Why Vulnerability Management is Foundational to Cybersecurity in Financial Services

The ability to effectively manage vulnerabilities in an efficient and strategic manner is critical for companies. The ongoing practice of identifying, classifying, prioritizing, and fixing software vulnerabilities should be a key component of the development process. If it’s not, teams might turn out applications that contain vulnerabilities with consequences ranging from mild annoyances to disastrous security breaches.

This post is the first of a series in which we will look at the importance of vulnerability management in five different sectors: financial services, healthcare, critical infrastructure, manufacturing, and retail.

While there are a number of commonalities among these industries when it comes to defending against cybersecurity threats, each has its own specific concerns and requirements, and vulnerability management can play a key role in addressing those.

Considerations for Vulnerability Management in Financial Services

Let’s first look at financial services. This is one of the most targeted sectors when it comes to attacks given the number of monetary transactions and personal financial information involved. Any software produced for the purpose of providing or supporting financial transactions will likely be an attractive target for weaknesses that can be exploited by cybercriminals.

IT services and consulting firm Accenture Security, in its 2021 Future Cyber Threats report, identified five main threat areas for the financial sector: supply chain attacks targeting essential software and services; cyber fraud; insider threat schemes; extortion attacks; and emerging technologies that continue to reinvent the threat landscape.

In addition to security concerns, financial services firms need to ensure that they are compliant with government regulations and industry standards. The industry is one of the most heavily regulated, and many of those rules are centered on data protection and privacy.

For example, the Gramm Leach Bliley Act (GLBA) governs the protection of customers’ personal information held by banks, insurance companies, and other financial services firms. And the Payment Card Industry Data Security Standard (PCI DSS), a security standard for organizations that handle branded credit cards from the major card providers, is mandated by the card brands and administered by the Payment Industry Security Standards Council. It was created to increase controls around cardholder data to reduce fraud.

For a variety of reasons, including fines and other penalties, bad publicity, and possible lost business, firms don’t want to be non-compliant with regulations and standards.

Developing Secure Applications and Products in Financial Services

Vulnerability management, along with a strong DevSecOps program, can help financial services firms develop the most secure applications without sacrificing innovation or quality. It enables them to proactively find and remediate vulnerabilities, applying fixes before attackers can exploit vulnerabilities and use them to launch attacks.

Industry research has found widespread security inadequacies and protection failures in consumer financial mobile apps, leading to the exposure of source code, sensitive data stored in the apps, and access to back-end servers.

Banks and other financial firms can’t afford to let insecure software go into production. That’s where vulnerability management and DevSecOps can play a key role. These programs, when done in a secure and collaborative way, can assist security leaders with ensuring compliance, reducing the attack surface, and cutting costs and inefficiencies.