Scope and (many) Limitations

It is essential to clarify from the outset that this analysis does not seek to establish a direct correlation between cybersecurity expenditure and measurable security outcomes, such as the successful mitigation of cyber threats or financial savings resulting from reduced attack impact. While investment in cybersecurity is a necessary component of a robust defence strategy, the complexity of cyber risk, evolving threat landscapes, and the multifaceted nature of security effectiveness preclude any straightforward causal relationship between financial allocation and security success. This study, therefore, focuses on the strategic prioritisation of cybersecurity investment within financial institutions rather than attempting to quantify its direct operational efficacy.

Furthermore, it is important to note that the financial data presented reflects cybersecurity spending over a multi-year period, albeit one from several years ago. Given that this analysis is conducted in 2025, some figures may not fully capture more recent investment trends, emerging security technologies, or shifts in cyber risk exposure. While historical data provides valuable insight into spending patterns and institutional priorities, it does not necessarily indicate present or future financial commitments.

A subsequent analysis will seek to explore potential correlations between cybersecurity investment and key security outcomes, leveraging publicly accessible data where possible. This follow-up study will critically assess available metrics—such as breach frequency, regulatory penalties, and operational resilience—to determine whether any discernible patterns emerge between financial commitment to cybersecurity and real-world security performance. However, given the inherent challenges of isolating variables in this domain, findings will be framed within the limitations of available data, temporal gaps in financial reporting, and broader contextual industry factors.

Financial Comparisons Across a Handful of Major Banks

Major global banks have dramatically increased their cybersecurity investments in the past five years, both in absolute spending and as a share of IT budgets. Table 1 below compares cybersecurity spending for several top banks (by assets) in 2018 vs. 2022, illustrating these trends. North American banks show some of the highest absolute cyber budgets (hundreds of millions of USD annually), while European banks tend to allocate a slightly higher percentage of their IT budget to security. Asia-Pacific banks historically spent less on cybersecurity (contributing to higher vulnerability rates in that region (Low investments in cybersecurity expose financial sector to threats: Experts – The Economic Times), but are now rapidly ramping up investments as cyber threats intensify globally.

Table 1. Cybersecurity Budget Trends at Selected Major Banks (2018–2022) (link here)

Regional Case Studies

Detailed case studies from different regions demonstrate how major banks are implementing significant cybersecurity initiatives. These examples show how banks tailor their cyber strategies to address region-specific threats and comply with local regulations, while investing heavily to bolster resilience.

North America: JPMorgan Chase & Co.

JPMorganChase, the largest U.S. bank by assets, has made cybersecurity a centerpiece of its technology strategy. In 2019, the bank spent roughly $600 million annually on cybersecurity and employs about 3,000 cybersecurity personnel (With $600 Million Cybersecurity Budget, JPMorgan Chief Endorses AI and Cloud – SecurityWeek). For perspective, this budget was a dramatic increase from preceding years (the bank’s cyber spend doubled from $250 million to $500 million in the mid-2010s (2018 Cybersecurity Market Report), reaching ~$600 million by 2019). JPMorgan’s CEO Jamie Dimon identified cyber risk as perhaps “the biggest threat to the U.S. financial system” (With $600 Million Cybersecurity Budget, JPMorgan Chief Endorses AI and Cloud – SecurityWeek), underscoring why the bank continues to pour resources into cyber defence. JPMorgan’s initiatives focus on advanced capabilities like artificial intelligence and cloud security. Again in 2019, Dimon endorsed a move “all in” on cloud and AI to enhance security, noting the cloud can improve resiliency and scale defenses.

Fast forward to 2024, and JPMorgan’s situation was laid bare by CEO JPM’s Asset Management & Wealth Mary Callahan Erdoes:

Hard numbers on the above were stated during the conference as: $15bn annual technology spend with 62,000 technologists, many of whom were/are focused on cyber specifically.

The firm has built multi-layered defenses and real-time monitoring to handle everything from routine fraud attempts to advanced nation-state threats. U.S. regulatory expectations (from bodies like the FFIEC and New York State DFS) and industry collaboration via the Financial Services Information Sharing and Analysis Center (FS-ISAC) have further driven JPMorgan’s strategy. The bank regularly works with government and industry partners to share threat intelligence and bolster critical infrastructure protection.

Europe: HSBC Holdings plc

HSBC, one of Europe’s largest banks (with a global footprint concentrated in Europe and Asia), has likewise made robust cybersecurity investments and adaptations. HSBC’s annual cybersecurity spending is estimated in the hundreds of millions (USD) – on the order of $600–750 million per year in recent years (Financial Firms Spend Up to $3,000 Per Employee on Cybersecurity). This forms a significant portion of HSBC’s roughly $6 billion overall technology budget (approaching ~10% allocated to security). HSBC’s approach to cybersecurity is heavily influenced by the cross-border regulatory landscape and evolving threats in its key markets. European regulations (think the EU’s General Data Protection Regulation (GDPR) and the PSD2 directive (mandating strong customer authentication)) have pushed banks like HSBC to achieve high standards in data security and fraud prevention. Additionally, EU supervisors (e.g. the European Central Bank) now ask banks for detailed cyber resilience metrics (such as dedicated security staffing) to ensure preparedness (THE CHALLENGE OF ORGANIZING THE BUDGETARY MANAGEMENT OF CYBERSECURITY IN YOUR COMPANY – RiskInsight).

In response, HSBC announced a series of security initiatives to stay ahead of emerging threats. For example, in 2023, HSBC announced that it had become the first bank in the UK to trial quantum cryptography for network security, partnering with BT Group and Toshiba to pilot Quantum Key Distribution for encrypting data between its London data centres (We’re fighting the cyber criminals of the future | HSBC News).

