
2024 Cybersecurity Benchmarking Survey


The 2024 Cybersecurity Benchmarking Survey was conducted by ACA Aponix® (part of ACA Group) and the National Society of Compliance Professionals (NSCP) to help firms better manage increasing expectations and uncertainty around cybersecurity risk. This report presents the results of the survey.



The online survey was conducted between January and February 2024. This year's survey covered a wide range of topics and drew responses from compliance professionals at 308 financial services firms of various sizes.

Notable findings include:

  • Regulatory preparedness and concerns: 44% of respondents said they are uncertain about how the SEC will enforce the rules, while 36% of compliance professionals cited concerns about complying with cyber incident reporting requirements and timeframes.
  • AI risk management: While 38% of respondents have yet to identify AI as a cybersecurity risk, and 27% don’t consider AI relevant to cybersecurity, nearly half (49%) said they are in the early stages of exploring AI as a tool for cybersecurity risk management.
  • Cybersecurity threats: Respondents cited the following as the three cyber threats they are most concerned about: payment fraud/business email compromise (70%); ransomware (67%); and privacy threats and risk to personally identifiable information (52%). Respondents are least concerned about deepfakes, with just 5% citing them as a concern.
  • Cybersecurity preparedness: Approximately 79% of compliance professionals expressed confidence in their firm’s ability to respond to a cyber breach. Only 40% have done an external test of their firm’s response plan.
  • Cyber insurance: Approximately 83% are confident in their ability to respond to an unforeseen system outage. Most respondents (85%) who have cyber insurance say it is viewed as a key risk management tool.
  • Vendor cybersecurity: Despite clear concerns over how vendor due diligence is performed, more than half (51%) of firms have not renegotiated any vendor contracts with additional cybersecurity provisions in the last 24 months.