While all industries must ensure appropriate data protection safeguards are in place, the financial services industry must be especially vigilant for a variety of reasons. These include the value of the data to attackers, the need to comply with difficult regulations and prevent costly fines and the importance of maintaining the trust and confidence of consumers. The purpose of this research is to understand the threats to financial technology and software and steps taken to minimize the risks.
Sponsored by Synopsys, Ponemon Institute surveyed 414 IT and IT security practitioners in all sectors of the financial services industry including banking, insurance, mortgage lending/processing and brokerage.
All participants in this research are involved in assessing the security of financial applications within their organizations. Their roles include installation and implementation of financial applications, development and manufacture of financial applications, and provision of services to the financial industry.
(Visit Synopsys for the full study; the results are summarized here.)
Financial services companies worry about third-party risk. We asked respondents to rate their concern about the cybersecurity posture of financial software systems developed by their organization or supplied by a third party on a scale of 1 = not concerned to 10 = very concerned. Figure 1 shows the most concerned responses (7+ on the ten-point scale).
Some 74 percent of respondents are very concerned about the security of financial software and systems supplied by a third party. However, only 43 percent of respondents require contractors, business parties and other third parties to adhere to their cybersecurity requirements. Fewer respondents (62 percent) are very concerned about the financial software and systems developed by their organizations.
Part 2. Key findings
In this section, we provide a deeper dive into the findings of the research. The complete audited findings are presented in the Appendix of the report. We have organized the research into the following topics.
- The cybersecurity posture of financial services companies
- Risks to financial software and applications
- Security practices in the design and development of financial service software and technologies
The cybersecurity posture of financial services companies
Most companies are effective in detecting and containing cyberattacks. Respondents were asked to rate their effectiveness in preventing, detecting and containing cyberattacks on a scale of 1 = ineffective to 10 = very effective. The majority of respondents are confident in their effectiveness in detecting (56 percent) and containing (53 percent) attacks but less so in preventing an attack (only 31 percent).
Most organizations have a cybersecurity program or team. Sixty-seven percent of respondents say their organizations have a cybersecurity program or team. Some 60 percent of respondents say cybersecurity is part of the traditional IT cybersecurity team and more than half (51 percent of respondents) say the cybersecurity team is decentralized, with cybersecurity experts attached to specific product development teams. Only 23 percent of respondents say cybersecurity is the responsibility of product development.
Pen testing and dynamic security testing/DAST are considered the most effective in reducing cybersecurity risks. Some 65 percent of respondents say pen testing and 63 percent of respondents say dynamic security testing/DAST are the most effective activities in reducing cybersecurity risks. Also effective are security patch management, system debugging and threat modeling.
Organizations need more resources and in-house expertise to mitigate cybersecurity risks. Only 45 percent of respondents say they have adequate budget to address cybersecurity risks and only 38 percent of respondents say their organizations have the necessary cybersecurity skills.
Respondents are more concerned about the cybersecurity posture of the financial services industry than the difficulty in complying with regulations. Respondents were asked to indicate their concern about cybersecurity risks on a scale of 1 = no concern to 10 = very concerned. Some 65 percent of respondents are very concerned about the cybersecurity posture of the financial services industry. Despite new regulations, such as NYDFS, 61 percent of respondents say regulatory requirements in the financial services industry are not keeping pace with changing financial technologies.
Risks to financial software and applications
Cloud migration tools pose the greatest cybersecurity risk. Of the software and technologies that pose the greatest cybersecurity risk to financial services companies, 60 percent of respondents say cloud migration tools, followed by blockchain tools (52 percent of respondents), create the greatest risk.
The threat of malicious actors is motivating companies to apply cybersecurity-related controls in financial software and technologies. Some 84 percent of respondents say their organizations are very concerned (7+ on a scale of 1 = not concerned to 10 = very concerned) that a malicious actor may target the financial software and technology developed by or used by their organizations. As a result, 83 percent of respondents say there is a very high urgency (7+ on a scale of 1 = low urgency to 10 = high urgency) to apply cybersecurity-related controls in financial software and systems. Only 25 percent of respondents are confident that security vulnerabilities in financial software and systems can be detected before going to market (7+ on a scale of 1 = not confident to 10 = very confident).
To read the rest of the results, and more comprehensive analysis, visit the Synopsys website.