IIF/McKinsey Cyber Resilience Survey


IIF/McKinsey Cyber Resilience Survey
Cybersecurity posture of the financial services industry
March 2020

Source: IIF/McKinsey Cyber Resilience Survey 2019

Table of contents
Introduction, methodology and summary of findings
Findings on firm-level cyber resilience
Findings on sector-level cyber resilience
Findings on costs and FTEs
Findings on next-generation questions
Immediate actions to enhance cybersecurity

Background on the survey
Cyber risk has become one of the top risk concerns among financial services firms. In response, the Institute of International Finance (IIF) and McKinsey & Company have collaborated on research to provide these firms an understanding of the ways they can enable and strengthen cyber resilience, building on the current and planned practices of peer institutions.

Structure of the survey
Our research is survey-based. To help streamline member responses, we mapped our survey in part to the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The survey consisted of 107 questions across 4 key areas: firm- and sector-level cyber resilience, costs and FTEs, and next-generation questions.

Purpose of the final report
This report highlights the themes we saw across the 4 key areas, as well as insights we gained and observations we made from discussions with more than 50 firms during regional and global IIF CRO cybersecurity forums.

Research methodology and summary
Our research used two mechanisms to obtain information

Survey
- Structured in 4 sections with 107 questions
- Mapped in part to the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and Financial Services Sector Cybersecurity Profile (FSSCP)
- Responses collected by McKinsey & Company
- Responses sanitized and aggregated for reporting; none attributed to any specific respondent or institution except in individualized playback documents

Group discussions
- Conducted as part of IIF forums in 2019 and 2020
- Observations and findings are included as part of final report

Research methodology and summary
A total of 27 companies participated in the survey
Breakdown by geography, size, businesses

[Figure: respondents’ principal market; size by assets (billions, number of participants); supervisory class and geography (global, national, regional); percent of respondents with a presence in these businesses (including asset management, payments & clearing, capital markets, investment banking, corporate banking, private equity, insurance, data provider). Chart values are not recoverable from the transcription.]

Source: IIF/McKinsey Cyber Resilience Survey 2019, Questions 1 - 5

Research methodology and summary
The 4 survey sections revealed a diversity of challenges

Section A: Firm-level cyber resilience
Topic: Capabilities of each firm in developing and strengthening firm-level resilience across 7 Financial Services Sector Cybersecurity Profile (FSSCP) functions
Summary of findings:
- Firms with over 1 trillion in assets have better cyber resilience
- Largest vulnerability could be supply chain/dependency mgmt.
- Out-of-date infrastructures are at risk for hacking
- 37% said it takes more than 3 months to remediate a vulnerability
- Companies are willing to share information with peers

Section B: Sector-level cyber resilience
Topic: Information on collaboration between financial sector firms and the public sector to enhance sector-wide cyber resilience
Summary of findings:
- Many are willing to work together to raise resilience for all (e.g., 40% would do joint 3rd party / vendor due diligence)
- Many would also participate in public platforms or initiatives

Section C: Costs and FTEs
Topic: Participants’ cyber risk dedicated spend and FTE numbers, including their roles and responsibilities
Summary of findings:
- 58% self-reported underspending
- The protect function gets the most resources, some others are lacking

Section D: Next-generation questions
Topic: Future topics and integration of next-generation technology, agile methodologies, and cyber insurance coverage
Summary of findings:
- Cyber insurance levels are insufficient
- Key challenges include cloud adoption, digital innovation, talent gap
- Cloud adoption is both a challenge and an opportunity
- Automation and artificial intelligence will see continued adoption

Note: Resilience scores are calculated for every function of the FSSCP based on self reported responses, so may not accurately reflect overall organizational cyber resilience

Research methodology and summary
We also gained insights during discussions at 4 IIF CRO roundtables involving over 50 companies
CRO roundtable sessions in 4 continents

Insights
- Supply chain cybersecurity risk is overwhelmingly a key concern across firms.
- Latin America firms discussed de-risking digital transformations and leveraging cloud adoption as opportunities to increase their cyber resilience.
- European firms highlighted concerns about cloud security, and discussed opportunities to increase resilience through a regional cloud user coalition.
- Firms in the Middle East and Asia were concerned about nation-state cyber attacks and operational technology (OT) security. They were also looking to increase investments to address cybersecurity resource and talent gaps.

Research methodology and summary
The largest firms have higher cyber resilience scores across functions

- Companies with more than 1 trillion in assets had an average resilience score of 3.0
- The companies with asset class under that size had an average score of 2.6
- Cybersecurity resiliency requirements get complex as companies grow beyond a certain scale, so it is important to embed resiliency as part of the growth strategy

Note: Resilience scores are calculated for every function of the FSSCP based on self reported responses, so may not accurately reflect overall organizational cyber resilience
Source: IIF/McKinsey Cyber Resilience Survey 2019

Firm-level cyber resilience
Supply chain and dependency management could be the weakest link

[Figure: Resilience score averages and top quartile view, by function (Governance, Supply chain, Identify, Protect, Detect, Respond, Recover); series: top quartile, average; scale 0 to 4.]

- Security around supply chain and vendors, and incident response were reported as the least-mature capabilities
- For example, 33% of companies responded that they don’t have proper vendor remote access management, with multi-factor authentication
- This suggests a need to strengthen access control and other cybersecurity areas for vendors

Note: Resilience scores are calculated for every function of the FSSCP based on self reported responses, so may not accurately reflect overall organizational cyber resilience
Source: IIF/McKinsey Cyber Resilience Survey 2019 (n = 27), Question 41

Firm-level cyber resilience
Out-of-date infrastructure presents an easy target for hackers

[Figure: Percentage of production infrastructure fully up-to-date with patches, or one patch behind; % of respondents (n = 27).]

- Chart shows only 15% of firms reported that more than 90% of their infrastructure is up-to-date or one patch behind.
- Among additional findings, only 48% of companies reported they are actively scanning more than 90% of their IT environment at least monthly to identify vulnerabilities.
- Out-of-date infrastructure provides a window for hackers to gain environment access [...] known vulnerabilities, stealing data, and other malicious activities.

Source: IIF/McKinsey Cyber Resilience Survey 2019, Question 31, 47

Firm-level cyber resilience
Long lead-times to remediate vulnerabilities also increase risk

Our research is survey-based. To help streamline member responses, we mapped our survey in part to the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The survey consisted of 107 questions across 4 key areas: firm- and sector-level cyber resilience, costs and FTEs, and next-generation questions.
