May 29, 2018 By Douglas Bonderud 2 min read

Financial institutions are prime targets for cybercriminals. According to a February 2018 report from management consulting firm Accenture, the number of breaches in the financial services sector tripled in the last five years. Meanwhile, the Journal of Cyber Policy noted recently that 89 percent of survey respondents say their existing information security (InfoSec) tools and policies don’t meet current needs.

During a recent Senate Banking Committee hearing, witnesses addressed both sides of the issue: the increasing scope of cybersecurity threats facing financial institutions and the steps that can be taken to limit the impact. Ideally? Clearer regulations, more accountability and recognition of critical risk.

Risk Is Our Business? Cybersecurity Threats

Cybercriminals are looking for maximum profit with minimum effort. As banks make the switch from storing physical currency to moving and investing money online, attackers have prioritized financial targets. Bob Sydow, a principal at professional services firm Ernst & Young, was straightforward about the state of financial cybersecurity at the Senate hearing, noted Politico.

“Keeping up with known threats and vulnerabilities is difficult enough, but the scope of unknown cyber risks seems much larger than other, more traditional risk domains,” Sydow said.

Financial institutions must also acknowledge the role of employees in securing or exposing networks to risk. According to Financial News, 58 percent of cyber claims stem from employee behavior, with the financial sector facing the highest annual cost per year for cybercrime — intentional or not.

Thirty-five percent of companies say their data protection policies are “ad hoc or nonexistent” and 12 percent have no breach detection solutions in place, according to Ernst & Young’s latest data, Global Information Security Survey.

It’s clear there’s a gap between current financial InfoSec and practices and the impact of cybersecurity threats.

Industry Investment to Protect Personal Data

According to Forbes, Senate Banking Committee Chair Mike Crapo and his democratic counterpart Sherrod Brown both agree the financial sector needs better legislation when it comes to protecting consumers’ personal data. Brown describes a bill with provisions that hold companies accountable for data loss but doesn’t know exactly what form that would take — although he does say record bank profits could be used for more cybersecurity investment.

During the recent hearing, however, Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC) argued that “despite a dynamic and ever-changing cyberthreat environment, the financial sector has invested heavily to protect the sector’s assets and consumers’ information from adversaries and cybercrime,” noted Politico. For Nelson, improved financial sector security includes government action to harmonize conflicting regulations, more cybercrime prosecutions and Congress-defined responses to specific types of cybersecurity threats.

To Spend and Secure

The recent Senate hearing makes it clear: Financial institutions are spending on cybersecurity, but the scope and nature of threats make it difficult to keep up. While more monetary investment remains a priority, increased legislative follow-through and government streamlining of existing regulations also play a critical role in reducing cyber risk.

More from

FYSA — VMware Critical Vulnerabilities Patched

< 1 min read - SummaryBroadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.Threat TopographyThreat Type: Critical VulnerabilitiesIndustry: VirtualizationGeolocation: GlobalOverviewX-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities…

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today