RiskRecon and the Cyentia Institute published the Internet Risk Surface and Cloud Risk Surface reports in mid-2019. These studies analyzed data from RiskRecon spanning over five million Internet-facing hosts from ~20,000 organizations as well as major hosting providers around the world. The primary goal was to explore dimensions of interconnectivity, interdependence, and risk exposure that define the era of digital transformation.
We recently released a new report in collaboration with RiskRecon that leverages the same dataset and methodology as those publications but focuses exclusively on the Financial sector. It’s a good place to start because risk management is the foundation upon which financial institutions are built.
But is every firm managing cyber risk well across internal infrastructure and third-party relationships? It doesn’t take in-depth research beyond the myriad breach headlines to learn the answer to that question. But many important questions remain: What are the key dimensions of the financial sector’s Internet risk surface? How does that surface compare to other sectors? Which specific industries within Financial Services appear to be managing that risk better than others? We take up these questions and more in this report. Here’s a preview of the findings:
- The financial sector boasts the lowest rate of high and critical security exposures among all sectors. This indicates they’re doing a good job managing risk overall.
- But not all types of financial service firms appear to be managing risk equally well. For example, the rate of severe findings in the smallest commercial banks is 4x higher than that of the largest banks.
- It’s not just small community banks struggling, however. Securities and Commodities firms show a disconcerting combination of having the largest deployment of high-value assets AND the highest rate of critical security exposures.
- Others appear to be exceeding the norm. Take credit card issuers: they typically have the largest Internet footprint but balance that by maintaining the lowest rate of security exposures.
- Many other challenges and risk factors exist. For instance, the industry average rate of severe security findings in critical cloud-based assets is 3.5x that of assets hosted on-premises.
The figure below from the report compares financial subsectors along key dimensions of the Internet risk surface. At the top, we see that Insurance Carriers generally maintain a large Internet surface area (hosts, providers, countries), but a comparatively lower ranking for asset value and security findings. The Credit Intermediation subsector (the NAICS designation that includes banks, brokers, creditors, and processors) follows a similar pattern. This indicates that such organizations are, by and large, able to maintain some level of control over their expanding risk surface.
A leading percentage of high-value assets combined with a leading percentage of highly critical security findings for the Securities and Commodities subsector is a disconcerting combination. It suggests either an unusually high risk tolerance or ineffective risk management (or both), leaving those valuable assets overexposed. The Funds and Trusts subsector exhibits a more risk-averse approach, minimizing exposures across its relatively small digital footprint of valuable assets.
Download the full report from RiskRecon.