A recent survey by Synopsys further reinforced the challenge the financial services industry is having with maintaining its cybersecurity and other matters related to fraud and the compromising on consumer data.
Based on a survey of global financial services organizations conducted by Ponemon Institute, Synopsys’ report highlighted the industry’s security posture and its ability to address security-related issues.
The study found that more than half of the surveyed organizations have experienced theft of sensitive customer data or system failure and downtime because of insecure software or technology.
The report titled, The State of Software Security in the Financial Services Industry, also noted that many organizations are struggling to manage cybersecurity risk in their supply chain and are failing to assess their software for security vulnerabilities before release.
“While the financial services industry is relatively mature in terms of their software security posture, organizations are grappling with a rapidly evolving technology landscape and facing increasingly sophisticated adversaries,” said Drew Kilbourne, managing director of security consulting for the Synopsys Software Integrity Group. “There is no single right approach to software security, but this study clearly shows that there is a significant need for improvement in supply chain risk management.
“There is also an opportunity for many organizations to expand the scope of their software security programs to cover all their business-critical applications and shift their efforts further left in the software development life cycle (SDLC),” Kilbourne continued.
Synopsys commissioned Ponemon Institute, a leading IT security research organization, to examine current software security practices and risks in the financial services industry (FSI). Ponemon surveyed more than 400 IT security practitioners in various sectors of the financial services industry, including banking, insurance, mortgage lending/processing, and brokerage firms.
The respondents’ roles included development, installation, and implementation of applications for the financial services industry.
Other key findings from the study included:
—The majority of FSI organizations are ineffective at preventing cyberattacks.
More than half of respondents have experienced system failure or downtime (56%) or theft of sensitive customer data (51%) due to insecure software or technology. The study showed that more organizations are effective in detecting (56%) and containing (53%) cyberattacks than in preventing attacks (31%).
—Many FSI organizations are struggling to manage cybersecurity risk in their supply chain.
Nearly three-quarters (74%) of respondents were concerned or very concerned about the security posture of third-party software and systems. Despite this concern, only 43% of respondents said their organizations impose cybersecurity requirements on third parties involved in developing financial software and systems. Furthermore, only 43% of respondents said they have a formal process for inventorying and managing the open source code in their software portfolios.
—FSI organizations are failing to assess their software for security vulnerabilities before release.
While most organizations follow a secure software development life cycle (SDLC) process, respondents reported that their organizations test, on average, only 34% of all financial software and technology developed or in use by their organization for cybersecurity vulnerabilities. For the software and technology that is tested for vulnerabilities, only 48% of respondents reported that security testing occurs in the pre-release phases of the SDLC, such as the requirements and design phase or the development and testing phase.
To download a free copy of the report, go to this website.
Kilbourne and Larry Ponemon of the Ponemon Institute also are hosting a free webinar to discuss the report in more detail. The event is set for Sept. 12 at 1 p.m. ET. Registration for the session can be completed here.