Information Security In Banking & The Financial Industry: 3 Critical Risks Posed By Vendors


In a new report on cybersecurity in the banking and financial sector, BitSight researchers examined the security performance of more than 5,200 organizations in the Legal, Technology, and Business Services industries. These organizations—monitored by Finance organizations on the BitSight Security Rating Platform—represent a critical part of the financial services supply chain. Our report shows a number of findings important for understanding information security in the banking and financial industry.

The first critical risk, outlined in this article, is that the more outdated browsers and desktop operating systems a third party vendor has, the more susceptible the vendor is to a botnet infection. This indicates a patching gap: If a security team doesn’t update certain systems, data could be stolen, exfiltrated, or lost due to a botnet.

The next two major findings from the study are centered around risks financial firms face if their vendors run outdated desktop software operating systems or outdated server software. We’ll look at each, in detail, below:

Outdated Operating System Risks

BitSight researchers homed in on two specific operating systems no longer supported by Microsoft: XP and Vista. Because these systems are no longer supported, security vulnerabilities found in them rarely receive patches, leaving them extremely vulnerable to infections and malware.

Business Services and Technology together represent a large part of a bank or financial institution’s supply chain—and BitSight researchers found that nearly 20% of companies in these industries are still running Windows XP, and 10% or more are running Windows Vista.


What does this mean for financial service firms, exactly? For starters, if you’re going through the risk assessment process of your vendors and want to get a sense of their security posture, you’ll want to look specifically at the operating systems they are running. If they do have Vista or XP on their networks, you’ll want to inquire about which machines those outdated operating systems are running on—and then ensure those particular machines do not interact with or come in contact with your data in any way. You will also want to establish a timeline with your vendors to update their systems to ensure any further risk is mitigated.

Outdated Server Software Risks

For the final critical data point, BitSight researchers looked specifically at outdated versions of two server-based software packages: Apache and Windows IIS.

As you can see from the chart below, the financial industry actually had the highest share of outdated Windows IIS systems—nearly 30%—indicating the industry needs to consider its own systems as it works to improve its vendors’ systems. But the rates of outdated server software across business services and technology aren’t negligible, and they should give those in the financial service industry pause.


Again, what do these results mean for financial service firms? First of all, if you’re sharing data with a third party, it may be stored on an on-premises server at that vendor. In this case, if one of your vendors running outdated server software is breached, there’s a chance your data could be compromised.
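The vendor assessment steps described above (identify machines running XP or Vista, check whether those machines touch your data, and flag outdated Apache or IIS builds) can be scripted against a vendor-supplied asset inventory. The following is an added example written for this article; it is not BitSight's code or rating methodology. The vendor name, hostnames, inventory rows and the support cut-offs are constructed or assumed for illustration, and the minimum server-software versions should be replaced with your own policy.

```python
"""Vendor inventory checker (added example, not BitSight's code).

Flags end-of-life desktop operating systems and outdated server software in a
third-party vendor's asset list, and reports which of those hosts handle our
data. All inventory data below is constructed; the version cut-offs are
assumptions representing one possible policy."""

import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption: desktop OS names treated as end-of-life. XP and Vista are the two
# the article calls out; the dates are Microsoft's published end-of-support dates.
EOL_DESKTOP_OS = {
    "windows xp": date(2014, 4, 8),
    "windows vista": date(2017, 4, 11),
}

# Assumption: minimum server-software branch this (hypothetical) policy accepts.
# Anything below the floor is reported as outdated.
MIN_SERVER_VERSION = {
    "apache": (2, 4),
    "microsoft-iis": (8, 5),
}

# Matches banners such as "Apache/2.2.15" or "Microsoft-IIS/7.5".
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z\-]+)/(?P<version>[\d.]+)")


@dataclass
class Host:
    vendor: str
    hostname: str
    os: str
    server_banner: Optional[str]  # None for workstations with no web server
    handles_our_data: bool        # does this host store/process our data?


def parse_banner(banner):
    """Return (product, version tuple) from a Server banner, or None."""
    m = BANNER_RE.match(banner or "")
    if not m:
        return None
    version = tuple(int(p) for p in m.group("version").split(".") if p)
    return m.group("product").lower(), version


def os_is_eol(os_name, today=None):
    """True if the OS is in the EOL table and its support date has passed."""
    today = today or date.today()
    end = EOL_DESKTOP_OS.get(os_name.strip().lower())
    return end is not None and today > end


def server_is_outdated(banner):
    """True if the banner's product is known and its version is below the floor."""
    parsed = parse_banner(banner)
    if parsed is None:
        return False
    product, version = parsed
    floor = MIN_SERVER_VERSION.get(product)
    return floor is not None and version[: len(floor)] < floor


def assess_vendor(hosts, today=None):
    """Summarise one vendor: EOL OS hosts, outdated servers, and data exposure."""
    findings = {"eol_os": [], "outdated_server": [], "data_exposed": []}
    for h in hosts:
        eol = os_is_eol(h.os, today)
        outdated = server_is_outdated(h.server_banner)
        if eol:
            findings["eol_os"].append(h.hostname)
        if outdated:
            findings["outdated_server"].append(h.hostname)
        # The article's key question: do the risky machines touch our data?
        if (eol or outdated) and h.handles_our_data:
            findings["data_exposed"].append(h.hostname)
    total = len(hosts)
    findings["pct_eol_os"] = round(100 * len(findings["eol_os"]) / total, 1) if total else 0.0
    return findings


# Constructed sample inventory for a hypothetical vendor; not real data.
SAMPLE_INVENTORY = [
    Host("Acme Legal LLP", "ws-01", "Windows XP", None, True),
    Host("Acme Legal LLP", "ws-02", "Windows 10", None, True),
    Host("Acme Legal LLP", "ws-03", "Windows Vista", None, False),
    Host("Acme Legal LLP", "web-01", "Windows Server 2008", "Microsoft-IIS/7.5", True),
    Host("Acme Legal LLP", "web-02", "Ubuntu 16.04", "Apache/2.4.18", True),
    Host("Acme Legal LLP", "web-03", "CentOS 6", "Apache/2.2.15", False),
]

if __name__ == "__main__":
    result = assess_vendor(SAMPLE_INVENTORY, today=date(2018, 1, 1))
    print(f"EOL desktop OS hosts ({result['pct_eol_os']}%): {result['eol_os']}")
    print(f"Outdated server software: {result['outdated_server']}")
    print(f"Risky hosts that handle our data: {result['data_exposed']}")
```

The `data_exposed` list is the one to act on first: those are the hosts the article says should be isolated from your data and put on a remediation timeline with the vendor. Hosts that are outdated but do not touch your data still count toward the vendor's overall patching-gap picture (the percentage reported alongside the list).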

To understand just how critical this risk is, consider the Panama Papers. There were numerous variables that played into that data leak, but notably, Mossack Fonseca—the Panamanian law firm at the center of this major breach—was running outdated versions of Drupal and WordPress. While those particular systems aren’t highlighted in this study, this breach serves as a powerful illustration of how software packages found in servers can be exploited.

Another great but lesser-known example of the criticality of this risk is the exploit known as “ExplodingCan.” This exploit, one of the many stolen NSA exploits leaked by the Shadow Brokers and subsequently used by attackers, capitalizes on a flaw in Windows IIS and allows attackers to implant malware or ransomware on a server.

Download The Full Report Now

Becoming aware of the risks you may face if your vendors run outdated software—and, more broadly, understanding information security in the banking and financial industry—simply isn’t enough. Now that you’re aware of these risks, you have to take action. Our latest Insight report outlines specific ways to shape third party vendor risk management for financial institutions, given the risks outlined above—download it today.