13
Financial Cyber Survey | June 2021

Businesses, be ahead
of regulations!
There is a multitude of regulations that the businesses must comply
with. But being ahead of regulations instead of chasing them gives the
businesses an advantage and is far less costly.

What does the survey show? The respondents were also asked about the effects of
Forty-seven percent of the respondents indicate that these regulations. There is a group of respondents that
they are highly able to comply with the government’s indicate that the regulations have resulted in an increa-
cyber regulations within IT privacy and cybersecurity sed focus on cybersecurity in their organisation. Some of
(e.g. GDPR, cyber data privacy and outsourcing). For- them indicate that the regulations have provided them
ty-one percent indicate that they are able to do this to with a framework for working with cybersecurity. Other
some degree, and 1% to a lesser degree. No one is of respondents point to the stick effect of the regulations
the perception that they are not able to comply at all, – getting fined if regulations are not complied with.
and 10% indicate that they don’t know.
Then, there is a group of respondents indicating that
The respondents were also asked if they find it easy or the regulations have increased the bureaucracy.
difficult to comply with these regulations. Twenty-nine
percent find it easy, 32% find it difficult, and 37% find it
neither difficult nor easy. No one finds it very difficult,
and only 1% find it very easy.

Deloitte’s perspective “We are regulated in a large

The proportion of businesses indicating that it is
difficult to comply with government regulations is number of countries, directly or
high – one third (no one finds it very difficult, though). indirectly. That of course gives
Part of the explanation could be that regulations can
be complex. There is a multitude of regulations that a lot of complexity in terms of
businesses within the financial sector need to adhere
to and multiple regulators - that are not always aligned
the compliance piece.“
- to take into account. CISO, global financial services provider

14
 Financial Cyber Survey | June 2021

Some point to more administrative work. Others say

“I think we are doing well on
that the regulations have made things more difficult,
as they do not always agree with the regulations. complying with cyber regu-
Not all of the businesses surveyed, however, see the
lations. That is our ambition,
regulations as having an impact. They indicate that at least.“
they would have taken the measures anyway. This is
CRO, financial services provider
positive. Businesses should be ahead of regulations
instead of chasing them and being worried about
them. This not only gives them an advantage in terms
of cybersecurity but is also far less costly.

How easy or difficult

do you find it to comply
with the government
37%
cyber regulations?
32%
29%

1% 0%

Very easy Easy Neither nor Difficult Very difficult

15
Financial Cyber Survey | June 2021

A positive self-image – but is it

too positive?
The businesses rank themselves high when asked about their closeness
to the ideal cybersecurity organisation. The sector is indeed very mature
within the area, but do they paint too positive a picture?

What does the survey show?

”We know we have gaps.
In the survey, we asked the respondents to envision
an ideal organisation where cybersecurity is deeply But that is also part of our
rooted; cyber and information security resources
are adequate; and thorough threat assessments and
maturity, right? Knowing
contingency plans are in place. The respondents were where our gaps are, and what
then asked to indicate how close their organisation is
to this ideal on a scale from 0 to 10 (10 being the ideal it takes to reduce them.“
organisation). CISO, global financial services provider

The average self-evaluation is just about 7. Seventy- Deloitte’s perspective

two percent of the respondents rate themselves 7 or The businesses in the financial sector have a quite
higher. Seven percent rate themselves as 5 or below. positive self-image when it comes to how close they are
to being an ideal cybersecurity organisation. While the
average for the businesses in the financial sector is just
“We are a seven. Other around 7, the average for all four sectors in Deloitte’s

organisations have a more Cyber Surveys (consumer sector, public sector and
energy, resources and industrials sector) is around 6.
mature setup. We have some
The financial sector is a bit more mature than the other
work ahead of us.” sectors when it comes to cybersecurity. However,
Head of Risk & Security, company in the financial sector generally speaking – and in our experience – self-

16
 Financial Cyber Survey | June 2021

”We are a five. It is all about

integrating it by design -
security, privacy and so on.“
CRO, financial services provider

evaluations tend to paint too positive a picture. This To some extent, the positive self-evaluation also
could also be the case with the surveyed businesses. stands in contrast to the fact that less than one
While it is good to see that the businesses aspire out of ten businesses in the financial sector have
to be at the high cyber maturity levels, we strongly fully implemented baseline cybersecurity measures
recommend testing these assumptions and maturity (response plans, self-defence plans, cyber awareness
levels independently and closing any gaps between the training and cyber hygiene) – as asked about
self-evaluations and the independent assessments. elsewhere in the survey.

Imagine an ideal organisation

where cybersecurity is deeply
rooted, the organisation’s
7% 41%
72%
cyber resources are sufficient
and there is a clear threat
assessment and contingency
plan. How close do you believe 21%
18%
your organisation is to that
ideal? 13%

6%

0% 0% 0% 0% 1% 0%

0 1 2 3 4 5 6 7 8 9 10

17
Financial Cyber Survey | April 2021

18
 Financial Cyber Survey | June 2021

A value chain is only as cyber

resilient as its weakest link
Cyber-attacks have become a question of when they will occur - not
if. Having a resilient cyber defence in place is essential as it enables
businesses to rapidly respond to and recover from cyber-attacks suffering
minimal damage.

