Survey respondents reported an increase in cybersecurity spending, with identity and access management, cyber monitoring and operations, and endpoint and network security receiving bigger shares of the pie.
One of the most important components of a financial institution’s cyber risk management operation is the level of resources allocated to cybersecurity programs. The average annual cost of cyberattacks has been ballooning for many organizations. So, it was not surprising to find that cybersecurity spending rose among the financial institutions surveyed compared to those responding in the prior year (figure 1).
Respondents to our most recent survey spent about 10.9% of their IT budget on cybersecurity on average, up from 10.1% a year earlier. This equaled about 0.48% of company revenue on average, again up from 0.34%. In terms of spending per employee, respondents spent about US$2,700 on average per full-time employee (FTE) on cybersecurity, increasing from about US$2,300 last year.
At the same time, cybersecurity spending by sector has changed significantly across different benchmarks (figure 2).
Despite increased spending, budget allocations have remained largely consistent over the three years of the survey. Cyber monitoring and operations, endpoint and network security, and identity and access management collectively received more than 50% of the spending pie in our latest survey (figure 3).
Another reason for increased cybersecurity spending is increased pressure on boards and executive management teams, which has heightened their interest in cybersecurity at responding financial institutions (figure 4). Based on Deloitte’s interactions with clients, CISOs who were able to continuously refine and articulate cybersecurity’s value propositions to the board tended to be more successful in securing board engagement.
Board engagement was not limited to strategic or operational areas. Security technologies rose from number nine among respondents in our prior survey to number seven in the most recent one, indicating that boards are becoming more interested in understanding the technical aspects of cybersecurity. Similarly, boards were more interested in reviewing roles and responsibilities of the security organization than in the past. This likely validates the growing emphasis around the notion that cybersecurity is everyone’s job and not just the CISO’s responsibility.
Survey respondents who rated their cyber programs as more mature had boards and management committees that were more interested in nearly all areas of cybersecurity than those from organizations with less mature cyber risk management programs. This underscores the importance of board engagement.
Looking ahead, given the tough macroeconomic conditions arising from the COVID-19 pandemic, many companies will likely be taking a hard look at whether they need to cut expenses across the board. Financial institutions, however, should be particularly judicious before making a reduction in cybersecurity budgets. Given the increased push toward digitization and the challenges raised by new, often remote work environments, as well as an increase in insider threats, cyber risks confronting most organizations are intensifying.
Access to Innovation
Access to Capital
Access to Talent
Access to Market
Access to Knowledge
