Banking regulation has an effect on Hackability

Banks are known for their strong security efforts and better-than-average protection from hacking. As we discussed previously when introducing a metric to compare the Hackability of different organizations, banks are among the top three best-protected industries according to the SRLabs Hackability Score.

Bank security could be driven by evolution or by compliance

Banks’ security advantage has two potential root causes:

• Either banks are under increased hacking pressure and hence have more reason and opportunity to learn from hacking attempts (security evolution)
• Or banks are under additional scrutiny from their regulators, who enforce security measures which security evolution would not naturally bring about (security compliance)

The difference between these two drivers is measurable in the sub-scores of the SRLabs Hackability Score:

• Security evolution, on the one hand, would bring about a higher overall level of security as hackers are excellent at exposing weak links
• Banking regulation, on the other hand, would focus on certain areas at the expense of drawing attention away from other areas, thereby leading to an uneven distribution among the Hackability sub-scores

We find this unevenness in our measurement, confirming that compliance to banking regulation is a driver behind banks’ security advantage:

‍Regulation has measurable effects in skewing attention

‍Banks perform better than other industries in hardening their Internet-exposed assets. Asset hardening can be achieved through checklists and top-down compliance.

Security operations excellent including patching, is more difficult to achieve through check lists and compliance, making issues arising from bad security operations less responsive to regulation. As expected, banking, which is highly regulated compared to other industries, has a disproportionally high share of missing patches.

In absolute terms, banks have fewer issues relative to other industries. However, banks also invest significantly more into information security than other industries. The resulting gap between banks and non-banks security is smaller than the differences in security budget would suggest.

There could be many additional factors contributing to the higher than expected Hackability of banks, but the trend is clear; while banks are better protected on average, something keeps their attention away from security maintenance tasks such as patching. We think that regulation is partly responsible for this attention skew.

Banking regulation does have a measurable effect, but not necessarily a positive one:  Banks appear to spend their large security budgets on comprehensive hardening. Beyond this core topic of security compliance, banks have surprisingly average security levels. For example, banks’ performance around credential and authentication management,  and limiting the exposure of management interfaces to the Internet is underwhelming. The overall security level is determined by these weaker links of the protection chain.

Our research data suggests that if banks would spend their large security budgets more similarly to those in other industries who typically follow security evolution over security compliance, their efforts in lowering Hackability would be more effective.