Financial and Insurance

Financial Entities

For banking and financial companies, the cybersecurity threat landscape is significant — “easy money” for the cyber criminal. In a recent research note, the financial services industry was identified as the biggest target by cyber criminals, across 26 different industries. In addition, according to United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI), cybersecurity threats to the financial sector have been identified as the most common form of cyber criminal activities across our electronic infrastructure.

Contrary to popular belief, the financial services industry in the US is far more aware and better prepared for cyber attacks. However, financial institutions and banks operate on a global scale and an overseas financial partner amplifies their risk and compliance exposure (e.g., notification and other requirements of the GDPR, and states, counties, cities in the US). In addition, the financial services industry relies on third-party vendors to manage their IT systems, and provide management and product assistance. This is a significant problem since small financial sector vendor so not have the resources nor budget to address their own cybersecurity/data breach exposure. In the past, third parties and the parent company relied on a cybersecurity “self-certification”, but it has proven to be inconsistent and unreliable. Currently, vendor IT assessment and compliance efforts are driven by US (states, Counties, cities) and foreign laws/rules/regulations; but, in the long-run, financial companies need to be more cognizant and proactive in driving vendor testing and compliance efforts.

In this regard, see the Securities and Exchange Commission (SEC) report at, where Voya Financial Advisors Inc. (Des Moines, IA), was charged and fined $1 million for maintaining deficient cybersecurity procedures in relation to its vendors.


Cyber attacks against financial services companies, including insurance companies, are becoming increasingly frequent and sophisticated. Insurance firms often store and control sensitive data such as personal information and protected health information that makes them a prime target for cyber attacks.

The insurance industry often uses legacy systems that are not up to data on information security and pose potential weakness and exposure. In addition, third-party vendors are not managed consistently across the company or the industry. While large companies may have well-defined procedures for vendor IT assessment, smaller companies often rely of vendors’ “self-certification” that is less reliable and often problematic.

At Armolon, we offer managed security solutions as well as virtual Chief Information Security Officer (vCISO) services for small companies. For large insurance carriers, we are often engaged on a need basis such as penetration testing or cybersecurity consulting on a monthly retainer.