Internet Risk Surface in the Financial Sector

Partner: RiskRecon by Mastercard

Risk management is the foundation of the financial industry, yet the digital era presents novel challenges that cross traditional perimeters. This study benchmarks digital risk factors specifically for financial services, comparing them to other sectors like healthcare and energy. We delve into five key dimensions—hosts, providers, geography, asset value, and findings—to determine if the industry is successfully “mitigating and managing” its internet-facing risk.

The analysis shows that Finance leads the pack in security hygiene, boasting the lowest rate of high and critical security exposures among all sectors. The report also unmasks imbalances within the sector: for example, the rate of severe findings in the smallest commercial banks is 4 times higher than that of the largest banks. Furthermore, high-value assets in the cloud exhibit an exposure rate 3.5 times higher than those hosted on-premises.

The research highlights specific subsector vulnerabilities as well. Securities and Commodities firms show a disconcerting combination of having the largest deployment of high-value assets alongside the highest rate of critical security exposures. Conversely, credit card issuers exhibit the largest internet footprint while maintaining the lowest rate of findings. This study serves as a critical benchmark for CISOs to ground their risk modeling in sector-specific empirical realities.

Key Findings

  • Sector Security Lead: The financial sector maintains the lowest rate of high and critical security exposures compared to all other industries.
  • The 4X Size Disparity: Commercial banks with the lowest revenues have 4 times as many severe security exposures as the largest $10B+ revenue banks.
  • Cloud Exposure Penalty: The rate of severe security findings in high-value financial cloud assets is 3.5 times higher than in those hosted on-premises.
  • Credit Card Issuer Performance: Credit card issuers manage the largest average internet footprint while achieving the lowest overall rate of severe findings.
  • Securities Risk Concentration: Securities and Commodities firms have the highest percentage of high-value assets and the highest rate of critical findings in the sector.
  • Credit Union Struggles: Credit unions exhibit the smallest internet-facing footprint but harbor the highest prevalence of findings among banking institutions.
  • Narrow Performance Variation: Finance shows the least variation between its best and worst performers, indicating a high industry-wide floor for security control.

The study is an independent analysis of RiskRecon data spanning over five million internet-facing hosts from ~20,000 organizations and major global hosting providers.