Deep Dive: How Do Banks Score on Privacy and Security?

In April 2019 the Internet Society’s Online Trust Alliance published its 10th annual Online Trust Audit & Honor Roll assessing the security and privacy of 1,200 top organizations. The Banking sector includes the top 100 banks in the U.S., based on assets according to the Federal Deposit Insurance Corporation (FDIC). Banks had a standout year, with a dramatic increase in scores across the board. Let’s take a closer look.

Overall, 73% of banks made the Honor Roll, putting the banking sector 4th behind the News and Media (78%), Consumer Services (85%), and the U.S. Federal Government (91%) sectors. In the previous Audit, only 27% made the grade. This large jump is due to improvements in all three scoring categories: email authentication, site security, and privacy.

Banks, like most sectors, came close to 100% adoption of the two main email security technologies studied in the Audit: SPF (93%) and DKIM (87%). In addition, banks saw a marked improvement in how many sites implemented both technologies, at 87% in 2018, up from 60% in 2017. This puts banks among the most improved sectors in this area.

DMARC builds on the SPF and DKIM results, provides a feedback-reporting mechanism, and tells receivers how to handle messages that fail authentication. Banks also did well in DMARC adoption, with the second highest adoption rate (70%) of any sector, behind only the U.S. Federal Government (93%).
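To show concretely how a receiver turns SPF and DKIM results into a DMARC decision, here is an added example (not from the Audit or the Internet Society; the DMARC record and the `example-bank.test` domains are constructed). It parses the published record, checks identifier alignment against the From: domain, and returns the disposition the `p=` policy requests.

```python
# Added example: minimal DMARC disposition check for one message.
# Organizational-domain handling is simplified to the last two labels
# (real receivers use the Public Suffix List).

def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; rua=mailto:...' into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    # Defaults from the DMARC spec: p is required, alignment is relaxed.
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")   # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")    # SPF alignment mode
    return tags


def org_domain(domain):
    """Simplified organizational domain: keep the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return 'pass', or the requested action: 'none', 'quarantine' or 'reject'.

    DMARC passes when at least one of SPF or DKIM both passed AND its
    authenticated domain aligns with the RFC5322.From domain. Otherwise the
    receiver applies the sender's published p= policy; rua= (if present)
    names where aggregate feedback reports about such failures are sent.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]
```

A bank whose record says `p=none` still gets the `rua=` reports, which is why the Audit treats a published policy as the first step rather than the finish line.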

Site Security

Though banks did well in overall site security (and led in areas such as the lowest occurrence of cross-site scripting), there were a few areas for improvement. They had by far the highest rate of malware on their sites (10%, vs. an overall average of 2%). They also had one of the lowest adoption rates for a vulnerability reporting mechanism (6% vs. an overall average of 11%). In light of recent large data breaches, it is especially important to give security researchers an efficient way to report vulnerabilities.