A Synopsys survey of global financial services organisations conducted by Ponemon Institute found that more than half of the surveyed organisations have experienced theft of sensitive customer data or system failure and downtime because of insecure software or technology.
The study also found that many organisations are struggling to manage cybersecurity risk in their supply chain and are failing to assess their software for security vulnerabilities before release.
Ponemon surveyed over 400 IT security practitioners in various sectors of the financial services industry, including banking, insurance, mortgage lending/processing, and brokerage firms. Respondents were involved in the development, installation, and implementation of applications for the financial services industry.
Key findings from the study include:
The majority of FSI organisations are ineffective at preventing cyberattacks.
More than half of respondents have experienced system failure or downtime (56%) or theft of sensitive customer data (51%) due to insecure software or technology. Unsurprisingly, the study shows that more organisations are effective in detecting (56%) and containing (53%) cyberattacks than in preventing attacks (31%).
Many FSI organisations are struggling to manage cybersecurity risk in their supply chain.
Nearly three-quarters (74%) of respondents were concerned or very concerned about the security posture of third-party software and systems. Despite this concern, only 43% of respondents said their organisations impose cybersecurity requirements on third parties involved in developing financial software and systems. Furthermore, only 43% of respondents said they have a formal process for inventorying and managing the open source code in their software portfolios.
FSI organisations are failing to assess their software for security vulnerabilities before release.
While most organisations follow a secure software development life cycle (SDLC) process, respondents reported that their organisations test, on average, only 34% of all financial software and technology they develop or use for cybersecurity vulnerabilities. For the software and technology that is tested, only 48% of respondents reported that security testing occurs in the pre-release phases of the SDLC, such as the requirements and design phase or the development and testing phase.