The cybersecurity posture of financial-services companies: IIF/McKinsey Cyber Resilience Survey

A recent joint survey on cyber resilience by the Institute of International Finance (IIF) and McKinsey found significant concerns regarding third-party security, and our survey determined that 33 percent of financial-services firms do not have proper vendor remote-access management with multifactor-authentication controls.

The survey was designed to provide an understanding of current and planned practices that financial firms are undertaking to enable and strengthen firm- and sector-level cyber resilience. Twenty-seven globally active firms participated in the survey, and more than 50 companies participated in group discussions in meetings we convened with chief risk officers in the Americas, Asia, Europe, and the Middle East.

The report IIF/McKinsey Cyber Resilience Survey: Cybersecurity posture of the financial-services industry focuses on four different areas: firm-level cyber resilience, sector-level cyber resilience, costs and full-time-equivalent employees, and next-generation trends (exhibit). A key theme is around building up cybersecurity controls around supply chains, including third- or fourth-party risks, in areas such as vendor remote-access management, activity monitoring, and concentration risk.

The four survey sections revealed a diversity of challenges.

Key challenges reported by firms include regulations, cloud adoption, digitization, and the talent gap. Firms said they are active in platforms to share threat intelligence and participate frequently in sectorwide cyber exercises. Automation is seeing extensive adoption, and this could soon be followed by elements of cognitive computing. The report also includes a number of recommendations and industry practices, collected through the survey, that companies can draw on to enhance their cybersecurity posture.

Download the full report for a deeper dive on the results (PDF–1MB).