Cybersecurity in financial services

From PwC's Financial Services Institute

Phishing. Ransomware. DDoS attacks. These are terms financial services security professionals have come to know intimately—and despise. Amid threats from individual actors and organized attackers, security teams have had to step up. As attacks have become more sophisticated, regulators are raising their level of scrutiny, and global cybersecurity and privacy legislation is changing. It’s a big challenge for firms that have come to rely so heavily on digital technology.

A look back

Threat actors keep finding weaknesses to exploit. According to PwC’s most recent Global State of Information Security® (GSIS) Survey, the most common type of cyberattack in 2016 was phishing. Firms also faced growing risks due to business email compromise, ransomware, and distributed denial of service (DDoS) attacks. And criminals and other threat actors aren’t giving up, as shown by the SWIFT incident and rising concerns over payment systems.

Raising the bar. It’s been a busy year for financial institutions as they’ve tried to keep up with additional cyber standards from the NAIC, the CFTC, and the NYDFS. In October, the Fed, OCC, and FDIC jointly issued an advance notice of proposed rulemaking on cyber risk management standards. While all of these standards are important, many firms struggle to reconcile the sometimes conflicting guidance.

Cyber risk and cybersecurity programs mature. As more sensitive data moves to the cloud, many financial institutions are upping their game. This year, 51% of US financial services respondents in the GSIS survey reported that they use managed security services for solutions like authentication and real-time monitoring and analytics.

Top 5 cybersecurity challenges in financial services - PwC

The road ahead

Regulatory focus on cyber isn’t going away. Cybersecurity isn’t a partisan issue. Financial institutions will be pushed to collaborate more with regulatory bodies to collectively share information. They’ll have better visibility into emerging threats—and a greater responsibility to prepare for them.

More collaboration. Most firms have realized the benefits of working together and with governmental bodies to prevent cyberattacks. The coming year will be no different. Industry collaboration will grow through venues such as Financial Services Information Sharing and Analysis Center (FS-ISAC) and new initiatives such as the Financial Systemic Analysis & Resilience Center (FSARC) and Sheltered Harbor.

Looking after consumer data. Firms must already comply with industry, state, federal, and international privacy regulations. The CFPB recently announced consumers can give permission for third parties to access their information. Firms will likely share blame for mishandled data.

New technology, new challenges. Combining cloud services with tools like artificial intelligence and blockchain will introduce new risks—and require new approaches to combating those risks.

As business goes digital, cyber spend increases. In fact, 54% of US financial services respondents to our GSIS survey plan to spend more on beefing up security in the mobile channel.

What to consider

Integrate cybersecurity, anti-fraud, and anti-money laundering efforts. You’ll improve your ability to ward off threats by combining analytics from pooled data, strengthening your risk management environment, and implementing controls more effectively.

Find the regulatory balance in the guidance. Focus first on building a robust risk-based cybersecurity program. This can help you achieve your broad strategic objectives while also complying with regulatory requirements.

Establish an independent, second line of defense. Keep your security governance and oversight capabilities separate from cybersecurity design, implementation, and operations. Also, your second line of defense should engage the board and its risk committee on cyber topics.

Anticipate risks from third parties. Recognize the potential for increased risks when outsourcing. Collaborate with third party vendors to make sure they take the right measures to protect your data.

Speed innovation by focusing on cybersecurity up front. When designing and developing new digital products and services, you should integrate cybersecurity and privacy in the beginning stages.

“Cyber expectations are growing. Firms need to balance rapid innovation with the need to provide both seamless customer service and privacy protection.”

Joseph Nocera, Financial Services Cybersecurity Leader



Featured videos



PwC discusses board focus on cybersecurity and privacy in financial services

PwC's John Stadtler and Bill Lewis discuss how financial institution boards are addressing cybersecurity and privacy. Threats are all around financial institutions, and boards are feeling the pressure. What should they do to stay ahead of the game on cyber threats?



How to be prepared in the ever-changing threat environment

PwC’s Sean Joyce discusses the changing financial crime environment and what financial services firms need to consider.

How PwC can help

Our teams in asset and wealth management, banking and capital markets, and insurance are helping our clients tackle the biggest issues facing the financial services industry. With professionals across tax, assurance, and advisory practices, we can help you find ways to thrive even in a period of uncertainty. Whether you're preparing for regulatory changes, putting FinTech/InsurTech to work, or rethinking your human capital strategy, we work together with you to deliver value to your business.

For more information on how PwC can help with cybersecurity, reach out to one of our leaders below or explore our cybersecurity and privacy services.

Contact us

Joseph Nocera
Principal, Cybersecurity and Privacy
Tel: +1 (312) 298 2745

Marie Carr
Financial Services Institute
Tel: +1 (312) 298 6823

Cathryn Marsh
Financial Services Institute Leader
Tel: +1 (720) 931 7836
