The financial services industry has long prided itself on stringent security and regulatory compliance. Banks, investment firms, and insurance companies face some of the most demanding oversight in the business world, with regulators scrutinizing everything from capital reserves to data handling practices. Yet beneath this veneer of security consciousness lies a troubling reality: the vast majority of financial institutions are sitting on mountains of unresolved security vulnerabilities.

Veracode’s 2025 State of Software Security report, released in late 2025 with a specific focus on financial services, paints a sobering picture. The research analyzed data from more than 1.3 million applications and 126 million security findings, providing authoritative insights into the state of application security across the sector. The findings should alarm every compliance officer, CISO, and board member in the financial industry.

The Numbers Tell a Disturbing Story

At the heart of the report is a simple but damning metric: 77% of financial services organizations carry security debt, defined as unresolved security flaws that have persisted for more than one year. This figure slightly exceeds the cross-industry average of 74%, a concerning finding for an industry that handles some of the world’s most sensitive financial data.

Even more alarming is the prevalence of critical security debt. Fully 63% of financial firms harbor high-severity vulnerabilities that have gone unfixed for over a year. This figure stands 13 percentage points higher than the cross-industry average, suggesting that financial services organizations are paradoxically worse at addressing their most dangerous flaws than companies in other sectors.

The report introduces the concept of “flaw half-life”—the time required to remediate 50% of discovered vulnerabilities. For financial services, this half-life stands at 276 days, nearly nine months from discovery to partial remediation. This is almost a full month slower than the cross-industry average of 252 days.

Perhaps most concerning is what happens to the flaws that don’t get fixed quickly. Two years after initial discovery, approximately 30% of security flaws in financial applications remain unresolved. These lingering vulnerabilities represent ticking time bombs that could be exploited by threat actors at any moment.
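As an added example (not code from the report or from Veracode's tooling), the Python below computes the report's backlog metrics over a constructed set of findings: the flaw half-life, the security-debt count, the share still unresolved two years after discovery, and a monthly fix rate. The dataset and the simple rule that an open finding counts as unfixed at every horizon are assumptions.

```python
"""Backlog metrics in the style of the report's 'flaw half-life'.

Each finding is (discovered_day, fixed_day) in days since an arbitrary
epoch; fixed_day is None while the flaw is still open. Constructed data.
"""

AS_OF = 1000  # observation day for the constructed dataset

# Constructed sample: (discovered_day, fixed_day or None)
FINDINGS = [
    (10, 40), (20, None), (50, 300), (60, 70), (100, 500),
    (120, None), (200, 230), (250, 900), (300, None), (400, 420),
    (600, 700), (650, None), (800, 850), (900, 990), (950, None),
]

def time_to_fix(findings):
    """Days from discovery to fix; open findings map to None."""
    return [None if fixed is None else fixed - disc for disc, fixed in findings]

def flaw_half_life(findings):
    """Days until 50% of discovered flaws are fixed. Open flaws never count
    as fixed, so if fewer than half are closed there is no half-life yet."""
    ttf = sorted(t for t in time_to_fix(findings) if t is not None)
    need = -(-len(findings) // 2)  # ceil(n / 2) flaws must be closed
    if len(ttf) < need:
        return None
    return ttf[need - 1]

def security_debt_count(findings, as_of=AS_OF, threshold=365):
    """Open flaws older than the threshold (the report's 'security debt')."""
    return sum(1 for disc, fixed in findings
               if fixed is None and as_of - disc > threshold)

def unresolved_after(findings, horizon, as_of=AS_OF):
    """Share of flaws discovered at least `horizon` days ago that were
    still open `horizon` days after discovery (e.g. horizon=730)."""
    eligible = [(d, f) for d, f in findings if as_of - d >= horizon]
    if not eligible:
        return None
    still_open = sum(1 for d, f in eligible if f is None or f - d > horizon)
    return still_open / len(eligible)

def monthly_fix_rate(findings, as_of=AS_OF, window=30):
    """Fraction of flaws open at the start of the window fixed within it."""
    start = as_of - window
    open_at_start = [(d, f) for d, f in findings
                     if d <= start and (f is None or f > start)]
    if not open_at_start:
        return 0.0
    fixed_in_window = sum(1 for d, f in open_at_start
                          if f is not None and f <= as_of)
    return fixed_in_window / len(open_at_start)

if __name__ == "__main__":
    print("half-life (days):", flaw_half_life(FINDINGS))
    print("security debt:", security_debt_count(FINDINGS))
    print("unresolved after 2y:", unresolved_after(FINDINGS, 730))
    print("monthly fix rate:", round(monthly_fix_rate(FINDINGS), 3))
```

On the constructed data the half-life is 250 days, three findings qualify as security debt, a quarter of the two-year-old findings are still open, and one of six open findings was fixed in the last month.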

Why Security Debt Accumulates in Financial Services

Understanding why security debt accumulates requires examining the unique pressures facing financial services development teams. Several factors contribute to this growing backlog of unfixed vulnerabilities.

The Innovation Imperative

Financial institutions are locked in fierce competition to deliver new digital products and services. Mobile banking apps, payment platforms, investment tools, and insurance portals must evolve constantly to meet customer expectations. This pressure for rapid innovation often means security fixes get deprioritized in favor of new feature development.

Development teams operate in an environment where delivering the next product release takes precedence over addressing vulnerabilities in existing code. Security work, while critical, doesn’t directly generate revenue or attract new customers. The result is a systematic underinvestment in remediation efforts.

Legacy Code Complexity

Financial services organizations often maintain vast portfolios of legacy applications, some dating back decades. These older systems were frequently developed before modern secure coding practices existed and may rely on outdated frameworks or deprecated libraries. Fixing vulnerabilities in such systems can be extraordinarily complex and risky, as changes might introduce new bugs or break critical functionality.

The larger and older an application portfolio becomes, the more security debt it tends to accumulate. Veracode’s research confirms this pattern, finding that security debt is concentrated in older, larger applications where it mirrors other forms of technical debt that reduce efficiency and resilience.

The Open Source Challenge

Third-party and open-source components represent a particularly thorny challenge for financial institutions. Veracode found that nearly 17% of all security debt in financial services originates from third-party code. When focusing specifically on critical security debt, that figure rises dramatically to over 82%.

Open-source vulnerabilities take approximately 50% longer to remediate than flaws in internally developed code. Organizations often lack visibility into their complete software supply chain and may not consistently use software composition analysis tools to identify vulnerable components. Once a vulnerable library is embedded across multiple applications, remediation becomes a sprawling enterprise affecting numerous systems.

Resource Constraints and Prioritization Failures

Even well-staffed security teams struggle to address the volume of vulnerabilities their scanning tools uncover. Without clear prioritization frameworks, teams may spend time on lower-risk issues while critical vulnerabilities linger. The report found that leading organizations distinguish themselves by fixing flaws several times faster than their peers—not because they have more resources, but because they prioritize more effectively.

Compliance Implications: When Security Debt Becomes Regulatory Risk

The accumulation of security debt isn’t merely a technical concern—it has profound implications for regulatory compliance. Financial institutions operate under multiple overlapping regulatory frameworks that explicitly or implicitly require timely vulnerability remediation.

PCI DSS: The 30-Day Clock is Ticking

The Payment Card Industry Data Security Standard (PCI DSS) governs any organization that processes, stores, or transmits credit card data. With version 4.0 now fully in effect as of March 2025, the requirements have become more stringent.

Requirement 6.3.3 mandates that organizations install security patches to protect against exploitation of known vulnerabilities. Critical and high-severity vulnerabilities must be addressed within 30 days of patch availability. PCI DSS also requires that external vulnerabilities with a CVSS score of 4.0 or higher be addressed within a three-month scan window to achieve a passing Approved Scanning Vendor (ASV) assessment.

When financial institutions carry security debt with an average half-life of 276 days, they are mathematically certain to be violating PCI DSS requirements. The 30-day remediation window for critical vulnerabilities stands in stark contrast to the industry’s actual performance. An organization taking nine months to fix half its flaws cannot possibly be meeting these requirements across its vulnerability portfolio.

Requirement 11.4.4 requires organizations to conduct periodic penetration testing and demonstrate that all exploitable vulnerabilities found have been addressed. Long-standing security debt may surface during these tests, creating documentation of non-compliance that could be discovered during a breach investigation or regulatory audit.

The consequences of PCI DSS non-compliance include fines ranging from $5,000 to $100,000 per month, increased transaction fees, mandatory external assessments, and in severe cases, loss of the ability to process card payments entirely.

SOX Section 404: Security Controls Under Scrutiny

The Sarbanes-Oxley Act (SOX) requires public companies to maintain effective internal controls over financial reporting. While SOX is often viewed through an accounting lens, IT general controls—including security controls—fall squarely within its scope.

Section 404 requires management to assess and report on the effectiveness of internal controls, with external auditor attestation for larger companies. Unpatched vulnerabilities in systems that process, store, or transmit financial data represent control deficiencies that must be disclosed.

A significant security vulnerability in a financial reporting system that goes unaddressed for over a year would likely constitute a material weakness in internal controls. Such findings require disclosure in the company’s annual report and can trigger SEC scrutiny, shareholder lawsuits, and significant reputational damage.

The presence of critical security debt in 63% of financial services organizations suggests that many public companies may be maintaining deficient controls without appropriate disclosure. As regulatory examination of cybersecurity controls intensifies, this gap between actual practice and compliance requirements will face increasing scrutiny.

GLBA Safeguards Rule: “Reasonable” Isn’t 276 Days

The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security program with administrative, technical, and physical safeguards appropriate to their size and complexity.

The revised Safeguards Rule, fully effective since June 2023, added specific requirements including risk assessments, access controls, encryption, and continuous monitoring of information systems. Financial institutions must maintain an information security program designed to ensure the security and confidentiality of customer information, protect against anticipated threats or hazards, and guard against unauthorized access or use.

Carrying 77% security debt while taking 276 days to address half of vulnerabilities cannot be reconciled with maintaining “reasonable” safeguards. The FTC, which enforces GLBA for non-bank financial institutions, has increasingly viewed inadequate vulnerability management as evidence of an unreasonable security program.

Recent FTC enforcement actions have specifically cited failure to patch known vulnerabilities as violations of GLBA requirements. Organizations that experience breaches traced to long-standing vulnerabilities face not only regulatory penalties but potential class action litigation from affected customers.

Financial regulators are paying increasing attention to cybersecurity and vulnerability management practices. Several trends suggest enforcement will intensify in the coming years.

OCC and FDIC: Heightened Supervision

The Office of the Comptroller of the Currency (OCC) and Federal Deposit Insurance Corporation (FDIC) have both published cybersecurity guidance emphasizing the importance of timely vulnerability remediation. The OCC’s annual Cybersecurity and Financial System Resilience Report specifically addresses systemic risks from inadequate security practices.

Bank examiners increasingly focus on vulnerability management programs during safety and soundness examinations. Findings of significant unaddressed vulnerabilities can result in Matters Requiring Attention (MRAs), Matters Requiring Immediate Attention (MRIAs), or formal enforcement actions.

The Federal Reserve’s SR 11-7 guidance on model risk management has been interpreted to include security testing processes, meaning inadequate vulnerability management could affect regulatory capital requirements under some interpretations.

SEC Cybersecurity Disclosure Requirements

The Securities and Exchange Commission’s cybersecurity disclosure rules, effective since December 2023, require public companies to disclose material cybersecurity incidents within four business days. Companies must also describe their processes for assessing, identifying, and managing cybersecurity risks.

Organizations with substantial security debt may struggle to accurately represent their risk management posture. If a breach occurs due to a long-known vulnerability that was not addressed, disclosure filings could trigger SEC enforcement for inadequate prior disclosures about cybersecurity risks.

The SEC has already brought enforcement actions against companies for inadequate disclosure of known cybersecurity weaknesses. As awareness of security debt grows, regulators may specifically target organizations that fail to disclose the extent of unaddressed vulnerabilities.

State Attorneys General: A Growing Threat

State attorneys general have emerged as aggressive enforcers of data security requirements, particularly following breaches. The New York Department of Financial Services (NYDFS) Cybersecurity Regulation requires covered entities to maintain procedures for the timely destruction of nonpublic information that is no longer necessary for business operations.

Several states have implemented their own cybersecurity regulations modeled on NYDFS or building upon it. These regulations typically require risk assessments, vulnerability management programs, and timely remediation of identified weaknesses.

Following breaches, state AGs frequently investigate whether organizations maintained adequate security practices. Long-standing known vulnerabilities provide clear evidence of security failures and can result in significant settlements and mandatory security improvements.

How to Prioritize Remediation: Lessons from Leading Organizations

The Veracode report identifies a stark divide between leading and lagging financial services organizations. Understanding what sets leaders apart provides a roadmap for improving remediation performance.

Leaders vs. Laggards: A Performance Gap

Leading organizations:

  • Achieve a flaw half-life of just 2.5 months (versus the 276-day industry average)
  • Maintain security debt in fewer than 26% of applications
  • Fix over 9% of open flaws every month
  • Embed security into the software development lifecycle

Lagging organizations:

  • Require over 12 months to remediate half of their flaws
  • Carry security debt in over 85% of applications
  • Address only 0.1% of open flaws each month
  • Treat security as separate from development

The gap is not primarily about resources—it’s about process maturity and prioritization.

Strategy 1: Implement Risk-Based Prioritization

Not all vulnerabilities are created equal. Organizations should prioritize remediation based on:

Exploitability: Is there a known exploit in the wild? Is the vulnerability being actively targeted?

Asset criticality: Does the affected system handle regulated data (PCI, personal financial information, PHI)?

Exposure: Is the vulnerability in an internet-facing system or an internal application?

Age: How long has the vulnerability been known? Older, unfixed vulnerabilities may indicate systemic remediation failures.

Risk-based prioritization ensures that limited remediation resources address the most dangerous vulnerabilities first, reducing the likelihood of a breach while working through the backlog.

Strategy 2: Shift Security Left

Leading organizations integrate security testing earlier in the development lifecycle. By identifying and fixing vulnerabilities during development rather than after deployment, they prevent security debt from accumulating.

Implement Static Application Security Testing (SAST) in CI/CD pipelines so developers receive immediate feedback on security issues. Make security fixes a prerequisite for code promotion, treating them with the same urgency as functional bugs.

Train developers on secure coding practices to reduce the introduction of new vulnerabilities. When developers understand common vulnerability patterns, they write more secure code from the start.

Strategy 3: Establish Clear SLAs and Accountability

Define specific remediation timelines aligned with regulatory requirements:

  • Critical vulnerabilities: 30 days or less (aligning with PCI DSS)
  • High vulnerabilities: 60 days
  • Medium vulnerabilities: 90 days
  • Low vulnerabilities: 180 days (with risk acceptance for longer delays)

Assign clear ownership for vulnerability remediation and track progress against SLAs. Executive dashboards should show remediation performance trends, with aging vulnerabilities escalated to senior leadership.
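As an added example, not code from the article or the report: the Python below ranks a constructed backlog using the four Strategy 1 factors (exploitability, asset criticality, exposure, age) and flags findings that have outrun the Strategy 3 SLA table, producing the queue and escalation list a dashboard would show. The scoring weights, the sample records and the 30-day escalation grace period are assumptions.

```python
"""Risk-based prioritisation and SLA ageing for a vulnerability backlog."""
from dataclasses import dataclass

# SLA in days by severity, following the article's suggested timelines.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}

# Assumed base weights per severity (not from the report).
SEVERITY_BASE = {"critical": 40, "high": 30, "medium": 15, "low": 5}

@dataclass
class Finding:
    id: str
    severity: str          # critical / high / medium / low
    age_days: int          # days since the flaw was first reported
    known_exploit: bool    # exploit public or vulnerability actively targeted
    regulated_data: bool   # system handles PCI / personal financial / PHI data
    internet_facing: bool  # reachable from outside the internal network
    third_party: bool      # introduced through an open-source dependency

def sla_status(f: Finding) -> tuple:
    """Return ('within_sla' | 'breached', days remaining; negative if over)."""
    remaining = SLA_DAYS[f.severity] - f.age_days
    return ("breached" if remaining < 0 else "within_sla"), remaining

def priority_score(f: Finding) -> int:
    """Additive score: severity base plus the four prioritisation factors.
    Age is capped so an old low flaw cannot outrank a fresh exploited critical."""
    score = SEVERITY_BASE[f.severity]
    score += 30 if f.known_exploit else 0      # exploitability
    score += 15 if f.regulated_data else 0     # asset criticality
    score += 10 if f.internet_facing else 0    # exposure
    score += min(f.age_days // 30, 12)         # age: +1 per month, max +12
    score += 20 if sla_status(f)[0] == "breached" else 0  # SLA overrun
    return score

def remediation_queue(findings):
    """Highest score first; among equal scores, the oldest finding first."""
    return sorted(findings, key=lambda f: (-priority_score(f), -f.age_days))

def escalations(findings, grace_days=30):
    """IDs to raise to senior leadership: past SLA by more than grace_days."""
    return [f.id for f in findings if sla_status(f)[1] < -grace_days]

# Constructed sample backlog (id, severity, age, exploit, regulated, inet, 3rd-party)
BACKLOG = [
    Finding("F-1", "critical", 12, True, True, True, True),
    Finding("F-2", "high", 75, False, True, False, False),
    Finding("F-3", "low", 400, False, False, False, True),
    Finding("F-4", "medium", 20, True, False, True, False),
    Finding("F-5", "critical", 45, False, False, False, True),
]

if __name__ == "__main__":
    for f in remediation_queue(BACKLOG):
        print(f.id, priority_score(f), *sla_status(f))
    print("escalate:", escalations(BACKLOG))
```

Note that F-3, the 400-day-old low-severity flaw, is the only escalation even though it ranks last in the queue: SLA ageing and risk ranking answer different questions and both belong on the dashboard.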

Strategy 4: Control Open Source Risk

Given that over 82% of critical security debt stems from open-source components, controlling the software supply chain is essential.

Implement Software Composition Analysis (SCA) tools to maintain visibility into all third-party components. Evaluate open-source packages before adding them to the codebase, considering their security track record and maintenance activity.

Consider using a “package firewall” approach that blocks known-vulnerable components from entering the codebase entirely. This prevents the introduction of security debt rather than trying to remediate it later.

Strategy 5: Leverage ASPM for Visibility

Application Security Posture Management (ASPM) solutions aggregate findings from multiple security tools, deduplicate results, and provide unified visibility into the vulnerability landscape. This enables more effective prioritization and tracking of remediation progress.

ASPM tools can also correlate vulnerabilities with business context, identifying which flaws affect the most critical applications or data flows. This intelligence supports risk-based decision-making and resource allocation.

The Path Forward: From Security Debt to Security Maturity

The Veracode findings should serve as a wake-up call for financial services organizations. Carrying critical security debt while regulators intensify their focus on cybersecurity creates an unsustainable risk profile.

Organizations that continue current practices will face:

  • Increasing regulatory scrutiny and potential enforcement actions
  • Higher likelihood of breaches that could have been prevented
  • Greater difficulty obtaining cyber insurance at reasonable rates
  • Reputational damage if security failures become public

The alternative is to treat security debt remediation as a strategic priority. This requires investment in people, processes, and technology—but the return on investment is substantial when measured against regulatory penalties, breach costs, and reputational harm.

Leading financial institutions prove that rapid, effective vulnerability remediation is achievable. They fix flaws in months rather than years, maintain minimal security debt, and continuously improve their security posture. Their success demonstrates that the problem is not intractable—it requires commitment and systematic effort.

As Chris Wysopal, Chief Security Evangelist at Veracode, noted in the report: “Trust is everything in financial services, yet our data reveals a silent, growing risk for the sector created by unresolved security debt. With AI-driven attacks surging and compliance requirements tightening, finance leaders must prioritize strategic risk reduction, starting with targeted remediation of critical software flaws.”

The 276-day average remediation time is not a technical constraint—it’s a choice. Financial institutions that choose differently will find themselves better protected, more compliant, and better positioned for the future.


Key Takeaways

  1. 77% of financial services firms carry security debt (flaws unresolved for over a year), with 63% harboring critical security debt—13 points above the cross-industry average.
  2. 276 days is the average time to remediate half of discovered vulnerabilities, nearly a month slower than other industries.
  3. Over 82% of critical security debt originates from open-source components, which take 50% longer to fix than first-party code.
  4. PCI DSS, SOX, and GLBA all require timely remediation—the industry’s actual performance cannot be reconciled with regulatory requirements.
  5. Leading organizations achieve a 2.5-month half-life for remediation, proving that dramatic improvement is possible with the right approach.

For more information on the Veracode 2025 State of Software Security Financial Services report, visit veracode.com.