Banking regulation has an effect on Hackability

January 9, 2025 - 5 Min Read

Banks are known for their strong security efforts and better-than-average protection from hacking. According to Autobahn Security’s previous Hackability Score calculation, banks rank among the top three industries with the highest level of protection.

Bank security could be driven by evolution or by compliance

Banks’ security advantage has two potential root causes:

  • Either banks are under increased hacking pressure and hence have more reason and opportunity to learn from hacking attempts (security evolution)
  • Or banks are under additional scrutiny from their regulators, who enforce security measures that security evolution would not naturally bring about (security compliance)

The difference between these two drivers is measurable in the sub-scores of the Autobahn Hackability Score:

  • Security evolution, on the one hand, would bring about a higher overall level of security as hackers are excellent at exposing weak links
  • Banking regulation, on the other hand, would focus on certain areas at the expense of drawing attention away from other areas, thereby leading to an uneven distribution among the Hackability sub-scores

We find this unevenness in our measurement, which supports the conclusion that compliance with banking regulation is one driver behind banks’ security advantage:

The Hackability of banks arises mostly from missing patches

Regulation has measurable effects in skewing attention

Banks perform better than other industries in hardening their Internet-exposed assets. Asset hardening lends itself to checklists and top-down compliance.

Security operations, including patching, are harder to drive through checklists and compliance, so issues arising from weak security operations respond less to regulation. As expected, banking, which is more heavily regulated than other industries, disproportionately lacks patches.

In absolute terms, the frequency and severity of publicly disclosed incidents may suggest that banks suffer fewer overt security problems than some other industries, but this surface-level picture hides a more complex reality. Banks operate in a heavily regulated and scrutinized environment that demands a high level of vigilance and proactive defense, and this translates into significantly larger investments in security infrastructure, personnel and technology than are typical in other sectors.

Despite these investments, the resulting gap in actual security posture between banks and non-bank organizations is often surprisingly narrow, far smaller than the difference in budgets would suggest. Several factors contribute:

  1. The complexity and interconnectedness of modern financial systems create a wider attack surface, which demands proportionally greater security effort.
  2. The rapidly evolving threat landscape requires continuous adaptation, so banks must keep reinvesting in new technologies and strategies.
  3. The value of the data banks hold makes them a prime target and attracts the most sophisticated and persistent adversaries.

There could be many additional factors contributing to the higher-than-expected Hackability of banks, but the trend is clear: while banks’ protection is better on average, something keeps their attention away from security maintenance tasks such as patching. We think that regulation is partly responsible for this attention skew.

Banking regulation does have a measurable effect, but not necessarily a positive one: banks appear to spend their large security budgets on comprehensive hardening. Outside this core compliance topic, banks have surprisingly average security levels. For example, banks’ performance in credential and authentication management, and in limiting the exposure of management interfaces to the Internet, is underwhelming. These weaker links in the protection chain determine the overall security level.

Our research data suggests that if banks spent their large security budgets more like organizations in other industries, which typically follow security evolution rather than security compliance, their efforts to lower Hackability would be more effective.
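To make the two arguments above concrete (the "uneven sub-scores" signature of compliance-driven security, and the weakest-link effect that makes extra hardening budget ineffective), here is an added toy model. It is not Autobahn Security’s Hackability methodology, whose formula this post does not give; the four sub-score areas are the ones the post mentions, and all numbers, the unevenness measure (coefficient of variation) and the 0.25 threshold are constructed assumptions for illustration.

```python
"""Toy model of the sub-score reasoning in this post.

Added illustration only: not Autobahn Security's scoring method.
Sub-scores are constructed; higher means more hackable (more open findings).
"""
from statistics import mean, pstdev

# Hypothetical per-area sub-scores for a "bank-like" and a "non-bank-like" profile.
# The bank profile is strongly hardened but skewed: patching is the weak area.
BANK = {"hardening": 10, "patching": 60, "credentials": 40, "mgmt_exposure": 40}
NON_BANK = {"hardening": 35, "patching": 40, "credentials": 38, "mgmt_exposure": 37}


def skew(sub_scores):
    """Unevenness across sub-scores as a coefficient of variation.

    0.0 means every area is equally (un)protected; the larger the value,
    the more attention has been concentrated in some areas at the expense
    of others. (Assumed measure, not the post's.)
    """
    vals = list(sub_scores.values())
    m = mean(vals)
    return pstdev(vals) / m if m else 0.0


def driver(sub_scores, threshold=0.25):
    """Classify the likely driver behind a profile (threshold is an assumption)."""
    return "compliance" if skew(sub_scores) > threshold else "evolution"


def overall(sub_scores):
    """Weakest-link rule: the worst area sets the overall hackability."""
    return max(sub_scores.values())


def spend(sub_scores, area, reduction):
    """Simulate spending a fixed budget on one area (scores cannot go below 0)."""
    new = dict(sub_scores)
    new[area] = max(0, new[area] - reduction)
    return new


def best_spend(sub_scores, reduction):
    """Which single area lowers the overall score the most for a fixed budget."""
    return min(sub_scores, key=lambda area: overall(spend(sub_scores, area, reduction)))


if __name__ == "__main__":
    for name, profile in (("bank", BANK), ("non-bank", NON_BANK)):
        print(f"{name}: skew={skew(profile):.2f} driver={driver(profile)} overall={overall(profile)}")
    # More hardening does nothing for the bank profile; patching moves the needle.
    print("bank, +10 on hardening:", overall(spend(BANK, "hardening", 10)))
    print("bank, +10 on patching: ", overall(spend(BANK, "patching", 10)))
    print("best area to fund:", best_spend(BANK, 10))
```

Running it shows the bank profile classified as compliance-driven (skewed) and the non-bank profile as evolution-driven (even); spending ten points of budget on the already-hardened area leaves the bank’s overall score at 60, while the same budget on patching drops it to 50, which is the weakest-link argument of the post in miniature.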

If you are curious to learn more, check out our new blog posts, or start exploring our research data directly.