Why the Financial Sector Faces AI-driven Cybersecurity Debt

Veracode reports on the finance sector grappling with software security debt
Veracode says financial organisations carry long-standing security flaws, posing risks as AI-powered cyber attacks evolve and regulatory pressures mount

The global financial services industry finds itself at a critical juncture as it navigates an increasingly complex cybersecurity landscape.

As financial institutions worldwide accelerate their digital transformation efforts, they face a growing array of sophisticated cyber threats.

The rise of AI-powered attacks, coupled with a rapidly evolving regulatory environment, has created unprecedented challenges for the sector.

Against this backdrop, recent research from Veracode, a provider of application security solutions, has shed light on a pervasive issue plaguing the financial services sector: the accumulation of security debt.

This concept, analogous to financial debt, refers to long-standing security flaws in software applications that remain unaddressed for extended periods, potentially exposing organisations to significant risks.

The implications of security debt are far-reaching, particularly in the financial sector where the stakes are exceptionally high.

As financial institutions continue to innovate and adopt new technologies to meet customer demands and maintain competitiveness, they must also grapple with the challenge of securing legacy systems and addressing vulnerabilities in their rapidly expanding digital infrastructure.

Security vulnerabilities persist in financial applications

Veracode's report, which analysed data from over a million applications across various industries, reveals a concerning trend in the financial services sector.

According to the study, 76% of financial organisations carry security debt, defined as flaws that remain unfixed for longer than a year.

"The high rate of security debt in the financial sector poses significant risks to organisations and their customers if not addressed quickly."

Chris Wysopal, Chief Security Evangelist at Veracode

Even more alarming is the finding that 50% of these organisations harbour critical security debt – high-severity flaws that pose substantial risks to applications and require immediate attention.

While the financial sector performs slightly better than the cross-industry average, with 40% of applications carrying security debt compared to 42% across all sectors, the report indicates that financial applications tend to accumulate more security debt over time.

This trend is particularly worrying given the sensitive nature of financial data and the potential consequences of a breach in the sector.

The persistence of security debt in financial applications can be attributed to various factors, including resource constraints, competing priorities, and the complexity of legacy systems.

As financial institutions continue to innovate and adopt new technologies, they must also grapple with the challenge of maintaining and securing existing infrastructure.


Chris Wysopal, Chief Security Evangelist at Veracode, emphasised the gravity of the situation: "As AI-driven cyber-attacks continue to grow in strength and numbers, and organisations struggle to keep up with evolving regulations due to existing security debt, the current landscape allows threat actors to exploit vulnerabilities at an alarming, unprecedented rate".

First-party and third-party code vulnerabilities

The research also highlights the need for financial services organisations to address security debt in both first-party and third-party code.

While 84% of all security debt affects first-party code, the majority (79.6%) of critical security debt stems from third-party dependencies.

This finding underscores the importance of comprehensive security measures that encompass not only an organisation's proprietary code but also the open-source and third-party components integrated into their applications.

Distribution of all flaws based on severity rating and security debt status (image credit: Veracode)

The study also revealed significant disparities in remediation timelines between first-party and third-party flaws.

Financial organisations typically fix half of first-party flaws within nine months, compared to 13 months for third-party flaws.

Additionally, 52% of third-party flaws turn into security debt, while 44% of first-party flaws do so.

These findings highlight the challenges financial institutions face in managing and updating third-party dependencies, which often require coordination with external developers or vendors.

The prevalence of security debt in third-party code emphasises the importance of initiatives such as the Cybersecurity and Infrastructure Security Agency's Open Source Software Security Roadmap and Secure by Design Pledge.

The reliance on third-party code and open-source components has become increasingly common in software development, allowing organisations to accelerate innovation and reduce costs.

Key facts from the report:
  • 76.2% of financial services organisations have security debt
  • 69.6% of organisations in other industries have security debt
  • 49.8% of financial services organisations have critical security debt
  • 45.0% of organisations in other industries have critical security debt

However, this approach also introduces new risks that must be carefully managed. Financial institutions must implement robust processes for vetting, monitoring, and updating third-party dependencies to mitigate potential vulnerabilities.

The way forward

Addressing security debt requires a multi-faceted approach that involves not only technical solutions but also organisational and cultural changes.

Financial institutions must prioritise cybersecurity as a core business function rather than treating it as a mere compliance requirement.

One key strategy is to implement a continuous security testing and remediation process.

By integrating security checks throughout the software development lifecycle, organisations can identify and address vulnerabilities earlier, preventing the accumulation of security debt. 
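The article defines security debt as a flaw left unfixed for longer than a year, and critical security debt as high-severity flaws in that state; it also reports median remediation times and the share of flaws that "turn into" debt by origin. The script below applies those definitions to a set of findings and wraps the result in a release gate of the kind a continuous testing process would run in the pipeline. It is an added example written for this article, not Veracode's code or its scoring method: the Finding record layout, the mapping of "high-severity" to the critical and high ratings, the per-origin breakdown and the sample findings are all constructed for illustration.

```python
"""
Security-debt metrics over application-security findings, using the article's
definitions: a flaw unfixed for more than a year is security debt, and a
high-severity flaw in that state is critical security debt. Added example,
not Veracode's code; the Finding shape, the severity mapping and the sample
findings below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Iterable, List, Optional

DEBT_AGE_DAYS = 365                          # "unfixed for longer than a year"
CRITICAL_SEVERITIES = {"critical", "high"}   # assumed meaning of "high-severity"


@dataclass(frozen=True)
class Finding:
    id: str
    origin: str              # "first-party" or "third-party"
    severity: str            # "critical", "high", "medium" or "low"
    opened: date
    fixed: Optional[date] = None

    def age_days(self, as_of: date) -> int:
        """Days the flaw was open: until it was fixed, otherwise until as_of."""
        return ((self.fixed or as_of) - self.opened).days

    def is_debt(self, as_of: date) -> bool:
        """Still open after more than a year, or took more than a year to fix."""
        return self.age_days(as_of) > DEBT_AGE_DAYS

    def is_critical_debt(self, as_of: date) -> bool:
        return self.is_debt(as_of) and self.severity in CRITICAL_SEVERITIES


def debt_summary(findings: Iterable[Finding], as_of: date) -> dict:
    """Share of findings that are security debt, and how much of it is critical."""
    items = list(findings)
    debt = [f for f in items if f.is_debt(as_of)]
    critical = [f for f in debt if f.is_critical_debt(as_of)]
    pct = round(100 * len(debt) / len(items), 1) if items else 0.0
    return {"total": len(items), "debt": len(debt),
            "debt_pct": pct, "critical_debt": len(critical)}


def median_days_to_fix(findings: List[Finding], origin: str, as_of: date):
    """Median remediation time for the fixed flaws of one origin, or None."""
    days = [f.age_days(as_of) for f in findings if f.origin == origin and f.fixed]
    return median(days) if days else None


def debt_rate_by_origin(findings: List[Finding], origin: str, as_of: date) -> float:
    """Percentage of flaws from one origin that turned into security debt."""
    group = [f for f in findings if f.origin == origin]
    if not group:
        return 0.0
    return round(100 * sum(f.is_debt(as_of) for f in group) / len(group), 1)


def release_gate(findings: List[Finding], as_of: date, max_critical_debt: int = 0) -> bool:
    """Pipeline gate: pass only while critical debt stays within the allowed budget."""
    return sum(f.is_critical_debt(as_of) for f in findings) <= max_critical_debt


# Constructed sample findings (not real data) as of a fixed reporting date.
AS_OF = date(2024, 10, 1)
SAMPLE = [
    Finding("F1", "first-party", "high",     date(2023, 1, 10), date(2023, 7, 1)),   # fixed in 172 days
    Finding("F2", "first-party", "medium",   date(2023, 3, 1),  date(2024, 6, 1)),   # fixed after 458 days: debt
    Finding("F3", "first-party", "low",      date(2024, 5, 1)),                      # open 153 days
    Finding("F4", "third-party", "critical", date(2023, 2, 1)),                      # open 608 days: critical debt
    Finding("F5", "third-party", "high",     date(2023, 4, 1),  date(2024, 6, 1)),   # fixed after 427 days: critical debt
    Finding("F6", "third-party", "medium",   date(2024, 1, 15), date(2024, 4, 15)),  # fixed in 91 days
]

if __name__ == "__main__":
    print(debt_summary(SAMPLE, AS_OF))
    for origin in ("first-party", "third-party"):
        print(origin, "median days to fix:", median_days_to_fix(SAMPLE, origin, AS_OF),
              "debt rate %:", debt_rate_by_origin(SAMPLE, origin, AS_OF))
    print("release gate passes:", release_gate(SAMPLE, AS_OF))
```

Run against the sample, the gate fails because two high-severity third-party flaws have crossed the one-year line; raising `max_critical_debt` would let the build through, which is exactly the budgeting decision the report argues against. Feeding the same functions the scanner export from each build gives a trend line for the debt share rather than a one-off number.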


This approach aligns with the growing trend towards DevSecOps practices, which emphasise the integration of security into the development process from the outset.

Additionally, financial institutions should invest in advanced security tools and technologies, including AI-powered solutions that can automate the detection and prioritisation of vulnerabilities.

These tools can help security teams manage the sheer volume of potential threats and focus their efforts on the most critical issues.

Chris Wysopal concluded with a call to action for the industry: "It has never been more important for the financial services sector to stay ahead of evolving cybersecurity threats, particularly with increasingly sophisticated AI-driven attacks threatening the security of their assets.

"I urge financial institutions to prioritise timely security debt reduction by adopting AI-powered remediation and Application Security Posture Management tools which can detect, prioritise and fix vulnerabilities within seconds."

Cyber Magazine is a BizClik brand