This quote is from former CEO of HSBC Europe, Colin Bell, who highlighted HSBC’s proactive stance on next-generation security. HSBC also continually upgrades more immediate defences: the bank processes 4.5 billion payments a year, and it relies on encryption and real-time threat monitoring to protect those transactions.

Asia-Pacific: DBS Bank (Singapore)
In the Asia-Pacific region, DBS Bank provides a case study in integrating cybersecurity deeply into a digital transformation strategy. DBS is a leading Singapore-based bank operating across Asia, and it has been recognised as one of the world’s most technologically advanced banks. With this digital focus, DBS’s leadership is acutely aware that cyber risk comes hand-in-hand with innovation. A quote from Seng Wei Keng in this FS-ISAC piece sets the tone nicely:

DBS has implemented a multi-layer “onion” security architecture to defend its systems (DBS’ Piyush Gupta explains how the bank deals with digital trust in an era of deep fakes and misinformation – CNA). According to CEO Piyush Gupta, DBS operates under the assumption that some attackers will penetrate outer defences, so the bank emphasises in-depth measures and internal monitoring to limit any potential damage. This includes extensive use of techniques like micro-segmentation of networks, behavioural analytics, and AI-driven anomaly detection to quickly identify and isolate threats. DBS also contracts specialised cybersecurity firms to scour the dark web for any signs of attacks targeting the bank or brand, enabling rapid takedowns of phishing sites and fake domains. These initiatives have earned DBS recognition; it was the first bank to implement an innovative “digital soft token” mobile authenticator (with a money-back security guarantee for customers) and won the regional Cybersecurity Award in 2019 for its security excellence (DBS: On Becoming the Wizard of Digital Transformation).

Regional regulations and threat trends shape DBS’s cyber strategy as well. Singapore’s regulator, the Monetary Authority of Singapore (MAS), imposes stringent Technology Risk Management guidelines, requiring banks to maintain strong cyber governance and report incidents within hours. DBS not only complies but often exceeds these requirements, serving as an industry leader in implementation of measures like secure API frameworks and zero-trust principles. Asia-Pacific has become the most targeted region for cyberattacks globally (31% of all reported cyber incidents in 2022, for example, were in APAC) (Top Cybersecurity Statistics for 2024 | Cobalt), so banks like DBS have had to rapidly elevate their defences. The bank’s investments in cybersecurity have grown annually (while exact figures aren’t public, DBS’s overall tech spending is substantial, and a healthy fraction is devoted to security efforts). By leveraging its tech-forward culture and complying with forward-looking initiatives (for example, MAS’s 2024 quantum-resilience trials with banks (MAS to commence quantum-proofing cybersecurity trials with banks …)), DBS adapts to the region’s unique challenges.

Executive Quotes on Cybersecurity Investments

Leaving the reader with these quotes gives you a sense – at least on paper and in front of the press mic – of the seriousness with which bank executives are taking the cyber threat. Leading banking executives have explicitly underscored the importance of proactive cybersecurity investment and strategy – and it’s clear that the spend, both in total volume and as a percentage of IT spend – supports their intuitions. Whilst data are sometimes a bit hard to nail down, what’s clear is that major banks, globally, are spending with vigour. (How effective spend is in reducing loss from cyber attacks is a topic for another article, although successes like that of DBS, for example, suggest risk and impact can be managed well.)

Below are selected quotes from CEOs and board-level leaders at major banks over the past years, highlighting their perspectives on cyber initiatives and commitment:

• Brian Moynihan (CEO, Bank of America): “I go to bed every night feeling comfortable that [our cybersecurity] group has all the money, because they never have to ask… You’ve got to be willing to do what it takes at this point.” (Making the Right Investment in Cybersecurity | Bank Director – thank you Emily McCormick for the nod to the quote drawn from a 2015 interview with Bloomberg in which Moynihan 2015 described giving “unlimited” budget to cybersecurity, reflecting an open-ended commitment to cyber defence. *And that was 2015!
• Jamie Dimon (CEO, JPMorgan Chase): “Cybersecurity…may very well be the biggest threat to the U.S. financial system,” he warned, while noting the growing mobilisation of industry and government to combat it (With $600 Million Cybersecurity Budget, JPMorgan Chief Endorses AI and Cloud – SecurityWeek).
• Colin Bell (CEO, HSBC Bank plc & HSBC Europe): “Our customers, clients and employees expect us to have safe and secure operations and resilient cybersecurity, so we must stay ahead of the curve… That’s why we’re already preparing our global operations for a quantum future. We’re…investing in strong, strategic partnerships to explore how we could deploy these technologies as they develop.” (We’re fighting the cyber criminals of the future | HSBC News) (Emphasising a forward-looking investment in next-generation security technologies at HSBC.)
• Piyush Gupta (CEO, DBS Bank): “Security is paramount today… There are not only state actors, but large criminal syndicates, who are always trying to get in.” (DBS’ Piyush Gupta explains how the bank deals with digital trust in an era of deep fakes and misinformation – CNA) Gupta has also noted that he operates under a “not if, but when” assumption regarding attacks, using that mindset to drive continuous investment in layered security measures. This philosophy highlights a strategic shift to persistent vigilance and resilience in cybersecurity.

Next I’ll attempt to articulate the impact of this spend…

About the Author

Nick Kelly | SecureFlag | CyAN Member

Website: www.secureflag.com

LinkedIn: Nick Kelly