01.04.2025
Reading time: 5-6 minutes

Cyber threats are rising, but is the finance sector securing the right layer? 

Software Improvement Group


Summary

Our Finance signals 2025 report takes a deep dive into security in the Financial Services Industry (FSI). While FSI is ahead of other industries in terms of security, 44% of systems still have an average or below-average security rating, leaving them exposed to potential breaches. 
 
On average, systems contain 19 critical security flaws, creating major operational and compliance risks. We also found a clear link between security rating and maintainability: well-built systems are twice as likely to meet strong security standards. 
 
Open-source vulnerabilities are another major concern: 50-60% of enterprise systems contain at least one risky dependency each month, and 30% have a critically vulnerable dependency.   
 
Read the full report to see how financial organizations can strengthen security and stay ahead of evolving threats. 


Introduction

Cyber threats are growing more sophisticated, and financial institutions are a prime target. In an industry built on trust, software security is non-negotiable, but our research shows that nearly half of FSI systems still fall short of recommended security standards. 
 
Too often, security is treated as a final checkpoint rather than something built into the development process from the start. This reactive approach leaves organizations exposed to breaches, compliance issues, and expensive last-minute fixes. 
 
A common misconception is “We do penetration testing, so we’re secure.” While pentesting is an important security measure, it’s not enough. Since it usually happens late in development, vulnerabilities are only caught when they’re difficult and costly to fix. 
 
A better approach is Security by Design: proactively baking security into every stage of the software development lifecycle (SDLC). Shifting from reactive to proactive security practices is key to reducing risk and building long-term resilience. 

A multi-layered approach to cybersecurity

A strong cybersecurity posture requires a layered approach combining multiple security measures. When it comes to software security testing, there are three key methodologies to be aware of: 

Security Testing Method | Description
Penetration Testing (Pentest) | Simulates external attacks to uncover vulnerabilities.
Static Application Security Testing (SAST) | Analyzes source code to detect weaknesses before deployment.
Software Composition Analysis (SCA) | Scans third-party open-source libraries and dependencies for known vulnerabilities.

No single method is enough on its own. Software Improvement Group’s security assessment covers SAST and SCA, complementing penetration testing rather than replacing it. Each approach catches vulnerabilities that the others might miss, making them stronger together. 

At our recent Avoiding a False Sense of Cybersecurity webinar, SIG security consultant Asma Oualmakran compared software security to protecting a house. Penetration testing is like checking whether your front door is locked: it assesses overall security from the outside.  
 
But what happens if someone gets in? That’s where SAST comes in, identifying weak spots inside the system that an attacker could exploit. Meanwhile, SCA examines external libraries, ensuring you’re not unknowingly bringing vulnerabilities into your system.
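To make the "weak spots inside the system" concrete, here is a small SAST-style scanner added as an example. It is not SIG's security model or any product's code; it walks a Python abstract syntax tree and flags a handful of well-known weakness patterns (dynamic code execution, shell command construction, weak hashes, hardcoded credentials). The OWASP Top 10 (2021) category labels are my own mapping, the rule names are invented for this example, and the scanned "application" source is a constructed sample.

```python
"""Minimal SAST-style scanner (illustrative; not SIG's security model)."""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str      # rule name invented for this example
    owasp: str     # OWASP Top 10 (2021) category the rule is mapped to (my mapping)
    detail: str


def _call_name(node: ast.Call) -> str:
    """Return a dotted callee name such as 'subprocess.run' or 'eval' ('' if unknown)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


class WeaknessVisitor(ast.NodeVisitor):
    """Walks the AST and records findings for a few common weakness patterns."""

    SECRET_NAMES = ("password", "passwd", "secret", "api_key", "token")
    SHELL_CALLS = ("subprocess.run", "subprocess.Popen",
                   "subprocess.call", "subprocess.check_output")

    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def _add(self, node: ast.AST, rule: str, owasp: str, detail: str) -> None:
        self.findings.append(Finding(node.lineno, rule, owasp, detail))

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in ("eval", "exec"):
            self._add(node, "dynamic-code-execution", "A03:2021 Injection",
                      f"call to {name}()")
        elif name in self.SHELL_CALLS:
            # shell=True hands the command string to a shell, so any untrusted
            # input concatenated into it becomes a command injection.
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self._add(node, "shell-injection", "A03:2021 Injection",
                              f"{name}(shell=True)")
        elif name in ("hashlib.md5", "hashlib.sha1"):
            self._add(node, "weak-hash", "A02:2021 Cryptographic Failures",
                      f"use of {name}")
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # A non-empty string literal assigned to a secret-looking name.
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        s in target.id.lower() for s in self.SECRET_NAMES):
                    self._add(node, "hardcoded-credential",
                              "A07:2021 Identification and Authentication Failures",
                              f"string literal assigned to {target.id}")
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    """Parse Python source text and return findings sorted by line number."""
    visitor = WeaknessVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample application code with deliberate weaknesses (not real code).
SAMPLE_SOURCE = '''\
import hashlib
import subprocess

DB_PASSWORD = "hunter2"                          # line 4: hardcoded credential

def lookup(user_input):
    digest = hashlib.md5(user_input.encode())    # line 7: weak hash
    subprocess.run("ls " + user_input, shell=True)  # line 8: shell injection
    return eval(user_input)                      # line 9: dynamic code execution
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: [{f.owasp}] {f.rule}: {f.detail}")
```

Running the block on the sample reports four findings (lines 4, 7, 8 and 9). A real SAST engine adds data-flow analysis so that, for example, only `eval` calls reachable from untrusted input are reported; the pattern rules here are enough to show why this kind of check runs at commit time rather than after deployment.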

By combining these techniques, organizations can take a proactive approach to security, reducing risks, staying compliant, and ensuring software is built securely from the start.

44% of FSI systems have an average or below-average security rating

While it’s reassuring to see that FSI organizations are performing better than the average across industries, 44% of FSI systems still fall into the average or below-average security category. This leaves them vulnerable to compliance risks, fraud, and reputational damage. 

To measure security performance, we analyzed active security findings across all systems in our data warehouse on a random day in June 2023. Our SAST (Static Application Security Testing) security model ranks software systems using a 1- to 5-star rating based on a deep analysis of source code and infrastructure. This evaluation includes:

  • Reviewing the codebase and other artifacts such as documentation to derive scores for various system properties.
  • Mapping findings to the OWASP Top 10, which identifies the ten most critical risks in web application security.
  • Providing an industry benchmark to help organizations understand how well security is integrated into their software.

Here's what the star ratings indicate:

  • 1 star → Severely low degree of security controls.
  • 2 stars → Very low degree of security controls.
  • 3 stars → Low degree of security controls.
  • 4 stars → Moderate degree of security controls.
  • 5 stars → High degree of security controls.

It's important to note that a 4- or 5-star rating doesn't guarantee complete security. It simply means security has been embedded in the software, reducing the likelihood of vulnerabilities.

The OWASP Top 10, compiled by security experts from around the world, serves as an essential awareness document. Organizations are encouraged to incorporate its findings into their processes to better identify, reduce, and manage security risks. 

Stronger software, stronger security

Our benchmark data shows that systems with above-market-average build quality are twice as likely to achieve strong security compliance. The data is clear: poor software quality correlates with more security vulnerabilities.

The visual shows an estimate based on a snapshot of active security findings across all systems in our data warehouse on a random day in June 2023. The darker blue areas indicate where security risks are most concentrated.

We can see that systems with a 3-star maintainability score have a 54% higher security rating than those with 2 stars. Systems with 4 stars outperform even further, with a 108% higher security rating. 

Why does this happen? Poorly structured software is harder to understand, modify, and test. This makes it more difficult to spot vulnerabilities, implement security measures across all critical areas, and maintain those protections over time. 

Common issues like outdated dependencies, weak encryption, and coding errors all create entry points for attackers. And while firewalls, intrusion detection, and threat monitoring are valuable, they can’t make up for weak foundations. 

By embedding secure coding practices and software quality management into the core of the software development lifecycle, FSI organizations can proactively reduce risk, detect vulnerabilities early, and prevent costly breaches. 

Yiannis Kanellopoulos, Founder & CEO at code4thought, highlighted the importance of secure coding and early vulnerability detection in our recent Avoiding a False Sense of Cybersecurity webinar: “The sooner you fix security issues in your development lifecycle the cheaper it will get and the more secure you’re going to make your system.”

The scale of security findings

How many security risks exist in a typical software system? Based on our data, we estimate that an average-sized system contains 19 critical security findings, a concerning number for financial organizations handling sensitive data. 

This estimate is based on a snapshot of active security findings across all systems on a single day in June 2023. The number of findings was translated into an average of 1.16 security findings per person-year (system size), which was then used to estimate critical security findings per system (1.16 × 16.3 ≈ 19).

A software system consists of interrelated programs, data, and documentation working together for specific functions, each with its own team. A single application can include multiple interconnected systems. In our benchmark, the average system size is 16.3 person-years: it would take a single person that long to rebuild it from scratch. This number represents a typical system size, but FSI systems can be up to ten times larger. Generally, larger systems tend to have lower security ratings and more security findings, while smaller systems often achieve higher security ratings.

To assess security risks, we conduct a thorough analysis of source code, infrastructure, and documentation. These findings are then mapped to the OWASP Top 10, a globally recognized list of critical web application security risks. The OWASP Top 10, compiled by security experts worldwide, serves as an awareness document. Organizations are encouraged to integrate its findings into their processes to reduce and manage security risks more effectively.

Not every security flaw turns into a breach, but with the average breach globally costing $4.88 million, why take the risk? Catching vulnerabilities early in the development process can help FSI organizations prevent breaches, avoid costly disruptions, and protect their reputation. 

And the earlier, the better. Fixing security issues later in development, or worse, after deployment, is exponentially more expensive. 

Yiannis Kanellopoulos emphasizes this point: “We are working together with them in order to educate them of what secure coding means, what are the main elements and the main aspects, and then what is the proper tooling that will help them.” 

The open-source dilemma

Open-source software (OSS) is becoming a key part of FSI organizations’ digital transformation strategies. According to the 2024 State of Open-Source Report nearly 60% of FSI organizations are increasing their use of OSS. And it’s easy to see why: OSS helps cut costs, speed up development, and allows for greater customization.

But it also comes with hidden risks.

Our 2023 Benchmark Report showed that 50-60% of enterprise systems contain at least one vulnerable open-source dependency each month, and 30% have a critically vulnerable dependency. And these vulnerabilities can have real financial consequences.

Take the Okta hack in 2023, where a security breach wiped out more than $2 billion in market cap. This incident shows just how damaging security flaws in widely used software can be. This example was shared during our recent AMA on security and Open Source, where we discussed why relying on OSS without proper security measures is a high-risk game.

To manage these risks, SCA is essential. SCA scans open-source dependencies for vulnerabilities, licensing issues, and legal risks, helping financial organizations stay secure while tapping into the benefits of OSS.
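The dependency check that SCA performs, shown as an added example rather than SIG's tooling: a pinned lockfile is parsed, each dependency's version is compared against an advisory's affected range, and the result is summarized into the two per-system facts the report counts (has any vulnerable dependency; has a critically vulnerable one). The package names, advisory identifiers and version ranges below are all constructed for the example, and the simple numeric version comparison stands in for the ecosystem-specific version semantics a real tool would use.

```python
"""Minimal SCA-style dependency check (illustrative; not SIG's tooling)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first fixed version (exclusive); None if no fix yet
    severity: str            # e.g. "low", "medium", "high", "critical"
    advisory_id: str         # placeholder ids; not real advisories


def parse_version(text: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so tuples compare in version order.

    Pre-release and build tags are deliberately not handled; a real SCA tool
    applies the ecosystem's own rules (PEP 440, semver, Maven, ...).
    """
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def parse_lockfile(text: str) -> dict:
    """Parse 'name==version' lines; comments and blank lines are ignored.

    Unpinned entries are rejected because a range cannot be matched reliably.
    """
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned dependency: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps


def scan_dependencies(lockfile_text: str, advisories: list) -> list:
    """Return (package, installed_version, advisory) for every match."""
    deps = parse_lockfile(lockfile_text)
    hits = []
    for adv in advisories:
        version = deps.get(adv.package.lower())
        if version is not None and is_affected(version, adv):
            hits.append((adv.package, version, adv))
    return hits


def summarize(hits: list) -> dict:
    """The two per-system facts the benchmark counts month by month."""
    return {
        "has_vulnerable_dependency": bool(hits),
        "has_critical_dependency": any(a.severity == "critical" for _, _, a in hits),
    }


# Constructed advisory feed for fictional packages (placeholder ids).
SAMPLE_ADVISORIES = [
    Advisory("fastparse", "0.0", "2.3.1", "high", "EXAMPLE-ADV-0001"),
    Advisory("authkit", "1.0", "1.4.2", "critical", "EXAMPLE-ADV-0002"),
    Advisory("imgtool", "3.0", None, "medium", "EXAMPLE-ADV-0003"),
    Advisory("logfmt", "0.9", "1.0", "low", "EXAMPLE-ADV-0004"),
]

# Constructed lockfile for a fictional system.
SAMPLE_LOCKFILE = """\
# constructed lockfile, not from a real project
fastparse==2.3.1         # exactly the fixed version -> not affected
authkit==1.3.0           # inside the affected range -> critical
imgtool==3.5.0           # affected, no fix published yet
httpclient-lite==2.0.0   # no advisory
"""

if __name__ == "__main__":
    found = scan_dependencies(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES)
    for package, version, adv in found:
        print(f"{package}=={version}: {adv.severity} ({adv.advisory_id}), fixed in {adv.fixed}")
    print(summarize(found))
```

Note the boundary handling: `fastparse==2.3.1` is not reported because the fixed version is exclusive, while `imgtool` is reported even though no fix exists, which is exactly the case where a team has to decide between accepting the risk, adding a mitigation, or replacing the component.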

Building a resilient cybersecurity framework

As we’ve learned, cybersecurity is a lot more than just firewalls and monitoring. It starts with the code itself. FSI organizations must adopt a secure-by-design approach, integrating security into every stage of software development rather than just testing after deployment.

This means implementing SAST to detect security flaws directly in the source code and using SCA to identify vulnerabilities in third-party and open-source components.

By improving software maintainability, addressing vulnerabilities early, and managing open-source dependencies effectively, FSI organizations can build more resilient software and maintain customer trust despite inevitable cyber threats.

These insights come from our latest report, Finance SIGNALS 2025, packed with exclusive IT insights from our benchmark research and 25 years of expertise in optimizing financial IT. It’s a must-read for CIOs, CTOs, and technology leaders looking to make informed, strategic decisions.

Download the full Finance SIGNALS 2025 report here.