What does the survey show? There are differences, however. While 53% indicate that
The respondents indicate that they are quite cyber they are even highly resilient when it comes to handling
resilient within the areas of handling customer data and customer data, the percentage is only 29% when it
marketing/sales. Ninety percent of the respondents comes to new technology. Eight percent indicate that
indicate that they are highly or to some degree cyber they are not cyber resilient at all when it comes to the
resilient within these two areas. For the other key areas use of close business partners/suppliers (with system
shown in the graph on the next page, the percentage integration).
of businesses indicating that they are highly or to some
degree resilient is between 83% and 88%. Deloitte’s perspective
Compared to other sectors, the businesses in the
financial sector rate their own cyber resiliency lower
in general. Once again, part of the explanation could
“To be honest, what I am be that the businesses in the financial sector are more
fearing the most is not what I aware of the cyber threat because of their maturity.
They have been exposed to cyber threats for a long
am in control of, but what I am time due to the nature of the business and are thus
not in control of. And that is more realistic about it all, including their own resiliency.

not our third-party vendors. The FinTech (financial technology) companies aside,

It is our clients.” the financial sector has not been as adaptable and
accommodating as regards digital transformation due
CISO, global financial services provider to internal and external challenges. This might have

19
Financial Cyber Survey | June 2021

”When it comes to handling

customer data, our resiliency
could be better. We have had
an unfortunate incident.
However, in relation to GDPR,
I would not say the biggest risk
is cyber, it is our own actions.”
CRO, financial services provider

made the financial sector feel less cyber resilient in led to increased confidence in handling and protecting
terms of new technology. customer data. Seven percent of the businesses in the
financial sector, however, indicate that they are not
The survey shows a high level of perceived cyber resilient at all when it comes to handling customer data.
resiliency when it comes to handling customer data.
This is a positive development that can possibly
be accredited to EU’s General Data Protection
Regulation (GDPR) combined with an increased focus “We are very resilient. That is
on data privacy and general compliance with privacy
regulations. It is promising to see that the increased
the ambition, at least.”
focus on and awareness of privacy issues have also Head of Risk & Security, company in the financial sector

To what degree do
you feel that your
company is resistant
37% 45%
to cyber attacks in the 40% 38% 42% 41% 41%
following areas? 59%

Not at all
To a lesser degree
To some degree 53% 47% 45% 45% 44% 44% 44%
To a high degree 29%

Handling Customer Marketing Using Using other Using close Doing Using new
customer communi- and sales cloud business business trans- technology
data cation services partners/ partners/ actions
suppliers suppliers

20
Financial Cyber Survey | April 2021

21
Financial Cyber Survey | June 2021

Being proactive and attractive

helps recruitment
The competition is fierce when it comes to the recruitment of cyber
capabilities. A proactive approach and being able to offer people to work
in a tech-driven environment serve as key advantages for the sector.

What does the survey show? pool of talent in Denmark is too small, not least when it
When it comes to attracting new employees with com- comes to the specialists. Therefore, it is often necessary
petencies within cyber and information security, 21% of to look abroad for these skills.
the respondents indicate that they find this easy (nobody
finds it very easy, though). Twenty-two percent find it Different sectors have different advantages when it
difficult or very difficult, and 57% indicate neither nor. comes to attracting and retaining employees with cyber
capabilities. Where sectors such as the public sector
Twenty-two percent of the respondents indicate that they and the energy, resources and industrials sector might
find it easy or very easy to retain these employees. Lastly, be able to take advantage of people wanting to serve
when it comes to developing current employees’ compe- a higher purpose, our qualitative data suggest that
tencies within cyber and information security on a regular the financial sector might be able to take advantage
basis, 31% answer that they find this easy or very easy. of offering people to work in a more tech-driven
environment – giving people the opportunity to work
Deloitte’s perspective innovatively and with technical challenges.
The financial sector has a relatively good ability to
attract employees with cybersecurity capabilities. An
explanation for this could be that businesses in this “Attracting the right talents
sector often are able to pay a relatively high salary.
is hard because the pool of
A complimentary explanation could be that the
businesses in the sector are very aware that the people is small.”
competition for cybersecurity capabilities is fierce. CISO, global financial services provider
Combined with a desire to be “best in class”, the
businesses take on a very proactive approach and are
putting a lot of effort into attracting employees. How easy or difficult do you find it to attract/retain/
develop employees with competencies within cyber
and information security to/within your organisation?
The picture is mixed, however. About one out of five
businesses in the survey find it easy to attract employees
9% Difficult/Very difficult
with cybersecurity capabilities. But an equal proportion 22%
13%
Neither nor
finds it difficult or even very difficult. This split in
Easy/Very easy
opinion might have something to do with the type of
69% 56%
capabilities: You can find the generalists relatively easy, 57%
but it is harder to find the specialists with the deep
understanding and competencies (e.g. incident response
31%
professionals, security architects, and C-level strategy 21% 22%

consultants). A point from the qualitative data is that the Attract Retain Develop

22
Consumer Cyber Survey | September 2020

23
Deloitte is a leading global provider of audit and assurance, consulting, financial advisory,
risk advisory, tax and related services. Our global network of member firms and related
entities in more than 150 countries and territories (collectively, the “Deloitte organization”)
serves four out of five Fortune Global 500 ® companies. Learn how Deloitte’s approximately
330,000 people make an impact that matters at www.deloitte.com

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global
network of member firms, and their related entities (collectively, the “Deloitte organization”).
DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities
are legally separate and independent entities, which cannot obligate or bind each other in
respect of third parties. DTTL and each DTTL member firm and related entity is liable only for
its own acts and omissions, and not those of each other. DTTL does not provide services to clients.
Please see www.deloitte.com/about to learn more.

© 2021. For information, contact Deloitte Touche Tohmatsu Limited