Banks and insurers have been among the preferred targets of hackers for years. The study "From Cyber Security to Cyber Resilience - Strategies for Dealing with an Increasing Threat Situation" provides insights into the state of cyber resilience of companies in Germany. Although financial service providers are often better positioned in terms of cyber security, there is still a lot to be done to achieve solid cyber resilience.
The specialist magazine "CSO Online" has listed more than 30 cyber attacks on companies in various sectors since the beginning of the year. However, the number of unreported cases is likely to be higher. The new study "From cyber security to cyber resilience - strategies for dealing with an increasing threat situation" by KPMG and Lünendonk & Hossenfelder provides current insights into the risks and the degree of maturity of banks, insurers and other industries.
Almost everyone perceives an increased threat situation
84 percent of those surveyed perceive an increase in the threat of cyber attacks compared to the previous year. 71 percent of financial service providers named Distributed Denial of Service (DDoS) attacks among the top 3 influencing factors for the increased threat situation. This is followed closely by phishing/ransomware attacks and the use of unauthorized devices such as USB sticks on company networks, each with 64 percent.
More than a compulsory exercise
Nine out of ten participants surveyed rate their ability to detect and ward off cyber attacks at an early stage as high. This could be related to the fact that many cyber attacks go undetected and respondents may have a false sense of security. Looking at the individual sectors, it is noticeable that financial service providers achieve a higher level of protection.
This is not surprising, because current regulations such as BAIT/VAIT/KAIT, the new requirements of the Federal Financial Supervisory Authority (BaFin) and the latest European legal acts, such as the Digital Operational Resilience Act (DORA) and the Network and Information Security Directive 2 (NIS2), contain clear guidelines for the financial sector.
Cyber security must be a top priority
However, merely meeting the legal requirements is not enough. Cyber security must be a priority. In concrete terms, this means that the board of directors or the management should be involved in developing the cyber security strategy. But this happens in only 14 percent of cases. In the future, cyber security must receive the same attention from top management as economic key figures, and must not come into focus only once an attack has happened.
Digital identities as a gateway
Identities and data are the "crown jewels" of companies. To make things as difficult as possible for hackers, companies must focus on digital identities, which are currently the most common gateway for criminals. Privileged Access Management (PAM), which BaFin prescribes via the BAIT/VAIT/KAIT, can help here. As part of Identity & Access Management (IAM), it is used to securely organize and manage highly privileged user accounts, such as those of system administrators, and the associated authorizations in IT systems. But currently only 25 percent of financial service providers use a PAM. A further 33 percent are currently introducing one. For 80 percent of all companies surveyed, PAM is a focus in the next two years, and as many as 89 percent have IAM on their agenda.
Cloud transformation drives cyber security
Additional challenges arise when multiple cloud solutions are deployed. After all, 69 percent of companies rely on hybrid or multi-cloud environments, i.e. they combine clouds from different providers. Each of them must be integrated into the overall cyber security strategy. That is often lacking: more than half of the study participants (54 percent) rated the integration of hybrid multi-cloud and multi-cloud provider environments into internal IT security processes as mediocre. Only a third (34 percent) described the integration as high. An important pillar is the establishment of a Security Information and Event Management (SIEM) system. A SIEM makes it possible to oversee the various providers and to integrate the various cloud environments into the company's own security processes.
Detection-and-response capabilities can be improved
It is very worrying that security monitoring is often still organized in a decentralized manner. Monitoring the entire IT landscape is much more difficult in such cases. In the financial sector, only 38 percent use central security monitoring. This task can be centralized with a SIEM, for example: it captures, monitors and analyzes events from a variety of sources across the enterprise network in real time, so that threats can be identified and dealt with before damage occurs. In view of the increasing threat situation, it is good that 80 percent of companies want to make the establishment and expansion of a SIEM a priority in the next two years.
Conclusion of the study
The study results show that financial service providers are aware of the increasing threat. And although they already have a high level of protection compared to other sectors, there are still serious deficiencies in security maturity. A positive aspect is that the majority of the participants have recognized this and want to expand their own capabilities to defend against cyber attacks. But higher investments alone are not enough. Banks and insurers should rely more than before on automated security solutions and well thought-out end-to-end concepts that are practised by everyone.
About KPMG
In Germany, too, KPMG is one of the leading auditing and consulting companies and has around 12,200 employees at 27 locations. Our services are divided into the business areas Audit, Tax and Advisory. Audit focuses on the examination of consolidated and annual financial statements. Tax stands for the tax advisory work of KPMG. The Consulting and Deal Advisory areas combine our high level of specialist know-how on business, regulatory and transaction-oriented topics.