Whitepaper: Common Cybersecurity Shortcomings of FIs
Financial organizations represent a critical sector of business, and the reduction of risk from threats to confidentiality, integrity, and availability (CIA) should be the highest-priority undertaking for these organizations. The intrinsic liquidity of financial organizations makes them desirable targets of unauthorized parties wishing to gain quick capital from a breach.

To combat these threats, many organizations execute risk assessments to determine the risks within various aspects of their institutional structure. Once a reliable set of risk metrics has been established, the organization begins the process of implementing controls to achieve multiple objectives, the most crucial objective being mitigating residual risk.

The National Institute of Standards and Technology (NIST) regularly publishes the Cybersecurity Framework (CSF), which can be paired with the guidance of regulatory and advisory bodies such as the Federal Financial Institutions Examination Council (FFIEC) to build an effective cybersecurity program. Once an organization has applied the industry-recommended standards, regular audits by a third party, such as TraceSecurity, publisher of this paper, identify which controls are lacking, ongoing, or forthcoming.

TraceSecurity audited a sample set of 16 financial organizations utilizing secondary, non-descriptive data collection throughout the 2019 calendar year. These findings highlight the most common NIST CSF controls deemed “Not Implemented” at the end of the auditing process. While the scope of this whitepaper may not be quantitatively comprehensive, our analysis points to timely trends, broad tendencies, and typical cybersecurity shortcomings exhibited in the financial sector.
