In a survey of 758 banks, insurers, money managers and other companies, the accounting and consulting firm found that cyber-security spending in these areas will top US$ 4.1 billion (£2.6 billion) in 2014 before rising another 10 to 20 percent annually in the coming years – leading to US$ 1.3 billion (£830 million) to US$ 2.6 billion (£1.6 billion) in additional spending by 2016.
The full report is still to be published, although The Wall Street Journal published an exclusive summary of the findings earlier today.
This announcement follows on from JP Morgan's CEO Jamie Dimon promising to double the company's cyber-security spend to US$ 500 million (£310 million) over the next five years – following its hack earlier this year – with the WSJ also now reporting that Wells Fargo will spend roughly US$ 250 million (£160 million) in this area, where it has also increased staffing by around 50 percent.
This splurge has, in many ways, not been a huge surprise. Market research firm Gartner reported earlier this year that cyber-security spending was to rise eight percent and Wells Fargo later added to this with their own estimate of growth in the ‘low-to-mid-teen' percentages over the next two years.
Reporters say that this spending is going on higher salaries, more consultants and staff (JP Morgan's letter to shareholders earlier this year revealed it hopes to have 1,000 cyber-security staff by the end of 2014) as well as better breach response, but information security professionals have openly questioned how cyber-security spending can be truly judged when security often fits into many other aspects of IT.
Indeed, PwC's earlier report into security spending revealed that budgets were actually set to decline in 2014, although a spokesman told SCMagazineUK.com at the time that this was tricky to truly gauge.
Grant Waterfall, cyber-security partner at the consultancy, said: “It's a bit of a mixed picture, some firms plan to spend more next year and I think it's a case of companies being in different places.
“There are also companies moving towards ‘digital disruption' to stay competitive and I am seeing those companies spending more on security, when previously it wasn't high on the agenda. However, this will hit some companies now, and others later,” he said.
Phil Cracknell, CISO and head of privacy and security services at Company 85, told SC that often expenditure is used as a way of minimising brand damage.
“Undoubtedly the JP Morgan news some time back was to directly address losses and to bolster public opinion that cyber-security was taken seriously,” he said by email. “Even back when Citibank were hacked in 1994 for US$ 10 million (£6.4 million) and it was deemed the first online robbery, Citibank lost more in customers closing accounts through lack of confidence.
“JP moved swiftly to demonstrate its financial investment in cyber-security, and its competitors will have to react accordingly. Clearly good news for consulting firms who report on this trend as PwC has, but surely the real good news is for honest people's money, that should be in safer hands!”
Josh Goldfarb, chief security strategist at FireEye, added in a call with SC that he too is seeing rising cyber-security spending but warned that money alone is no metric – and doesn't guarantee security.
“From what I've seen, there're definitely companies ramping up spending but it's not just about the amount of money they spend, but how it's spent.
“The budget is good but it's not a metric – it's a means to accomplish security and it's part of risk management,” he said.
Goldfarb added: “What people quickly realise is that not every pound of the budget can have the same impact”.
He said that most of the new money is going on new products and staff, and said that the shift from prevention to ‘prevention, detecting and response' is seeing new people processes emerge.