Just 8% of cybersecurity heads at U.S. financial firms report to the chief executive officer directly and more should do so to improve decision-making, according to the Financial Services Information Sharing & Analysis Center.
The industry group's first-ever survey on the topic showed that 39% of chief information security officers report directly to the chief information officer, followed by 14% who said they answer to the chief risk officer.
Before the 2008 financial crisis, most risk chiefs didn't report directly to the CEO, reflecting a lack of influence at the biggest banks just as the industry was piling on more risk. After the crisis, risk managers had considerably more clout.
"Free and direct flow of critical information to the CEO and to the board of directors will help increase transparency and facilitate faster decision-making," the group said in a statement accompanying the survey, to be published Monday.
The most critical defense against cyberattacks is employee training, according to 35% of those surveyed, ahead of network defense and infrastructure upgrades (25%) and breach prevention (17%). Protective measures on a firm's computer system can still fail if a worker clicks on a link or downloads an email attachment carrying malicious code.
A majority of respondents, 54%, said they send quarterly reports to their companies' boards, while 18% said they do so twice a year and 16% annually. The survey was conducted in the fourth quarter of last year, with 102 chief information security officers responding.
A related survey from Accenture Plc found that financial-services firms face the highest cyber-crime costs of all industries. Financial companies deal with an average of 125 breaches a year, resulting in annual costs of about $18 million per firm, according to the survey, scheduled for release on Tuesday. That's up 10% from a year ago and 40% in three years. Accenture's survey was conducted in the third quarter and involved 42 financial companies.