BitSight Research Highlights Financial Services Security Ratings in the UK

Alex Campanelli | July 13, 2018 | tag: Security Ratings

Over the last several years, cybersecurity regulations (like NYDFS and GDPR) have placed pressure on the financial services industry to build and enforce some of the strongest risk management programs across any industry. These programs focus not only on internal security performance, but also on managing third party risk. Financial service organizations are both highly regulated and handle extremely sensitive personally identifiable information (PII), and as a result typically have higher security budgets when compared to other industries.

Financial services companies also tend to perform towards the higher end of the scale from a cybersecurity perspective. Leveraging data from BitSight Sovereign Security Ratings which look at security performance at a national and industry level, we examined the security performance of the finance sector in the United Kingdom. Our researchers analyzed  UK Financial Services security performance for the month of May 2018 to determine whether the security posture of this industry falls where expected. 7.13-Blog-1

Figure 1

BitSight’s research shows that the average security rating for the United Kingdom — when compared to the average security rating for other European countries — is highest in Insurance, Credit Unions, and Real Estate, with Finance coming in 4th place. This is positive, given that each of these industries deal with very sensitive client information that could be extremely harmful if compromised.

This image also shows that some of the overall lowest average security ratings in the UK are in Retail, which is concerning given that retail companies work many third parties who handle customer data. There have been several instances of some very public retail breaches in the last few years. Working with third parties has a big impact on retailers’ business bottom line, so they should be proactively working to improve the cybersecurity of their supply chains.


Figure 2

The average security rating for the Financial Services industry itself in the UK is highest among credit unions (just below 800), and lowest among financial institutions (just below 750).7.15-Blog-3

Figure 3

When examining the security posture of the UK’s financial sector, it helps compare its security performance relative to other major European financial powers for context. This image illustrates the average security ratings among these countries broken down by industry. Germany has the highest security rating among credit unions, and France possesses the lowest security ratings among financial institutions.

As shown above, the UK’s financial institutions are undoubtedly a clear leader in terms of security performance. UK financial firms tend to have sophisticated risk management programs, which is reflected well in their high level of security performance.

Despite this fact, the challenge remains in closing the security performance gap between financial institutions and their third parties, who pose a significant risk to their security posture. GDPR, which is now in effect, mandates that all organizations that collect personal data must have rigorous due diligence processes to ensure the appropriate technical and organizational controls are in place before sharing data with third parties. These organizations should establish a process for regularly testing their third parties.

As the threat landscape becomes more complex and risk of breach increases, it’s more critical than ever for organizations to be aware of their own security posture as well as the vulnerabilities in their supply chain. In a recent BitSight Insights report, The Buck Stops Where: Assessing the Cyber Performance of the Finance Supply Chain, we showcase more of BitSight’s research surrounding the Finance industry and their supply chain as well as proactive recommendations for organizations to strengthen the security of their networks.

Learn more about the benefits of security ratings for financial services.

Suggested Posts

Celebrating 10 Years of BitSight: A Co-Founder Looks Back

It’s hard to believe, but BitSight is celebrating our 10 year anniversary this week! I co-founded BitSight in 2011 with my friend and grad school classmate, Nagarjuna Venna. When I think back at our original idea of creating a global...


Use the right cybersecurity analytics to make a business case for risk management

Not long ago, corporate executives would give only passing thoughts to their organization’s cybersecurity postures. Leadership and board members would take notice in the wake of a major data breach, for example, or a couple of times a...


A response to Security Ratings - Love, Loathe or Live With Them

A week ago (which seems like a world ago given everything that’s happened with SolarWinds) Phil Venables -- formerly CISO of Goldman Sachs and now CISO of Google Cloud -- posted an interesting expose on security ratings this week. Phil...


Get the Weekly Cybersecurity Newsletter.