
Among the most mature for cybersecurity, the financial system still has a long way to go

Based on data from eight years of working to assess cyber risk at hundreds of companies across many sectors in dozens of countries, it is clear that the financial sector is one of the best prepared for an attack, reflecting years of improvements and investment. But although it lagged behind only the industrial, cyber and manufacturing sectors, the financial sector still has a lot of work to do, as our soon-to-be-published research found.

Not only does the financial sector need to guard the private details of millions of people, and stay functioning in order for other businesses to run, but an attack on it could also cause panic and chaos in global markets, undermining general stability. In fact, the U.S. Federal Reserve Chairman Jerome Powell has said that cyber attacks are his biggest worry. “That's really where the risk I would say is now, rather than something that looked like the global financial crisis,” Powell said.

In order to assess the maturity of cybersecurity in the financial and many other sectors, we examined the internal data and information gathered from hundreds of real-life cybersecurity assessments we have carried out globally, and scored each sector on seven key elements of cybersecurity. The methodology was based on the U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC), which is used to evaluate potential government contractors, giving them a score ranging from 0 to 5.

Overall, we gave the banking and financial sector a score of 2.2, which is relatively low when the highest possible score is 5; but no sector scored higher than 2.5, and most came in under 2, again reflecting the progress and relatively good standing of the financial sector. Here are some of the reasons behind the finance sector’s score, and some ideas for improvement.

Is compliance enough?
The financial services industry is one of the most tightly regulated, and in recent years has faced additional regulation related to cybersecurity. The industry has increased spending significantly, partly to comply with these regulations. There is, indeed, some correlation between cybersecurity readiness and the stringency of regulation; for example, strict privacy regulations offer some explanation for why our research found Germany to be the most mature country in terms of overall cybersecurity. Yet compliance, while it helps, is not enough: banks and financial institutions are still being attacked.

What does help is understanding the actual, real-time risks, including who the potential attackers are and which kinds of cyber criminals are likely to target the institution. That requires a combination of visibility (being able to monitor and understand the full scope of digital connections and assets) and threat analysis. Banks do seem on track to improve in this area: our research, based on our evaluations of hundreds of organizations, found that banks and financial institutions lead the way in security operations monitoring and incident response, with most having departments and employees dedicated to these functions. But it is increasingly important that these teams be tailored to the most relevant and significant threats. For example, with the rise in state-backed attacks, these teams should include professionals with experience in military or government cybersecurity.

While compliance may encourage setting up policies and procedures for responding to and mitigating risk, these only actually prevent or minimize damage from attacks if a company has full visibility into its potential attack surfaces and avenues, and has the talent to respond effectively. The lack of sufficient, proactive visibility is the leading underlying reason for the cyber vulnerabilities that criminals can leverage.

Where banks really lag behind
The financial sector scored among the lowest in the category of application security. This stems partly from the massive increase in the use of online and mobile banking and financial apps since the COVID pandemic began; many institutions struggled to keep their security measures up to speed as they saw rapid growth in digital users. With many people used to simple, streamlined online experiences and expecting to manage all of their wealth with a few taps on a mobile phone, banks have faced challenges in balancing good user experience with security measures.

But solutions are emerging, including a growing number of autonomous verification and security tools that work in the background to evaluate users without affecting their experience. It is also likely that consumers will begin to embrace increased security measures, such as multi-factor authentication, especially as other sectors push for such steps. In any case, this is where banks most need to improve: in finding creative ways to offer secure yet user-friendly experiences. It should be noted that the best-scoring sector in this category was online gaming, which sees its apps as absolutely essential to its core business; they are, in fact, the main product. Banks also need to start thinking this way, treating their apps as assets core to their business, just as important as any other key business holding, such as intellectual property or capital.

Drills and war games raise public awareness
Israel, along with the IMF, recently led a 10-day simulation of what would happen if the world’s financial systems were hit by a major cyber attack. At least 10 countries participated in this first-of-its-kind war game. We need to see more exercises like this, mainly because they raise public awareness and provide a venue for working out how governments and the private sector can cooperate to minimize damage, especially as threats from state-level actors continue.

Having said that, individual companies should not base their security decisions on simulations, but on understanding their real risk and how cybersecurity risk translates into business risk. In fact, businesses, including banks and financial institutions, should be vigilant about conducting routine ethical hacking tests on themselves, not simply to meet standards and regulations or to produce long lists of vulnerabilities, but to find out whether their defenses are focused on the places most essential to their business. When looking to implement any of the new and promising cybersecurity solutions and tools that are increasingly emerging to protect large institutions like banks, organizations need to prioritize protecting the assets that are most key to their business.

As attacks continue, the stakes are only growing for financial institutions. At the level of an individual business, the price tag for an attack is large in terms of both reputational and financial damage, especially as cyber insurance providers are likely to cut back on coverage, or at least raise premiums, in the coming year. But at a macro level, guarding against attacks on the financial system, or at least mitigating the damage they cause, is increasingly essential for global stability. Being among the best-prepared sectors is no longer enough, especially when all sectors have such a long way to go and the stakes are so high.
