Microsoft Industry Blogs

A look at cyber risk trends in financial services

Cyber risk trends in financial services are often cited in the media. Cyber incidents are growing at high double-digit percentages (or more) year-on-year. And the business of insuring cyber risks appears to be growing even faster. Banks and insurers are subject to ever more cyber-oriented regulation that ranges from identifying required controls to more specific regulatory technical standards or reporting requirements. Among these challenges, a competing objective is to maintain or enhance customer experience while applying the required controls.

Looking more closely at some of these trends provides further insight. Especially in financial services, social media has emerged as a source of attack. And attacks directed at people—for example, obtaining credentials through deception—have increased and may exceed other types, such as network-directed attacks, per the Chubb Cyber Index.

So-called “outside-in” analysis of business exposure to cyber risks has also emerged in the past few years with a number of vendors providing risk estimates for a business based on information that can be sourced or detected on the internet.

Trends in cyber risk underwriting

More widespread cybercrime reporting—including the publication of crime indices and the emergence of incident-reporting standards—is improving the potential for more robust actuarial analysis of cyber risks and therefore more accurate pricing of coverage. Some insurance and reinsurance market participants have started to develop deeper competencies in cyber risk underwriting. In the future, greater industry-wide sharing of anonymized security and incident data might help in this space.

Coverage of cyber risk will likely continue to increase (in terms of volume of written policies) and may become more widely accessible—and not just in the enterprise market, but perhaps for small businesses and individuals, as well. The prerequisites for obtaining coverage or improving rates or terms may mature over time. While independent or self-assessments are often required for both coverage and for general risk reporting, insurers may move to offering deeper guidance on risk management. Indeed, insurance may also be offered in partnership with vendors who have these insights.

How Microsoft is investing in solutions for cybersecurity

Microsoft is working on ways to help financial services customers keep ahead on cybersecurity, whether by reducing cyber risk or by reducing the effort required to manage this risk on an ongoing basis. Below are several examples of our cybersecurity investments.

  • Microsoft has licensed the Unified Compliance Framework (UCF), which Microsoft customers can access through the Microsoft Common Controls Hub. This allows financial institutions to de-duplicate and assess the risk controls implied by more than 800 laws and standards and to map these to controls applied in, for example, the Azure platform.
  • We recently provided blueprints for running common financial services workloads in the cloud that observe Federal Financial Institutions Examination Council (FFIEC) compliance—including listing security control implementation mappings and a responsibility matrix. Similar blueprints are provided for Payment Card Industry Data Security Standard (PCI DSS) compliance.
  • We see identity management as a key pillar of cyber risk management. For many years we have been helping our customers implement hybrid identity solutions for employees with Azure AD and to view attack information and manage risk policies using Advanced Threat Protection. More recently we have been helping insurers and banks implement Azure Active Directory B2B and B2C with threat protection for their partner/intermediary and customer facing solutions. We’ve also helped secure API access using these technologies in open banking scenarios in line with the second Payment Services Directive (PSD2) Secure Customer Authentication (SCA) standard.
  • As we describe in a recent post, Microsoft Services has used the Azure platform and AI features to help detect various types of fraud in real time in mobile banking scenarios. While we are not alone among technology vendors in using AI in our threat protection solutions, this example shows how banks can use the power of AI to secure their custom applications. Some of our customers are also starting to investigate how to use the cloud and AI more broadly for fraud hubs, which bring together activity, log, and transactional information from disparate systems in real time for insights into financial crimes as well as customer behavior.

In addition to our efforts in these specific areas, Microsoft Services teams work with banks and insurers around the world to plan cybersecurity initiatives, improve management of security operations, and recover business operations after a compromise.