The half-life for serious findings is 147 days in the financial services industry. This metric, which accounts for unresolved vulnerabilities, places FS ninth overall out of the thirteen measured industries.

Components with known vulnerabilities: 6.1% in the financial services industry (versus 5.5% average in other industries).

Approximately one-third of serious issues are never resolved by the organizations in the financial services industry, contributing to backlog and systemic risk.

76% of financial services leaders highlight third-party software vulnerabilities as a top concern.

Financial services firms demonstrate strengths in avoiding common, code-level flaws due to mature security programs and automated scanning (SAST/DAST). However, they struggle with vulnerabilities that require human-led testing.

Business logic flaws: 2.9% in the financial services industry (versus 2.3% average in other industries).

Server-side injection (Web/API): 4.2% in the financial services industry (versus 5.3% average in other industries).

68% of financial services leaders highlight GenAI-related risks as a top concern.

46% of financial services leaders highlight insider threats as a top concern.

The Median Time to Remediation (MTTR) for serious findings is 61 days in the financial services industry. This ranks financial services 11th of 13 industries measured.

70% of financial services firms report that delays in scheduling pentests sometimes impact compliance or business timelines.

Server security misconfigurations: 34.9% in the financial services industry (versus 27.9% average in other industries).

91% of payment leaders express concern regarding the risks associated with AI.

Nearly half of financial services organizations (49%) operate without formal AI policies.

60% of payment leaders find the current AI fraud detection tools ineffective.

The average duration business operations were affected by ransomware in financial services was 33 days.

Between 2019 and 2023, financial services experienced large losses primarily from data breaches (40.9%) and ransomware (40.9%), followed by other causes (18.2%).

Unapproved GenAI usage rates are highest in technology (40%), financial services (32%), and government (38%).

Banks experienced a +149% rise in synthetic voice attacks in 2024.

Retail fraud doubled, with the sector experiencing an average of one fraud attempt in every 127 calls in 2024. This is five times higher than financial institutions.