Cybersecurity Budgets and Benchmarks for Financial Institutions

While cybersecurity budgets at financial services institutions are constrained compared with previous years, fundamental concerns still dominate priorities, according to a recent survey report.

Digital transformation is the top business driver for cybersecurity, but respondents indicate that regulatory pressure is increasing and gaining in importance. Further, it seems cybersecurity functions are increasing their focus on business impact and risks, not just technology challenges, reflecting cybersecurity’s growing strategic role for the business.

The survey, which captures the opinions of executives from 61 financial institutions of varying sizes and geographies, finds that even though cybersecurity programs are maturing under the pressure of business requirements and regulatory interest, chief information security officers (CISOs) face budgetary challenges. Financial institutions have reduced cybersecurity budgets as a share of total revenue in the banking and capital markets and insurance sectors—from 0.72% in 2021 to 0.54% in 2023. However, spending grew slightly relative to total revenues in investment management, from 0.40% in 2021 to 0.49% in 2023.

Within those budgets, spending priorities revealed by the survey are largely consistent with those seen in the 2020 and 2021 surveys. Infrastructure and network security, threat detection and response, strategy and governance, and identity and access management capabilities continue to command the largest shares of spending.


For a significant majority of institutions (87%), most cybersecurity spending is devoted to operations—not capital investment—including 6% of respondents who are fully focused on operations, with no allocation to transformative investments.

As cybersecurity assumes a more central role in business and risk management, CISOs’ strategies are increasingly driven by their organisation’s broader needs. For example, the three top business considerations cited in the 2023 survey were transformation program/strategy, identified risks and issues, and innovation.


Digital Transformation, Risk Reduction

As the aftershocks of the COVID-19 pandemic fade, financial services institutions are refining their strategies for digital transformation, and the survey indicates that cybersecurity is being integrated into the new processes and systems as they are built. Cloud computing remains the top transformation priority for financial services institutions, according to the survey, followed by increased use of intensive data analytics. Interest in AI is surging as well, creating new concerns that CISOs should consider addressing.

What’s more, regulators are focusing on cybersecurity and IT risks, leading many financial services institutions to pay increased attention to managing identified risks. The survey finds that three in four financial services institutions identify coping with identified risks—such as audit findings and other regulatory issues—as the main drivers for cybersecurity spending, almost on par with new digital investments.

The growing importance of risk reduction is also reflected in financial services institutions’ spending: Regulatory drivers account for more than half of the cybersecurity budget at 46% of the firms surveyed, while 54% report that strategic priorities are dominant.

These two drivers—increased risk and regulatory pressures—feed one another, notes the survey report. Specifically, new technology introduced into business processes invites increased regulatory scrutiny. While some regulators have been focused on risks associated with cloud data and services, cyber concerns raised by AI and cognitive computing are soon likely to attract more attention, according to the report.

Delivering Cybersecurity to the Business

The majority (61%) of responding financial institutions report that their cybersecurity function follows a global, centralised, and consolidated operating model. In such a model, the cybersecurity function spans the institution’s geographic locations; centralises services, policies, and standards for the benefit of the business lines; and consolidates its focus on all aspects of cybersecurity, from technology and IT to the impact on business, risk, and talent.

The second most common operating model (24%) is globally centralised, with an IT focus—leaving some aspects of cybersecurity to the broader business organisation. Only 2% of institutions report that their operating model distributes cybersecurity functions to business units.

CISOs continue to depend on outsourcing for many of their operations: 42% of respondents indicate that they outsource more than 25% of their organisation’s cybersecurity budget. However, 21% of respondents say that they have not outsourced any of their cybersecurity operations. Security operations centres are most commonly outsourced (43%), followed by incident detection and response (32%) and so-called red teaming (32%). Virtually all financial services institutions (96%) prefer to keep cloud security in-house.

—by Julie Bernard, principal, and Meghana Kanitkar, managing director, both with Deloitte Risk & Financial Advisory, Deloitte & Touche LLP,