Our banks and insurance carriers hold all our most personal information—social security numbers, addresses, and, of course, bank accounts. If you’re looking for a new bank or insurance vendor, what are your priorities in choosing who to work with? Are you trusting a bank that recently had a massive ransomware attack? Probably not.

The finance and insurance industries are built on the principle of trust, but cyberattacks threaten to erode that trust. In today’s landscape, a single breach can cost millions and destroy customer confidence overnight.

The Problem

Unfortunately, the very trust we place in these institutions is what puts a target on their backs. According to Security Today, 62% of insurance organizations detected a cyberattack in the past year. The Financial Times found that 45% of financial services organizations experienced a ransomware attack. This points to a real problem: how do these institutions maintain their clients' trust, stay compliant, and secure their organizations while they are being actively preyed upon?

Yes, It Could Actually Happen to You...

Many organizations don't take security seriously beyond baseline compliance. It's understandable: skilled people and tooling are costly, and you end up constantly asking yourself, "Do I really need this?" Continuous penetration testing gives organizations an ongoing, comprehensive picture of the exploitable weaknesses and threats to their systems. Periodic testing is already mandatory for these businesses under regulations and standards such as PCI DSS, the FFIEC guidance, and 23 NYCRR 500, but what if organizations started going above and beyond?

Ironically, cybersecurity is a lot like insurance: you hope you never need it, but it's nice to have when you do. And in an age where attackers are getting savvier and sneakier every year, facing an attack is a matter of when, not if. Here are a couple of real-world examples of organizations that faced this exact dilemma:

Equifax Breach of 2017

This is a well-known case in the finance industry, as it is estimated that over 40% of the American population was potentially affected by the breach. Equifax failed to address a critical vulnerability in its infrastructure, and names, dates of birth, Social Security numbers, driver's license numbers, and credit card numbers were compromised.

A well-known vulnerability in Apache Struts (CVE-2017-5638) went unpatched at Equifax even though a fix had been available for months, and attackers used it to gain access to servers holding consumer data. Equifax's handling made it worse: the breach wasn't announced for over a month, withholding information that affected people needed in order to protect themselves. It got worse still when it was revealed that top executives had sold company stock before the breach was made public, leading to accusations of insider trading.

Geico and Travelers Indemnity Breach of 2020

In late 2024, New York State took action against Geico and Travelers Indemnity to the tune of $11.3 million in total. The penalties followed data breaches during the COVID-19 pandemic that compromised the personal information of over 120,000 people. Between 2020 and 2021, Geico was hit with credential stuffing, where attackers take username and password pairs leaked in earlier breaches and replay them against a login page until a pair works, counting on people reusing passwords across sites. Driver's license numbers were exposed, threatening the personal security of roughly 116,000 individuals and breaking the trust of Geico's customers.

In April 2021, Travelers Indemnity was breached as well, this time affecting about 4,000 people. The company did not require multi-factor authentication, so attackers who had stolen employee credentials could log in with nothing more than a username and password.
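The Geico incident above is a good illustration of what credential stuffing looks like from the defender's side. As an added example (not code from Sprocket or from either insurer), the script below scans a login log for the signature of a stuffing run: one source address cycling through many distinct usernames with a high failure rate, which is different from a brute-force attack (one user, many passwords) or a customer who forgot their password (one user, one address). The log format, the sample lines, and the thresholds are assumptions constructed for the example.

```python
"""Flag credential-stuffing patterns in a web login log.

Credential stuffing replays username/password pairs leaked in earlier
breaches. Each stolen pair is usually tried once, so a stuffing run shows up
as one source hitting MANY distinct usernames, mostly failing, with the
occasional success where a victim reused a password.

Added example; the log format and thresholds are assumptions, not any
vendor's export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real traffic). One line per login attempt.
# 198.51.100.7 cycles through ten accounts; 203.0.113.20 is one user retrying.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z ip=198.51.100.7 user=alice result=FAIL
2021-03-01T10:00:02Z ip=198.51.100.7 user=bob result=FAIL
2021-03-01T10:00:02Z ip=198.51.100.7 user=carol result=FAIL
2021-03-01T10:00:03Z ip=198.51.100.7 user=dave result=SUCCESS
2021-03-01T10:00:03Z ip=198.51.100.7 user=erin result=FAIL
2021-03-01T10:00:04Z ip=198.51.100.7 user=frank result=FAIL
2021-03-01T10:00:05Z ip=198.51.100.7 user=grace result=FAIL
2021-03-01T10:00:05Z ip=198.51.100.7 user=heidi result=SUCCESS
2021-03-01T10:00:06Z ip=198.51.100.7 user=ivan result=FAIL
2021-03-01T10:00:07Z ip=198.51.100.7 user=judy result=FAIL
2021-03-01T10:00:09Z ip=203.0.113.20 user=alice result=FAIL
2021-03-01T10:00:15Z ip=203.0.113.20 user=alice result=FAIL
2021-03-01T10:00:21Z ip=203.0.113.20 user=alice result=SUCCESS
2021-03-01T10:01:00Z ip=192.0.2.9 user=mallory result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["user"], m["result"] == "SUCCESS"


def detect_stuffing(text, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {ip: report} for source addresses that look like credential stuffing.

    A source is flagged if, inside any sliding time window, it tried at least
    `min_users` distinct usernames and at least `min_fail_ratio` of those
    attempts failed. The report covers all of that source's attempts, and the
    accounts it logged into successfully are listed as likely takeovers.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(parse_log(text)):
        by_ip[ip].append((ts, user, ok))

    reports = {}
    for ip, attempts in by_ip.items():
        flagged = False
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it covers at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged = True
                break
        if flagged:
            total_fails = sum(1 for _, _, ok in attempts if not ok)
            reports[ip] = {
                "attempts": len(attempts),
                "distinct_users": len({u for _, u, _ in attempts}),
                "fail_ratio": round(total_fails / len(attempts), 2),
                "compromised": sorted(u for _, u, ok in attempts if ok),
            }
    return reports


if __name__ == "__main__":
    for ip, report in detect_stuffing(SAMPLE_LOG).items():
        print(ip, report)
```

The accounts listed under `compromised` are the ones that matter: those are the sessions to revoke and the users to force through a password reset, and they are exactly where a multi-factor authentication step-up would have turned a successful guess into a failed login. Real deployments also need to account for shared egress addresses (corporate NAT, mobile carriers), which is why the thresholds are parameters rather than constants.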

These attacks were disasters, but they were avoidable. The common denominator is weaknesses that were sitting in the open: an unpatched server, logins protected by nothing but a password. Whether through carelessness or a lack of visibility, these organizations let those weaknesses be exploited. What could they have done differently?

...But It Doesn’t Have To

Every change to your IT infrastructure changes your attack surface: a new host, a newly opened port, an updated dependency. New exploits appear constantly, and with annual or periodic testing those weaknesses can go unnoticed until the next pentest, months or even a full year later. Continuous pentesting addresses this by identifying exposures as they appear and providing actionable insight for remediation.
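To make the "attack surface changes with every update" point concrete, here is an added example (not Sprocket's tooling) that diffs two external attack-surface snapshots and flags newly exposed services that should never be internet-facing without a deliberate decision. The snapshot format, the host names, and the watchlist are assumptions constructed for the example; a real pipeline would feed it the output of whatever scanner runs after each deployment.

```python
"""Diff two external attack-surface snapshots and flag new exposures.

Added example. The snapshot format is an assumption: {hostname: {"port/proto":
"service banner"}}, roughly what a port-scanner export looks like after
parsing. Hosts use the reserved example.com domain.
"""

# Constructed snapshots (not real hosts): "before" is last quarter's pentest
# scope, "after" is what is reachable today after a staging rollout.
BEFORE = {
    "www.example.com": {"443/tcp": "nginx 1.18"},
    "vpn.example.com": {"443/tcp": "openvpn"},
}
AFTER = {
    "www.example.com": {"443/tcp": "nginx 1.20", "8080/tcp": "tomcat manager"},
    "staging.example.com": {"22/tcp": "openssh 8.2", "3389/tcp": "ms-wbt-server"},
}

# Services whose appearance on the public internet should page someone.
WATCHLIST = {"3389/tcp", "445/tcp", "23/tcp", "8080/tcp"}


def diff_surface(before, after, watchlist=WATCHLIST):
    """Compare two snapshots and return every change plus watchlist alerts.

    Hosts are processed in sorted order so the output is deterministic and
    easy to diff against a previous run.
    """
    changes = {
        "new_hosts": [],
        "removed_hosts": [],
        "new_services": [],       # (host, service, banner)
        "removed_services": [],   # (host, service)
        "changed_banners": [],    # (host, service, old_banner, new_banner)
        "alerts": [],
    }
    for host in sorted(set(before) | set(after)):
        old = before.get(host, {})
        new = after.get(host, {})
        if host not in before:
            changes["new_hosts"].append(host)
        if host not in after:
            changes["removed_hosts"].append(host)
        for svc in sorted(set(new) - set(old)):
            changes["new_services"].append((host, svc, new[svc]))
            if svc in watchlist:
                changes["alerts"].append(f"{host} newly exposes {svc} ({new[svc]})")
        for svc in sorted(set(old) - set(new)):
            changes["removed_services"].append((host, svc))
        for svc in sorted(set(old) & set(new)):
            # A banner change usually means a version bump: re-test, not ignore.
            if old[svc] != new[svc]:
                changes["changed_banners"].append((host, svc, old[svc], new[svc]))
    return changes


if __name__ == "__main__":
    for alert in diff_surface(BEFORE, AFTER)["alerts"]:
        print("ALERT:", alert)
```

The value is in the timing: with a yearly test, the exposed RDP port on the staging host and the Tomcat manager interface on the web server would sit unnoticed until the next engagement. Run after every deployment, the diff surfaces them the same day they appear, and the `changed_banners` list is the cue to re-test an updated component rather than assume last quarter's results still hold.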

Here are a few examples of how continuous penetration testing has benefited our clients in the finance and insurance industries:

Farmers Alliance Insurance

Farmers Alliance Insurance is committed to protecting the futures of rural communities and recognizes how sensitive the data it houses is. To strengthen its security posture and support its compliance efforts, it partnered with Sprocket Security. Here's what Scott St. Peter, IT Infrastructure Manager, had to say about adopting continuous pentesting:

  • “One of the main goals of an insurance company is to help customers transfer or avoid or mitigate risk. I feel like Sprocket helps insurance companies like us do the same thing.”

Read the full case study here.

Citizens Bank

As a financial institution, Citizens Bank knows it needs to identify vulnerabilities and protect its network assets. Scott Noles, VP Information Security Officer, had this to say about investing in continuous penetration testing:

  • “I get to work with Sprocket Security to help me identify the things that can be exploited, the things that can have a direct impact on my network, and collaborate to find solutions to resolve them and protect all of our network assets.”

Read the full case study here.

These organizations are leading the way in cybersecurity resilience by making continuous penetration testing a core part of their strategy. The question isn’t whether you should follow suit—it’s whether you can afford not to.

Ready to take action? Learn more about how continuous penetration testing can fortify your cybersecurity strategy.