
STATE OF FINANCIAL SERVICES CYBERSECURITY
Your guide to the financial services threat landscape
Banks and financial institutions hold some of the largest collections of sensitive, private, and valuable
information in the world, not to mention the money that banks hold. Everything from personally
identifiable information (PII) to check routing data and global stock and investment algorithms — these
records have a long shelf life, and cyber attackers can use them to conduct identity theft and fraud. The
loss of this data and intellectual property could have a major effect on a bank’s brand reputation and
customer loyalty.

No financial system or application is safe from attack.

• Cyberattacks cost financial services firms more to address than firms in any other industry at $18
million per firm (vs. $12 million for firms across industries).

• Financial services firms also fall victim to cybersecurity attacks 300 times more frequently than
businesses in other industries.

• While the typical American business is attacked 4 million times per year, the typical American
financial services firm is attacked a staggering 1 billion times per year.

The financial services market has been one of the most heavily targeted industries for years. As financial
organizations continue developing, deploying and managing highly-connected and distributed products,
combating external threats continues to be a major challenge.

• As attack surfaces become more complex, attackers are upping their intensity and resourcefulness
to capitalize on security vulnerabilities.

• The pressure on short time-to-market delivery timelines continues to increase.

• Hiring and training internal resources is more and more difficult as the cybersecurity job
deficiency grows.

• Traditional security methods are falling short, as the major data breaches at financial services and
banking companies in the past few years prove.

By recognizing that hackers will find vulnerabilities and exploit them, leaders can improve the way they
design and deliver services, manage risks, and train their teams.

1 | STATE OF FINANCIAL SERVICES CYBERSECURITY


State of the Financial Services Landscape
This data is collected from Financial Services programs running January 1, 2017 to March 31, 2019.

[Chart: Vulnerabilities Submitted]

Bugcrowd's expert triage team takes care of this noise so all you see are the valid vulnerabilities.
At 95%, Bugcrowd offers the best signal-to-noise ratio in the industry.
From 2017 to 2018, we saw a significant increase in vulnerability submissions — 106.9%. While we see
an uptick in submissions in Q2 year-on-year, we are on track to see a steady increase in vulnerabilities
again this year.

The criticality scale for a submission ranges from Priority 1 (P1) to Priority 5 (P5), 1 being the most critical,
5 being the least critical. This scale provides researchers and organizations with a baseline for prioritizing
a fix and for the potential reward amount. Our Vulnerability Rating Taxonomy rates the priority of
vulnerabilities by type.

[Chart: Valid Submissions by Criticality Over Time]

[Chart: Valid Submissions by Criticality]

Across programs run by financial services
organizations, more than 8% of all submissions are
classified by the organization as P1 submissions,
the most critical vulnerabilities, and the majority of
the vulnerability submissions fall in the P4 level of
criticality, just over 37%.

[Chart: Valid Submissions by Targets]

Financial services programs see the majority of submissions, nearly 70%, against website targets.



Bounty payout volume and average bug cost are correlated to the overall health of programs
and the severity of vulnerabilities submitted. Total payouts in Q1 2019 increased by 69.8% compared to
Q1 2018. Financial Services organizations running crowdsourced security programs are increasing their
security maturity and criticality levels, therefore increasing the market rate for vulnerabilities.

[Chart: Vulnerability Payouts]

For Financial Services companies, the average payout for Q1 2019 was $887.84 per vulnerability, the
highest it’s ever been for the industry — up 82% year-on-year.

[Chart: Average Payouts]



[Chart: Average Payouts by Criticality]

The average payout for a critical vulnerability (P1) in Q1 2019 is $3,184.62, which is higher than in any
previous year. As the year goes by, we’ll see that number slightly decrease as more vulnerabilities are
reported. In 2018, the average P1 payout was $1,653.83.

