Over the last several years, cybersecurity regulations (like NYDFS and GDPR) have placed pressure on the financial services industry to build and enforce some of the strongest risk management programmes across any industry. These programmes focus not only on internal security performance, but also on managing third party risk. Financial service organisations are both highly regulated and handle extremely sensitive personally identifiable information (PII), and as a result typically have higher security budgets when compared to other industries.
Financial services companies also tend to perform towards the higher end of the scale from a cybersecurity perspective. Leveraging data from BitSight Sovereign Security Ratings which look at security performance at a national and industry level, we examined the security performance of the finance sector in the United Kingdom. Our researchers analysed UK Financial Services security performance for the month of May 2018 to determine whether the security posture of this industry falls where expected.
BitSight’s research shows that the average security rating for the United Kingdom — when compared to the average security rating for other European countries — is highest in Insurance, Credit Unions, and Real Estate, with Finance coming in 4th place. This is positive, given that each of these industries deal with very sensitive client information that could be extremely harmful if compromised.
This image also shows that some of the overall lowest average security ratings in the UK are in Retail, which is concerning given that retail companies work many third parties who handle customer data. There have been several instances of some very public retail breaches in the last few years. Working with third parties has a big impact on retailers’ business bottom line, so they should be proactively working to improve the cybersecurity of their supply chains.
The average security rating for the Financial Services industry itself in the UK is highest among credit unions (just below 800), and lowest among financial institutions (just below 750).
When examining the security posture of the UK’s financial sector, it helps compare its security performance relative to other major European financial powers for context. This image illustrates the average security ratings among these countries broken down by industry. Germany has the highest security rating among credit unions, and France possesses the lowest security ratings among financial institutions.
As shown above, the UK’s financial institutions are undoubtedly a clear leader in terms of security performance. UK financial firms tend to have sophisticated risk management programmes, which is reflected well in their high level of security performance.
Despite this fact, the challenge remains in closing the security performance gap between financial institutions and their third parties, who pose a significant risk to their security posture. GDPR, which is now in effect, mandates that all organisations that collect personal data must have rigorous due diligence processes to ensure the appropriate technical and organisational controls are in place before sharing data with third parties. These organisations should establish a process for regularly testing their third parties.
As the threat landscape becomes more complex and risk of breach increases, it’s more critical than ever for organisations to be aware of their own security posture as well as the vulnerabilities in their supply chain. In a recent BitSight Insights report, The Buck Stops Where: Assessing the Cyber Performance of the Finance Supply Chain, we showcase more of BitSight’s research surrounding the Finance industry and their supply chain as well as proactive recommendations for organisations to strengthen the security of their networks.