The financial services organizations that handle cybersecurity well aren't necessarily spending more than their peers. They just have clearer visibility into their risk — and the tools and practices in place to do something about it.
Every organization is different, and no cybersecurity expert worth their salt would start prescribing tools and policies without first understanding what you already have, how you work, and what expertise exists in-house. That said, here's the guidance I'd offer most financial organizations when it comes to addressing risk.
What the Stakes Actually Look Like

A breach in most industries means downtime and recovery costs. In financial services, it also triggers regulatory notification windows, client disclosure requirements, and potential civil liability — all while your team is still in incident response mode.
That complexity is part of why the regulatory environment exists in the first place. GLBA, PCI DSS, SOX, and others are, unfortunately, broad — they can't prescribe a specific set of tools or policies any more than I can without knowing your organization.
But they DO overlap, and for a good reason: they're all essentially trying to protect the public. The organizations that handle this well understand that intent and build their security programs around it, rather than treating compliance as a documentation exercise — which means translating those regulations into controls that actually reduce risk.
The Baseline Cybersecurity That Every Financial Organization Should Have in Place

Most financial services organizations have some version of these in place. The ones that hold up under pressure have all of them — configured correctly, maintained consistently, and reviewed regularly.
Multifactor Authentication — Everywhere
Multifactor authentication (MFA) is a baseline requirement for cyber insurance and a standard expectation from regulators. The gap I see most often isn't whether it's enabled — it's whether it's enabled everywhere. Privileged accounts, remote access, cloud applications, and administrative portals all need to be covered. A single uncovered access point undermines the protection on all the others.
Endpoint Detection and Response
Antivirus tools still have a role, but they were built to catch known threats. Modern attacks move laterally and evade signature-based detection in ways traditional tools weren't designed to handle.
Endpoint detection and response (EDR) monitors behavior rather than known signatures, giving your security team visibility to catch threats before they escalate. But technology alone isn't enough — someone has to act on what it finds.
That's where managed detection and response (MDR) comes in. MDR pairs EDR technology with a team of security experts who monitor your environment around the clock, investigate alerts, and respond to threats in real time. For financial services organizations that don't have the in-house capacity to staff a 24/7 security operation, MDR closes that gap — providing enterprise-grade threat response without requiring an enterprise-sized security team.
Patch Management on a Schedule
Unpatched systems are a persistent vulnerability. In financial environments, patching is rarely as straightforward as it sounds — legacy systems, narrow maintenance windows, and the real risk of a patch breaking something critical all create legitimate hesitation.
But a documented plan with defined timelines and accountability turns it from a reactive scramble into a predictable process. The window between a patch being released and attackers exploiting the gap is shorter than most IT teams realize — which is exactly why ad hoc patching isn't enough.
My advice would be to patch rapidly wherever possible, but also to architect your systems so their security doesn’t depend on patch availability, especially as AI continues to accelerate zero-day discovery far beyond reasonable response times.
Email Security and Phishing Awareness Training
Business email compromise is one of the most financially damaging attack types I see — and it usually doesn't require technical sophistication, just a convincing message and an employee in a hurry.
A secure email gateway filters threats before they reach inboxes, but good email security goes beyond the gateway — how your team is trained to respond matters just as much as the tools in place.
Access Control and Least Privilege
Role-based access controls and regular access reviews limit the blast radius of any compromised account. In my experience, offboarding is where this breaks down most often — deprovisioning needs to happen immediately, not eventually.
Your Print Network Is Part of Your IT Network
Printers and multifunction devices process, store, and transmit account statements, loan documents, and regulatory filings every day. Without device hardening, unique passwords, and secure decommissioning practices, they're a vulnerability most security programs overlook. Print environments in financial institutions carry more risk than most organizations account for.
Where I Often See Financial Organizations Fall Short

Even well-run security programs have predictable blind spots. These are the ones I encounter most often:
Inadequate Contingency Planning
Many organizations have plans on paper. Far fewer have run a tabletop exercise to see how any of them holds up. A real incident isn't the time to find out a key contact left eight months ago.
An up-to-date Incident Response Plan (IRP), Disaster Recovery Plan (DRP), and Business Continuity Plan (BCP) are necessary, but each of them also needs to be validated through regular tabletop exercises.
Third-Party and Vendor Risk
Every software provider, payment processor, and technology partner is a potential entry point. A formal vendor risk management program — including periodic assessments of third parties — is no longer optional.
GRC Visibility
Without a centralized way to track compliance obligations and audit evidence, organizations rely on spreadsheets and institutional knowledge that walks out the door. GRC software creates a single source of truth and makes regulatory conversations considerably less painful.
Breach Readiness vs. Breach Prevention
Prevention gets most of the attention. Breach readiness — documented procedures, practiced response capabilities, and on-demand access to an incident response team — gets deferred. For most organizations I work with, the assumption that prevention will always hold will eventually be wrong.
How To Assess Your Cybersecurity Quickly
Taking a look at how the CIS Controls apply to your organization is always a practical place to start. But if you'd like more targeted information about where your gaps are and where you're in a good place, the entire cybersecurity team at Marco put their heads together and created an interactive checklist built on the NIST Cybersecurity Framework (CSF) that takes about five minutes to complete.