Financial institutions in the U.S. and Europe experienced an average of 3.4 significant cyber breaches in the last 12 months, according to a new report by passwordless company Hypr. (Photo by Leon Neal/Getty Images)

Despite the ongoing move to multi-factor authentication (MFA), the financial sector still faces a significant problem when it comes to breaches related to identification compromise, according to one recent research report.

Released July 13, the authentication in financial services study discovered that U.S. and European financial institutions experienced an average of 3.4 significant breaches within the past year, costing these banks, credit unions and investment firms on average $2.19 million annually in losses and remediation (which does not even account for so-called “intangible and hidden costs”).

However, more troubling is that the report found that 8 in 10 of these breaches were related to a “weakness in authentication.” Hypr commissioned Vanson Bourne for the research included in "The State of Authentication in the Finance Industry 2022."

The research alleges that at the heart of this problem, financial firms have become too “complacent” about authentication practices in the face of an exponential rise (in some cases) of cyberattacks and a rising level of sophistication from cybercriminals.

“Findings uncover the burden that current authentication practices are leaving on financial organizations globally, specifically the high-risk cracks in security, strain on budgets and overall operational disruption,” according to a press release announcing the report.

“More importantly,” it continued, “the results identify the discrepancies around 'perceived' and 'actual' authentication security.”

An “alarming” (if not shocking — given recent headlines) 85% of the financial organization respondents faced a cyber breach in the past 12 months, according to findings. However, perhaps more astonishing, more than 7 out of 10 (72%) experienced multiple breaches within the same timeframe. And yet, 9 out of 10 of these breached enterprises still insist that their existing authentication approach is secure, “despite data proving otherwise.”

Despite this seeming disconnect, financial services veterans in IT security still maintain that the industry can and will regain its edge in terms of improving authentication, and thereby reduce the success and impact of subsequent cyberattacks.

“The finance industry is at the forefront of cybersecurity,” David Reilly, security and financial services strategic advisor and former CIO and CTO for Bank of America, said in Hypr’s prepared release. “As one of the most targeted sectors for attack, financial services companies have an impressive track record of adopting new, innovative defense technologies to deliver the protection that clients need.”

The report’s additional major findings include: 36% of respondents reported phishing as the “most prevalent type of attack,” followed by malware and credential stuffing, which each accounted for 31% of breaches; and push notification attacks, which accounted for 29%. The study also uncovered that nearly one-third of these organizations “lost customers to their competitors,” while 29% lost at least one employee and roughly one-quarter (26%) of them have lost customer data after they were breached.

More promising, nearly 9 out of 10 study respondents (89%) said that they“believe that passwordless MFA offers the highest level of authentication security.”

“While improvements in perimeter, network and behavioral analytics have advanced, authentication security has not moved at the same pace,” Reilly added in his statement. “We now have the opportunity to make a step-function change and improve authentication security by removing the risk of static passwords and credentials which can be learned and leveraged by attackers. Eliminating the static password risk is the strategic path forward.”

The report was based on interviews with 500 IT security decision-makers in the financial sector based in the United States, United Kingdom, France and Germany.