4 Ways a Cyber Breach or Non-Compliance Can Cost Your Firm

It’s no secret that cybersecurity is an urgent affair: according to IBM’s Cost of a Data Breach report, the average cost of a data breach in the United States is $9.4 million, more than double the global average. The financial sector, which handles particularly sensitive data, is no exception. Last year, online trading platform Robinhood and crypto exchange Bitmart were among the firms that suffered breaches; in Bitmart’s case, attackers stole nearly $200 million worth of cryptocurrency.

Often, though, data breaches are costly not because money is stolen directly, but because remediation is expensive, customer trust is lost, and regulators pursue sanctions. With that in mind, let’s look at four ways a cyber breach or non-compliance can cost your firm, and what to do about it.

1. Regulatory Fines
As cyber attacks become more frequent and costly, regulators are cracking down. Last year, the Securities and Exchange Commission (SEC) sanctioned eight investment firms for cybersecurity failures that exposed the personal information of thousands of clients. In each case, employees’ cloud-based email accounts were taken over by unauthorized third parties. The accounts had not been protected in the manner the firms’ own security policies required, and the breaches were not communicated properly afterward.

Earlier this year, the SEC also proposed new cybersecurity rules to improve risk management and incident reporting. The rules are still being finalized, but they signal that further enforcement is coming.

2. Client Lawsuits
While regulatory agencies can impose monetary sanctions on firms that fail to protect sensitive data, so can clients, particularly when they band together in class action lawsuits. Numerous companies have faced and settled class action lawsuits over data breaches, including Capital One ($190 million), Morgan Stanley ($60 million), and Equifax ($380 million).

The risk of a class action lawsuit varies by organization, but real estate investment trusts (REITs) hold large amounts of sensitive personally identifiable information and may be at greater risk as a result.

3. Incident Investigation and Remediation
Regulatory fines and class action lawsuits are costs that follow a data breach. But the impact of an attack can also be immediate. When your operations are disrupted, deals cannot be closed. On top of that, your firm will have to pay for a forensic investigation to establish what happened and what was taken. You will likely have to buy new security tooling to keep it from happening again, at a time when that tooling was not budgeted for. These tools are a good investment either way, but it is far cheaper to put them in place proactively.

Furthermore, handling disclosures and public relations will require a tremendous amount of time from upper management, executives whose hours are the most expensive in the firm. All in all, handling a breach properly costs real money while pulling senior leaders’ attention away from other pressing matters.

4. Lost Business or Damaged Reputation
Data breaches also shake investor and client confidence, and for good reason. Even a seemingly innocuous incident, like an unauthorized email blast, forces your firm to explain how it happened, and that explanation may lead investors to question the reliability of your controls. In a McKinsey consumer survey, 87% of respondents said they would not do business with a company if they had concerns about its security practices. This cost is the hardest to quantify, but perhaps the most worrisome: customer trust is difficult to rebuild once it has been shaken.

Preventing Costly Data Breaches
When you add it up, cyber breaches can be very costly, and most firms cannot easily absorb the cost of cleaning up a breach or the penalties for non-compliance. To avoid that scenario, financial services companies need to plan for it. Cybersecurity cannot be an afterthought any longer.

To minimize such costs, make sure your cybersecurity policies are actually implemented and enforced, not just written down; as the SEC’s actions above show, a policy that is not applied to every account offers no protection. Additionally, conduct annual cybersecurity awareness training, annual penetration tests, ongoing phishing simulations, and tabletop exercises that walk through your response to a realistic incident. By rehearsing how to handle a breach before one occurs, your firm can reduce many of the costs outlined above.
 
With the cost of a data breach or non-compliance so high, it’s easy to feel overwhelmed. Having an experienced cybersecurity partner by your side can help minimize these costs and improve peace of mind. To learn how ECI can help your firm stay protected, contact us today.