Over the last few years, crowdsourced cybersecurity has seen increased adoption in financial services.
Security operations centers (SOCs) at financial institutions are seeing value in working with the ethical
hacking community to actively find and remediate vulnerabilities within their respective infrastructures
and systems. The thinking is that the sooner you can locate signs of a vulnerability in your systems,
the sooner you can address it. While they know it’s necessary, not all banks or financial services
organizations have the resources or can find the talent to perform in-house testing.

Crowdsourced security programs provide smaller security teams access to hundreds of thousands of
the best ethical hackers in the world, and allow large security teams to focus on what matters most, like
serving customers and managing funds. With the rise of online and mobile banking, cryptocurrency,
and the legal liability and brand reputation implications that come from a breach, Bugcrowd is here to
help, uncovering complex, creative vulnerabilities that a standard vulnerability scanner or traditional
pen test cannot.



Bugcrowd leverages a global Crowd of trusted, vetted, and experienced hackers and pen testers
to find vulnerabilities inside financial systems before adversaries can. Combine that with a powerful,
intelligent platform that can streamline the remediation, management, and reporting, and you have a
scalable cybersecurity team on your side.

Crowdsourced Security Adoption


The scope of cybersecurity continues to expand as attackers and defenders develop new strategies and
tactics. The result? Cyber adversaries are constantly finding new ways to penetrate businesses’ defenses.
Moreover, the targeted nature of many cyberattacks increases the need for organizations to take proactive
measures.

The evolving threat landscape and the ever-widening security skills gap are giving rise to community-based
programs such as crowdsourced cybersecurity, an important evolution that’s fast becoming a foundational
element of any organization’s cybersecurity program.

ADOPTION IS AT AN ALL TIME HIGH

87% of companies (90% of enterprise companies) are already running or plan to run a crowdsourced
security program in the next 12 months.

THE BENEFITS UNLOCK ROI

Paying for valid results rather than time or effort, continuous application coverage, and varied skills
and expertise are the top 3 benefits CISOs see with crowdsourced security.

NEXT GEN PEN TESTS ARE THE FUTURE

93% of organizations see benefit in crowdsourced security solutions for pen testing. The addition of
next gen pen testing leads to better outcomes for businesses, including faster remediation of severe
vulnerabilities and lower average testing cost.

MEET COMPLIANCE REQUIREMENTS

Crowdsourced programs aim to satisfy requirements from auditors and reviewers with security standards
in mind. Align cybersecurity programs with best practices, as defined by the US Government, NIST, DOJ,
FDA, and others.

Data pulled from Enterprise Strategy Group research "Security Leadership Study – Trends in Application Security," March 2019

What Bugcrowd customers are saying:

• 71% of surveyed financial services organizations solved challenges with a lack of awareness of
application security issues with Bugcrowd.

• 86% of surveyed financial services organizations report Crowdsourced Security Testing as their top
application security tool.

• 33% of surveyed financial services organizations saved $50,000-$100,000 per month with
Bugcrowd versus traditional testing methods.

• 34% of surveyed financial services organizations saved 75-105 hours per month with Bugcrowd
versus traditional testing methods.

Impact
Financial institutions must assume the risk. Crowdsourced security programs are fundamentally changing
the way financial services organizations approach the security of the Internet — moving from the realm
of novelty towards best practice.

From NIST to the Federal IT Modernization Report, and the Data Security and Breach Notification Act,
having a crowdsourced security program in place is quickly becoming an adhered-to standard for most
industries. State regulations mandate annual penetration tests and bi-annual vulnerability assessments.
While this is good, continuous assessments are best. Protecting customers’ personal assets and data on
a constant basis should be a top priority — consumers today demand it.

Protect valuable assets and maintain trust by more quickly detecting unauthorized transactions, fraud, or
money laundering. Bugcrowd helps you identify the risks before cyber thieves can exploit them, stealing
money and valuable assets.

Trusted by Leading Companies Around the World

Learn why industry leaders have turned to Bugcrowd: bugcrowd.com/get-started
