Many financial firms have high-severity software security flaws over a year old


New research from Veracode has revealed that over three-quarters (76%) of financial institutions carry ‘security debt’, which it defines as any flaw that has gone unfixed for longer than a year - and, shockingly, 50% carry ‘critical security debt’, meaning high-severity flaws that have sat unfixed for that long.

The financial sector is facing a rising number of cyberattacks, and critical infrastructure is proving to be a top target for threat actors.

The average cost of a data breach in the financial sector has hit a staggering $6.08 million, Veracode says - so any security flaw could be costly.

AI-driven attacks

Of all applications in the industry, 40% have security debt, and just 5.5% are flaw-free, so the clock is ticking. The flaws primarily come from financial organizations’ own code (84%); however, the critical flaws overwhelmingly come from third-party dependencies (78%).

Whilst security teams do fix half of the first-party flaws within nine months, flaws in third-party code stick around longer, only being fixed after an average of 13 months. Accordingly, 44% of first-party flaws turn into security debt compared to 52% of third-party flaws.
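The report’s definitions translate directly into a measurement a security team can run against its own scanner output: a finding is security debt once it has stayed open for more than a year, critical security debt when it is also high severity, and the first-party versus third-party split comes from where the flaw lives. The script below is an added example, not code from Veracode or the article; the `Finding` record, the field names and the sample findings are constructed for illustration, and `AS_OF` is an assumed reporting date.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Thresholds follow the report's definitions: a flaw is "security debt" once it has
# stayed unfixed for more than a year, and "critical security debt" when it is also
# high severity. Severity labels are an assumption about the scanner's vocabulary.
DEBT_THRESHOLD_DAYS = 365
HIGH_SEVERITIES = {"high", "critical"}


@dataclass(frozen=True)
class Finding:
    """One scanner finding (constructed record shape, not Veracode's export format)."""
    finding_id: str
    severity: str                    # low | medium | high | critical
    origin: str                      # "first-party" (own code) or "third-party" (dependency)
    first_seen: date
    fixed_on: Optional[date] = None  # None while the flaw is still open


def open_age_days(f: Finding, as_of: date) -> int:
    """Days the finding stayed open: measured to its fix date, or to `as_of` if still open."""
    end = f.fixed_on if f.fixed_on is not None else as_of
    return (end - f.first_seen).days


def is_security_debt(f: Finding, as_of: date) -> bool:
    """Still open and older than the one-year threshold."""
    return f.fixed_on is None and open_age_days(f, as_of) > DEBT_THRESHOLD_DAYS


def is_critical_debt(f: Finding, as_of: date) -> bool:
    """Security debt whose severity is high or critical."""
    return is_security_debt(f, as_of) and f.severity in HIGH_SEVERITIES


def debt_report(findings, as_of: date) -> dict:
    """Per-origin totals, debt counts and median time-to-fix for the flaws already closed."""
    report = {}
    for origin in ("first-party", "third-party"):
        group = [f for f in findings if f.origin == origin]
        debt = [f for f in group if is_security_debt(f, as_of)]
        fixed = [f for f in group if f.fixed_on is not None]
        report[origin] = {
            "total": len(group),
            "security_debt": len(debt),
            "critical_debt": sum(is_critical_debt(f, as_of) for f in debt),
            "median_days_to_fix": median(open_age_days(f, as_of) for f in fixed) if fixed else None,
        }
    return report


# Constructed sample data: a small backlog as a scanner might report it.
AS_OF = date(2024, 10, 1)  # assumed reporting date
SAMPLE_FINDINGS = [
    Finding("F1", "high", "first-party", date(2023, 1, 15)),                      # open > 1y: critical debt
    Finding("F2", "medium", "first-party", date(2023, 4, 1), date(2023, 10, 1)),  # fixed in 183 days
    Finding("F3", "low", "first-party", date(2024, 3, 1)),                        # open, but under a year
    Finding("F4", "high", "first-party", date(2023, 6, 1), date(2024, 1, 10)),    # fixed in 223 days
    Finding("T1", "critical", "third-party", date(2023, 2, 1)),                   # open > 1y: critical debt
    Finding("T2", "high", "third-party", date(2023, 5, 20), date(2024, 7, 1)),    # fixed, but took 408 days
    Finding("T3", "medium", "third-party", date(2023, 8, 1)),                     # open > 1y: non-critical debt
    Finding("T4", "low", "third-party", date(2024, 6, 1)),                        # open, recent
]

if __name__ == "__main__":
    for origin, stats in debt_report(SAMPLE_FINDINGS, AS_OF).items():
        print(origin, stats)
```

Feeding real scanner exports through `debt_report` turns the report’s headline percentages into a number for your own estate; the median time-to-fix per origin is the figure to watch, because a fixed flaw that took over a year to close was security debt for most of its life.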

“The high rate of security debt in the financial sector poses significant risks to organizations and their customers if not addressed quickly,” said Chris Wysopal, Chief Security Evangelist at Veracode.

“As AI-driven cyber-attacks continue to grow in strength and numbers, and organizations struggle to keep up with evolving regulations due to existing security debt, the current landscape allows threat actors to exploit vulnerabilities at an alarming, unprecedented rate.”

This trend is one we’ve seen repeated across the board, with AI changing the cybersecurity landscape on both sides. Cybercriminals show no signs of relenting, so even minor flaws could end up costing your organization millions.

Ellen Jennings-Trace
Staff Writer

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.