A survey conducted by the Ponemon Institute in the US has revealed that half of global financial services organisations have suffered theft of sensitive customer data or system failure and downtime because of insecure software or technology.

Synopsys commissioned the study, which found that many organisations are struggling to manage cyber security risk in their supply chain and are failing to assess their software for security vulnerabilities before release.

Ponemon surveyed over 400 IT security practitioners in various sectors of the financial services industry, including banking, insurance, mortgage lending/processing and brokerage firms. The respondents’ roles included development, installation and implementation of applications for the financial services industry.

More than half of respondents experienced system failure or downtime (56 per cent) or theft of sensitive customer data (51 per cent) due to insecure software or technology. More are effective in detecting (56 per cent) and containing (53 per cent) cyber attacks than in preventing them (31 per cent).

Nearly three-quarters (74 per cent) of respondents were concerned or very concerned about the security posture of third-party software and systems.

Despite this, only 43 per cent said their organisations impose cyber security requirements on third parties involved in developing financial software and systems. Furthermore, only 43 per cent of respondents said they have a formal process for inventorying and managing the open source code in their software portfolios.

While most follow a secure software development life cycle (SDLC) process, respondents reported that their organisations test, on average, only 34 per cent of all financial software and technology developed or in use by their organisation for cyber security vulnerabilities.

For the software and technology that is tested for vulnerabilities, only 48 per cent of respondents reported that security testing occurs in the pre-release phases of the SDLC, such as the requirements and design phase or the development and testing phase.

“While the financial services industry is relatively mature in terms of their software security posture, organisations are grappling with a rapidly evolving technology landscape and facing increasingly sophisticated adversaries,” said Drew Kilbourne, managing director of security consulting for the Synopsys Software Integrity Group.

“There is no single right approach to software security, but this study clearly shows that there is a significant need for improvement in supply chain risk management.”

Share Story: