Security Ratings

BitSight Research Highlights Financial Services Security Ratings in the UK

Alex Campanelli | July 13, 2018

Over the last several years, cybersecurity regulations (like NYDFS and GDPR) have placed pressure on the financial services industry to build and enforce some of the strongest risk management programs across any industry. These programs focus not only on internal security performance, but also on managing third party risk. Financial service organizations are both highly regulated and handle extremely sensitive personally identifiable information (PII), and as a result typically have higher security budgets when compared to other industries.

Financial services companies also tend to perform towards the higher end of the scale from a cybersecurity perspective. Leveraging data from BitSight Sovereign Security Ratings which look at security performance at a national and industry level, we examined the security performance of the finance sector in the United Kingdom. Our researchers analyzed  UK Financial Services security performance for the month of May 2018 to determine whether the security posture of this industry falls where expected. 7.13-Blog-1

Figure 1

BitSight’s research shows that the average security rating for the United Kingdom — when compared to the average security rating for other European countries — is highest in Insurance, Credit Unions, and Real Estate, with Finance coming in 4th place. This is positive, given that each of these industries deal with very sensitive client information that could be extremely harmful if compromised.

This image also shows that some of the overall lowest average security ratings in the UK are in Retail, which is concerning given that retail companies work many third parties who handle customer data. There have been several instances of some very public retail breaches in the last few years. Working with third parties has a big impact on retailers’ business bottom line, so they should be proactively working to improve the cybersecurity of their supply chains.


Figure 2

The average security rating for the Financial Services industry itself in the UK is highest among credit unions (just below 800), and lowest among financial institutions (just below 750).7.15-Blog-3

Figure 3

When examining the security posture of the UK’s financial sector, it helps compare its security performance relative to other major European financial powers for context. This image illustrates the average security ratings among these countries broken down by industry. Germany has the highest security rating among credit unions, and France possesses the lowest security ratings among financial institutions.

As shown above, the UK’s financial institutions are undoubtedly a clear leader in terms of security performance. UK financial firms tend to have sophisticated risk management programs, which is reflected well in their high level of security performance.

Despite this fact, the challenge remains in closing the security performance gap between financial institutions and their third parties, who pose a significant risk to their security posture. GDPR, which is now in effect, mandates that all organizations that collect personal data must have rigorous due diligence processes to ensure the appropriate technical and organizational controls are in place before sharing data with third parties. These organizations should establish a process for regularly testing their third parties.

As the threat landscape becomes more complex and risk of breach increases, it’s more critical than ever for organizations to be aware of their own security posture as well as the vulnerabilities in their supply chain. In a recent BitSight Insights report, The Buck Stops Where: Assessing the Cyber Performance of the Finance Supply Chain, we showcase more of BitSight’s research surrounding the Finance industry and their supply chain as well as proactive recommendations for organizations to strengthen the security of their networks.

Learn more about the benefits of security ratings for financial services.

Suggested Posts

Content Security Policy Limits Dangerous Activity… So Why Isn’t Everyone Doing It?

Online services, e-commerce sites, videoconference, delivery services, and all other kinds of services are growing exponentially, exposing users and data to new risks and threats.  Users expect that the sites and services they rely on are...


Mitigating Risk in Your Expanding Digital Ecosystem

As time goes on, organizations are taking on more and more new digital transformation initiatives to become increasingly agile and boost productivity — dramatically transforming the number of digital touchpoints employees interact with on...


Do You Need to Create Segmented Networks to Protect Critical Assets?

Network segmentation — the act of dividing a network into multiple smaller, isolated networks that are not visible from the outside — has long been used to reduce cyber risk. At its core, segmentation assumes a “zero trust” approach to...


Subscribe to get security news and updates in your inbox.