A Moody’s Ratings survey of the cybersecurity practices of 240 banks around the globe revealed that firms are consistently increasing their investments, irrespective of size or credit strength, because of an escalating number of incidents.
Financial institutions are prime targets, as key institutions that safeguard client wealth, facilitate transactions through payment networks and manage vast amounts of personal information. Consequently, they are at the forefront of enhancing cyber strategies and investing in defences, processes and talent. The survey's results show financial institutions also devote more attention to cybersecurity at senior management and board levels than other industries, underlining its critical importance.
The observations in this report reflect survey responses and do not represent a definitive assessment of cybersecurity readiness.
Cybersecurity is receiving an increasing share of financial institutions' technology budget. Responses show financial institutions large and small have been steadily boosting cybersecurity's portion of the information technology (IT) budget in all regions since 2019. Firms in the Americas and Asia Pacific have invested more than those in EMEA.
Financial institutions commonly employ sophisticated cyber defense strategies. Advanced defense practices, such as penetration tests and Red/Purple Team engagements, are more prevalent among larger banks, particularly in EMEA and the Americas.
North American banks have the strictest requirements for external providers. Responses from banks in North America underscore their practices in assessing risk from new suppliers. They also stand out for more frequent reviews of third-party suppliers' security measures and prompt notifications of breaches affecting suppliers' third-party vendors. Larger banks typically impose higher requirements on vendors than their smaller counterparts.
Banks host most of their IT infrastructure on site, with large banks leading migration to the cloud. Around 80% of the respondents' infrastructure remains on-premises as banks gradually migrate to cloud service and software providers with strong defence capabilities. Large banks have 65% of their infrastructure on-premises and aim to cut this figure to 55% within the next year. Banks in North America are the most advanced in this process, with more than 30% of their IT infrastructure on the cloud, while those in EMEA have only 10%.
About three-quarters of respondents carry standalone cyber insurance. Incident insurance is most prevalent in North America, with 97% reporting coverage, compared with 55% in APAC. The most common incidents covered by these policies include ransom payments, legal settlements, regulatory fines and reputational damage.
Cybersecurity is critical for banks, demanding more investments and senior management attention. As key institutions that manage vast amounts of personal and proprietary information, safeguard client wealth and facilitate transactions through payment networks, financial institutions are prime targets for cyberthreats. According to the IBM X-Force Threat Intelligence Index of 2024, financial institutions were the target of around 18% of cyberattacks globally — the second most-affected industry, behind only manufacturing companies, which had about a quarter of all incidents.
Consequently, financial institutions are at the forefront of improving cyber strategies and investing in defenses, processes and talent. As the number of attacks has risen, particularly after 2014, investments tied to cybersecurity have followed the trend. Events such as the ransomware attack on ICBC demonstrate how critical cybersecurity can be and the potential damage to bank operations. Our survey responses show financial institutions large and small have been steadily increasing the share of their budgets allocated to cybersecurity in all regions since 2019. Companies in the Americas and Asia Pacific, however, have invested more than those in Europe, the Middle East and Africa (EMEA).
Re-disseminated by The Asian Banker