

The Hidden Dangers of Unchecked Risk in Banking: A Yearlong Case Study


During April, a significant VPN vulnerability led to data breaches at over seventy financial institutions utilizing Marquis Software’s infrastructure. This incident, as reported by American Banker, highlighted the impact of a single vulnerability on a large scale. Despite the existence of a patch and recent penetration tests, the exposure persisted and spread across the institutions affected.

[Figure: attack flow]

The structural weakness lies in the gap between annual external penetration tests. A test typically lasts two to three weeks, which leaves approximately 345 days of operational reality unvalidated each year, ample time for an attacker to find and exploit an exposure that did not exist when the test was run.

According to Mandiant’s M-Trends 2026 report, the median dwell time for security breaches in 2025 was fourteen days, meaning that by the time an intrusion is detected, an attacker has typically had two weeks inside the environment. Furthermore, CrowdStrike’s 2026 Global Threat Report identified financial services as the fourth most targeted sector for interactive intrusions, highlighting the need for continuous vigilance.

Regulatory Standards and Testing Frequency

Regulatory frameworks such as PCI DSS, the FFIEC guidance, and the NYDFS cybersecurity regulation all emphasize the importance of penetration testing. However, their focus is shifting towards continuous testing rather than reliance on annual assessments alone.

PCI DSS 4.0 Requirement 11.3.1 now mandates external penetration testing after significant infrastructure changes, recognizing the need for proactive security measures. Similarly, the FFIEC IT Examination Handbook views penetration testing as an ongoing process integral to vulnerability management, not just a one-time event. NYDFS Section 500.05 also requires annual testing alongside continuous monitoring to adapt to evolving threats.

These regulatory frameworks acknowledge the dynamic nature of modern banking infrastructure, shaped by digital transformations, cloud migrations, fintech integrations, and M&A activities. The focus is no longer on annual testing but on testing the evolving attack surface effectively.

Case Study: The Impact of Gaps in Testing

An engagement at a regional bank revealed a critical vulnerability in a customer-facing mortgage origination portal operated by a third-party vendor but fronted by the bank’s subdomain. This vulnerability allowed unauthorized access to sensitive information, posing a significant risk to data security.

The exposure stemmed from an API endpoint with insufficient access controls, which allowed confidential data belonging to multiple financial institutions on the same platform to be extracted. The breach could lead to fraudulent activities and compliance issues, highlighting the importance of thorough and continuous testing.
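The class of flaw the case study describes, a shared-platform endpoint that authenticates callers but does not bind each record to the caller's institution, shown as an added Python example beside a tenant-scoped fix. This is illustrative code written for this article, not the vendor's or Sprocket Security's; the record store, session shape and handler names are assumptions.

```python
"""Illustrative multi-tenant API authorization gap and its fix.

Constructed example; not code from the article, Sprocket Security, or the
vendor portal it describes. The record store, session shape and handler
names are assumptions used to show the failure mode: a cross-tenant read.
"""
from dataclasses import dataclass

# Constructed sample data: a shared vendor platform hosting two banks' records.
RECORDS = {
    "APP-1001": {"institution": "bank-a", "applicant": "A. Borrower", "ssn_last4": "1234"},
    "APP-2001": {"institution": "bank-b", "applicant": "B. Borrower", "ssn_last4": "5678"},
}

@dataclass(frozen=True)
class Session:
    """Authenticated caller; the institution comes from the credential, not the request."""
    user: str
    institution: str

class Forbidden(Exception):
    pass

def get_application_vulnerable(session: Session, app_id: str) -> dict:
    """Lax handler: the caller is authenticated, but nothing checks which tenant
    owns the record, so any valid session on the platform can read any bank's data."""
    return RECORDS[app_id]

def get_application_scoped(session: Session, app_id: str) -> dict:
    """Hardened handler: object-level authorization bound to the session's tenant.
    Unknown and foreign ids raise the same error, so ids cannot be enumerated."""
    record = RECORDS.get(app_id)
    if record is None or record["institution"] != session.institution:
        raise Forbidden(f"{session.user} may not read {app_id}")
    return record

def cross_tenant_read_possible(handler) -> bool:
    """Regression check a continuous-testing harness could run after every deploy:
    can a bank-a session read bank-b's application through this handler?"""
    try:
        handler(Session("analyst@bank-a", "bank-a"), "APP-2001")
        return True
    except (Forbidden, KeyError):
        return False

if __name__ == "__main__":
    print("vulnerable:", cross_tenant_read_possible(get_application_vulnerable))  # True
    print("scoped:    ", cross_tenant_read_possible(get_application_scoped))      # False
```

Running the check on every deployment, rather than once a year, is what turns the tenant-ownership rule into a continuously validated control.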

Benefits of Continuous Testing

Continuous testing addresses the limitations of annual testing by actively monitoring and assessing the evolving attack surface. By identifying vulnerabilities in real-time and responding promptly, institutions can mitigate risks effectively.

Automation plays a vital role in surfacing potential threats, but human intervention is essential to validate and understand the true impact of vulnerabilities. Continuous testing ensures that security measures align with the current infrastructure and address emerging threats proactively.

Adopting a continuous testing model, as advocated by Sprocket Security, enables institutions to stay ahead of evolving threats and maintain compliance with regulatory standards.

Closing the Gap: Embracing Continuous Testing

The 345-day gap in traditional annual testing models underscores the need for a paradigm shift towards continuous testing. By prioritizing ongoing assessments that align with infrastructure changes, institutions can enhance their security posture and protect against evolving threats effectively.


In conclusion, the key to robust cybersecurity in the financial sector lies in embracing continuous testing practices that adapt to the dynamic nature of modern banking infrastructure.

Explore how continuous testing can strengthen your security framework in the financial industry.

Presented by Sprocket Security.
