Banking regulation has an effect on Hackability

Banks are known for their strong security efforts and better-than-average protection from hacking. As previously discussed when introducing the Hackability metric, banks rank among the top three industries with the highest level of protection according to the SRLabs Hackability Score.

Bank security could be driven by evolution or by compliance

Banks’ security advantage has two potential root causes:

  • Either banks are under increased hacking pressure and hence have more reason and opportunity to learn from hacking attempts (security evolution)
  • Or banks are under additional scrutiny from their regulators, who enforce security measures which security evolution would not naturally bring about (security compliance)

The difference between these two drivers is measurable in the sub-scores of the SRLabs Hackability Score:

  • Security evolution, on the one hand, would bring about a higher overall level of security as hackers are excellent at exposing weak links
  • Banking regulation, on the other hand, would focus on certain areas at the expense of drawing attention away from other areas, thereby leading to an uneven distribution among the Hackability sub-scores

We find this unevenness in our measurement, confirming that compliance with banking regulation is a driver behind banks’ security advantage:

Figure: The Hackability of banks arises mostly from missing patches. Regulation has measurable effects in skewing attention.

Banks perform better than other industries in hardening their Internet-exposed assets. You can achieve asset hardening through checklists and top-down compliance.

Excellent security operations, including patching, are more difficult to achieve through checklists and compliance, which makes issues arising from poor security operations less responsive to regulation. As expected, banking, which faces higher regulation than other industries, disproportionately lacks patches.

In absolute terms, banks have fewer issues than other industries. However, banks also invest significantly more in information security than other industries. The resulting gap between banks’ and non-banks’ security is smaller than the differences in security budget would suggest.

There could be many additional factors contributing to the higher-than-expected Hackability of banks, but the trend is clear: while banks’ protection is better on average, something keeps their attention away from security maintenance tasks such as patching. We think that regulation is partly responsible for this attention skew.

Banking regulation does have a measurable effect, but not necessarily a positive one: banks appear to spend their large security budgets on comprehensive hardening. Beyond this core topic of security compliance, banks have surprisingly average security levels. For example, banks’ performance around credential and authentication management, and in limiting the exposure of management interfaces to the Internet, is underwhelming. These weaker links of the protection chain determine the overall security level.

Our research data suggests that if banks spent their large security budgets more like other industries, which typically follow security evolution rather than security compliance, their efforts to lower Hackability would be more effective.

If you are curious to learn more, you can subscribe to be notified about new blog posts, or start exploring our research data directly.
