Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:00 PM
Ed Bellis
Ed Bellis
Connect Directly
E-Mail vvv

Why Compliance Is No Longer King for Financial Services Cybersecurity

Financial services companies' experience in risk management serves them well when it comes to minimizing their cyber-risk.

Financial services has long been a compliance-driven industry. Nearly everything a bank or an investment adviser does is governed by some regulation. Usually, these rules are in place for consumer protection, but the rules the industry must follow extend to cybersecurity as well.

Unfortunately, auditors and other professionals tasked with compliance have historically developed their cybersecurity procedures in the dark. They don't always have a great view of what truly reduces risk to the organization. There's a box-checking mentality meant to assure regulators that cybersecurity procedures are in place, even when there's little guarantee that the procedures being audited add up to a secure environment.

Related Content:

A Call for Change in Physical Security

The Changing Face of Threat Intelligence

ISP Security: Do We Expect Too Much?

In the field of patching vulnerabilities, for example, compliance rules tend to force companies into closing security holes that pose little risk. And that's a problem, because there is no company on the planet with the resources to fix every vulnerability on its systems.

Fortunately, the finance sector has broad experience in risk management, and more and more of these companies are adopting risk-based vulnerability management approaches that rely on objective data rather than aged "best practices."

These two countervailing observations raise important questions. Are financial services companies investing their cybersecurity resources in the right areas? Are they truly reducing cybersecurity risk while still maintaining compliance?

How Financial Services Stacks Up
New research conducted by the Cyentia Institute and Kenna Security is providing important answers to these questions.

At first glance, Cyentia's research shows that financial services companies have big challenges. On average, financial institutions have four times more security vulnerabilities than companies in other industries. But thinking this through, it's not too surprising. The footprint of assets for these firms is not only large but made up of many general-purpose computing devices, which make them ripe for a wide array of vulnerabilities.

But as we have seen in previous research, not every vulnerability poses a significant risk. In fact, we see exploitation activity for only about 5% of these vulnerabilities "in the wild." This is good news because, on average, a typical company can fix just one out of 10 vulnerabilities.

In aggregate, the financial services sector does particularly well in focusing on high-risk vulnerabilities, patching nearly 85% of them. And some companies do better than others. That's impressive given their large digital footprint, especially noting that financial services outperformed most industries in our research.

Risk management is in the DNA of most financial services companies, and that accounts for much of their success in this area. We know that attackers tend to follow well-worn paths, reusing tools and abusing the same security gaps over and over. They often focus on certain operating systems and certain software publishers because they have higher market penetration. Likewise, they also tend to focus their efforts on a select group of vulnerabilities that can be leveraged for profit. 

Using tools and data science, companies can identify which vulnerabilities are more likely than not to be exploited by hackers. Risk-based vulnerability management programs are tailored to tackling these vulnerabilities first. 

This is all to say that tides are changing in financial services' security practices, and this is reason for optimism. What was once a pure focus on compliance is now shifting. More and more organizations are adopting better practices to improve security and lower risk, as Cyentia's data reflects. 

On the whole, the financial services industry does an impressive job of managing vulnerability risk. If they are as good at other cybersecurity disciplines as they are at vulnerability management, there's reason to be optimistic. Cybersecurity is often regarded as an expense rather than an investment, but done right, chaotic practices that never seem adequate can evolve into well-managed programs that provide real value for organizations.

Ed Bellis is a security industry veteran and expert and was once named Information Security Executive of the Year. He founded Kenna Security to deliver a data-driven, risk-based approach to remediation and help IT teams prioritize and thwart would-be security threats. Ed is ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...