Server security misconfigurations: 34.9% in the financial services industry (versus 27.9% average in other industries).

Sensitive data exposure: 10.5% in the financial services industry (versus 8.0% average in other industries).

Components with known vulnerabilities: 6.1% in the financial services industry (versus 5.5% average in other industries).

Approximately one-third of serious issues are never resolved by the organizations in the financial services industry, contributing to backlog and systemic risk.

The Median Time to Remediation (MTTR) for serious findings is 61 days in the financial services industry. This ranks financial services 11th of 13 industries measured.

78% of financial services firms report fixing critical vulnerabilities in business-critical assets within 14 days, indicating they narrowly meet strict internal SLA requirements.

70% of financial services firms report that delays in scheduling pentests sometimes impact compliance or business timelines.

76% of financial services leaders highlight third-party software vulnerabilities as a top concern.

The half-life for serious findings is 147 days in the financial services industry. This metric, which accounts for unresolved vulnerabilities, places FS ninth overall out of the thirteen measured industries.

Cross-site scripting (Web/API): 5.0% in the financial services industry (versus 9.7% average in other industries).

Industries like hospitality resolve serious findings significantly faster than the financial services industry (61 days vs 20 days).

The financial services industry resolves about two-thirds (66.7%) of serious findings. This ranks the industry 10 out of the 13 industries Cobalt researched.

Financial services firms demonstrate strengths in avoiding common, code-level flaws due to mature security programs and automated scanning (SAST/DAST). However, they struggle with vulnerabilities that require human-led testing.

Business logic flaws: 2.9% in the financial services industry (versus 2.3% average in other industries).

Server-side injection (Web/API): 4.2% in the financial services industry (versus 5.3% average in other industries).

68% of financial services leaders highlight GenAI-related risks as a top concern.

46% of financial services leaders highlight insider threats as a top concern.

Healthcare resolved only 57.4% of serious pen test findings. This ranks healthcare 11th of 13 industries. By comparison, transportation led with 80.2%.

Just 13.3% of healthcare pentest findings qualify as “serious”. This ranks healthcare 6th-best out of 13 industries.

43% of healthcare organizations resolve critical findings in business-critical assets in one to three days.