Information Security In Banking & Finance Industry: 3 Critical Vendor Risks

In a report focused on cybersecurity in the banking and financial sector, BitSight researchers examined the security performance of more than 5,200 organizations in the Legal, Technology, and Business Services industries. These organizations—monitored by Finance organizations on the BitSight Security Rating Platform—represent a critical part of the financial services supply chain. Our report shows a number of findings representative of information security in the banking and financial industry.

The first information security risk in the banking and financial industry we’ve outlined targets the need to efficiently manage your vendor risk program. The risk is that the more outdated browsers and desktop operating systems a third-party vendor has, the more susceptible the vendor is to a botnet infection. This indicates a patching gap: if a security team doesn’t update certain systems, data could be stolen, exfiltrated, or lost through a botnet infection.

The next two major findings from the study on information security in the banking and financial industry are centered around the risks financial firms face if their vendors run outdated desktop operating systems or outdated server software. We’ll look at each, in detail, below:


Outdated Operating System Risks

BitSight researchers homed in on two operating systems that are still commonly used in the banking and financial industries but are no longer supported by Microsoft: Windows XP and Windows Vista. Because these systems are no longer supported, Microsoft no longer produces patches for security vulnerabilities found in them, making them extremely vulnerable to infections and malware.

Business Services and Technology together represent a large part of a bank or financial institution’s supply chain—and BitSight researchers found in 2017 that nearly 20% of companies in these industries are still running Windows XP, and 10% or more are running Windows Vista.


What does this mean for information security in the banking and financial industry, exactly? For starters, if you’re going through the vendor risk assessment process and want to get a sense of a vendor’s security posture, you’ll want to look specifically at the operating systems they are running. If they do have Vista or XP, or other outdated software still running on their networks, you’ll want to inquire about which machines those outdated operating systems are present on—and then ensure those particular machines do not interact with or come in contact with your data in any way. You will also want to establish a timeline with your vendors, even by including it in your vendor contract, to update their systems so that any further risk is mitigated.

Outdated Server Software Risks

For the final critical data point, BitSight researchers looked specifically at outdated versions of two server-based software packages: Apache and Windows IIS.

As you can see from the chart below, the financial industry itself actually had the highest share of outdated Windows IIS systems—nearly 30%—indicating that the industry needs to consider its own systems as it works to improve its vendors’ systems. But the rates of outdated server software across Business Services and Technology aren’t negligible, and they should give those in the financial services industry pause.

Again, what do these results mean for information security in banking and financial industry firms? First of all, if you’re sharing data with a third party, it may be stored on an on-premise server. In that case, if one of your vendors running outdated server software is breached, there’s a chance your data could be compromised.
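The two checks this article recommends for a vendor assessment, flagging end-of-life desktop operating systems and outdated Apache or IIS versions in a vendor’s asset inventory and deciding whether each host may touch your data, can be run as a simple script over an inventory export. The following is an added example, not BitSight code or part of its report. The inventory rows, the CSV column names, and the minimum server-version policy are constructed for illustration; the Windows end-of-support dates are Microsoft’s published extended-support end dates, but any table like this should be maintained against the vendors’ own lifecycle pages.

```python
"""Flag unsupported operating systems and outdated web-server software in a
vendor asset inventory, then decide what to ask the vendor to do.

Added example (not BitSight code). Inventory rows, column names and the
minimum-version policy are constructed/assumed for illustration.
"""
import csv
import io
import re
from datetime import date

# Published Microsoft end-of-extended-support dates for the client OS families.
# Hosts whose OS is not listed here are reported as "unknown" for manual review.
OS_END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
    "windows vista": date(2017, 4, 11),
    "windows 7": date(2020, 1, 14),
    "windows 10": date(2025, 10, 14),
}

# Assumed policy: lowest acceptable (major, minor) branch per server product.
# The IIS baseline is a hypothetical choice for this example.
MIN_SERVER_VERSION = {
    "apache": (2, 4),
    "microsoft-iis": (7, 5),
}

# Matches a product/version banner such as "Apache/2.2.15" or "Microsoft-IIS/6.0".
SERVER_BANNER_RE = re.compile(r"^(?P<product>[A-Za-z\-]+)/(?P<version>\d+(?:\.\d+)*)")

# Constructed sample inventory (what a vendor might export from its asset system).
SAMPLE_INVENTORY = """host,os,server_banner,handles_our_data
vendor-ws-01,Windows XP SP3,,yes
vendor-ws-02,Windows 10,,yes
vendor-web-01,Windows Server 2003,Microsoft-IIS/6.0,yes
vendor-web-02,Ubuntu 16.04,Apache/2.4.18,no
vendor-web-03,CentOS 6,Apache/2.2.15,yes
"""


def parse_version(text):
    """'2.2.15' -> (2, 2, 15); tuples compare branch-wise, e.g. (2,2,15) < (2,4)."""
    return tuple(int(part) for part in text.split("."))


def classify_os(os_name, today):
    """Return 'unsupported', 'supported' or 'unknown' for an OS name on a given date."""
    key = os_name.strip().lower()
    for family, end_of_support in OS_END_OF_SUPPORT.items():
        if key.startswith(family):
            return "unsupported" if today >= end_of_support else "supported"
    return "unknown"


def classify_server_banner(banner):
    """Return 'outdated', 'current' or 'unknown' for a Server banner string."""
    match = SERVER_BANNER_RE.match(banner.strip())
    if not match:
        return "unknown"
    product = match.group("product").lower()
    if product not in MIN_SERVER_VERSION:
        return "unknown"
    return "outdated" if parse_version(match.group("version")) < MIN_SERVER_VERSION[product] else "current"


def assess_inventory(csv_text, today=None):
    """Classify every host and attach the action the article recommends:
    isolate at-risk hosts from your data and set a contractual patch deadline."""
    today = today or date.today()
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        os_status = classify_os(row["os"], today)
        server_status = classify_server_banner(row["server_banner"]) if row["server_banner"] else "n/a"
        at_risk = os_status == "unsupported" or server_status == "outdated"
        touches_our_data = row["handles_our_data"].strip().lower() == "yes"
        if at_risk and touches_our_data:
            action = "isolate from our data; contractual patch deadline"
        elif at_risk:
            action = "require remediation timeline"
        elif "unknown" in (os_status, server_status):
            action = "manual review"
        else:
            action = "none"
        findings.append({"host": row["host"], "os": os_status,
                         "server": server_status, "action": action})
    return findings


if __name__ == "__main__":
    for finding in assess_inventory(SAMPLE_INVENTORY, today=date(2018, 1, 1)):
        print(f"{finding['host']:<14} os={finding['os']:<11} "
              f"server={finding['server']:<9} action={finding['action']}")
```

The assessment date is passed in explicitly so that a Vista host assessed in 2016 is correctly reported as still supported, while the same host assessed in 2018 is flagged; hosts whose OS or server product is not in the tables are never silently passed but routed to manual review.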

To understand just how critical this risk is, consider the Panama Papers. There were numerous variables that played into that data leak, but notably, Mossack Fonseca—the Panamanian law firm at the center of this major breach—was running outdated versions of Drupal and WordPress. While those particular systems aren’t highlighted in this study, this breach serves as a powerful illustration of how software packages found in servers can be exploited.

Another great but lesser-known example of the criticality of this risk is the exploit known as “ExplodingCan.” This exploit—one of the many stolen NSA exploits leaked by the Shadow Brokers and since used by hackers—capitalizes on flaws in Windows IIS and allows attackers to implant malware or ransomware on a server.

Download The Full Report Now

Becoming aware of the risks you may face if your vendors run outdated software—and, more broadly, understanding information security in the banking and financial industry—simply isn’t enough. Now that you’re aware of these risks, you have to take action. This BitSight Insights report outlines specific ways to shape third-party vendor risk management for financial institutions, given the risks outlined above—download it today.