Financial services strong in prevention but slow on threat fixes
New research from Cobalt reveals that while the financial services sector prevents more critical cybersecurity vulnerabilities than most other industries, it is slower to resolve those that do arise, creating a backlog that could result in systemic risks.
Prevention versus remediation
The State of Pentesting in Financial Services 2025 report highlights that financial services organisations are highly effective at stopping serious vulnerabilities from surfacing in the first place, ranking near the top compared with 12 other industries.
Despite this strength in prevention, the industry is significantly slower in resolving existing threats. Cobalt's data shows a median time to remediation (MTTR) of 61 days for the sector, ranking 11th out of 13 industries studied. This is in stark contrast with industries such as hospitality, which resolves serious vulnerabilities in a median of 20 days.
The industry also maintains a half-life of 147 days for serious findings - a measure that reflects not just resolution time, but also how long vulnerabilities persist without being fixed. This places financial services ninth among the sectors analysed, pointing to a notable backlog.
Resolution challenges and security debt
Financial services firms resolve roughly two-thirds (66.7%) of serious vulnerability findings. However, this places them 10th out of 13 industries for resolution rates, highlighting persistent challenges in remediation. According to the report, a considerable portion of vulnerabilities, amounting to a third, remain unresolved, increasing systemic risk.
The longer vulnerabilities remain unaddressed, the greater the potential for exploitation or breach. As the report outlines, this unresolved security debt leaves organisations exposed to various threats, despite their strong preventive practices.
Automation and its limitations
The financial services sector has invested in mature application security (AppSec) programmes and automated scanning tools such as Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). These measures have resulted in lower rates of certain vulnerabilities compared to other sectors; for example, financial services have seen cross-site scripting in just 5.0% of tested web applications and APIs, compared to an average 9.7% elsewhere. Similarly, server-side injection appears at 4.2% in financial services tests versus a 5.3% average in other industries.
Nonetheless, the report identifies areas where human-led penetration testing uncovers issues automation cannot detect. These include higher rates of sensitive data exposure (10.5% compared to 8.0% in other sectors), business logic flaws (2.9% versus 2.3%), server security misconfigurations (34.9% versus 27.9%), and components with known vulnerabilities (6.1% versus 5.5%).
"Financial services organizations have some of the most advanced security programs in the world, which is why they see relatively few serious vulnerabilities surface in testing. The challenge is not prevention, but remediation. Too often, critical findings linger far longer than they should. This backlog of unresolved vulnerabilities creates systemic risk that automation alone cannot solve. As financial institutions adapt to new pressures, like genAI and evolving regulatory scrutiny, closing the gap between discovery and remediation will be essential to maintaining customer trust and resilience."
According to Gunter Ollmann, Chief Technology Officer, Cobalt, these vulnerabilities often require human-led penetration testing because they involve complex data flows, legacy systems, and business-specific logic that automated scanners cannot effectively interpret.
Pentesting practices and operational pressures
Despite slower remediation times on average, 78% of financial services firms report meeting their internal service level agreement (SLA) targets by fixing critical vulnerabilities in business-critical assets within 14 days. This suggests a prioritised approach when it comes to the most vital areas of business operations.
However, operational challenges persist, with 70% of organisations stating that delays in scheduling pentests can affect compliance or business timelines. These delays can result in potential issues remaining unaddressed for longer periods, further complicating the risk landscape.
External and internal threats continue to amplify the risks posed by slow remediation. Financial services security leaders highlight third-party software vulnerabilities (76%), risks associated with generative artificial intelligence (68%), and insider threats (46%) among their top concerns.
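To make the remediation metrics discussed above concrete (median time to remediation, half-life, resolution rate, and the 14-day SLA check for business-critical assets), here is an added example that is not from the Cobalt report or its tooling; it computes those figures over a constructed set of findings, and the record layout, dates and reporting date are assumptions.

```python
from datetime import date
from statistics import median

# Constructed sample of serious findings (illustrative, not report data): each has
# a discovery date, an optional fix date, and whether it sits in a critical asset.
FINDINGS = [
    {"id": "F1", "found": date(2025, 1, 6),  "fixed": date(2025, 1, 15), "critical_asset": True},
    {"id": "F2", "found": date(2025, 1, 6),  "fixed": date(2025, 3, 20), "critical_asset": False},
    {"id": "F3", "found": date(2025, 1, 20), "fixed": None,              "critical_asset": False},
    {"id": "F4", "found": date(2025, 2, 3),  "fixed": date(2025, 2, 10), "critical_asset": True},
    {"id": "F5", "found": date(2025, 2, 3),  "fixed": date(2025, 5, 1),  "critical_asset": True},
    {"id": "F6", "found": date(2025, 2, 17), "fixed": None,              "critical_asset": False},
]
AS_OF = date(2025, 6, 30)  # assumed reporting date, used to age still-open findings

def days_open(f, as_of=AS_OF):
    """Time to fix for resolved findings, time open so far for unresolved ones."""
    end = f["fixed"] or as_of
    return (end - f["found"]).days

def resolution_rate(findings):
    """Share of findings that have a fix date."""
    return sum(1 for f in findings if f["fixed"]) / len(findings)

def mttr_days(findings):
    """Median time to remediation, computed over resolved findings only.
    Open findings are invisible here, which is why MTTR can look healthy
    while a backlog grows."""
    return median(days_open(f) for f in findings if f["fixed"])

def half_life_days(findings, as_of=AS_OF):
    """Days until half of ALL findings (open ones included) were fixed.
    Unresolved findings never contribute a fix, so a backlog pushes this
    out; returns None if fewer than half of the findings were ever fixed."""
    ages = sorted(days_open(f, as_of) for f in findings if f["fixed"])
    need = -(-len(findings) // 2)  # ceil(n / 2)
    return ages[need - 1] if len(ages) >= need else None

def sla_met(findings, sla_days=14):
    """Share of critical-asset findings fixed within the SLA window."""
    crit = [f for f in findings if f["critical_asset"]]
    ok = sum(1 for f in crit if f["fixed"] and days_open(f) <= sla_days)
    return ok / len(crit)

if __name__ == "__main__":
    print("resolution rate:", resolution_rate(FINDINGS))
    print("MTTR (days):", mttr_days(FINDINGS))
    print("half-life (days):", half_life_days(FINDINGS))
    print("14-day SLA met:", sla_met(FINDINGS))
```

On this sample the MTTR (41 days) understates the problem while the half-life (73 days) exposes the two open findings, which is the distinction the report draws between the two measures.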
Research methodology
The report is based on 10 years of Cobalt pentesting data and survey data compiled by Emerald Research, encompassing insights from 500 security leaders and practitioners in organisations ranging from 500 to 10,000 employees.