Celebrating Cybersecurity Excellence: Forbes Most Cybersecure Banks, 2024

To recognize best-in-class consumer financial institutions and their Chief Information Security Officers (CISOs), Forbes just released its 2024 list of the top 50 consumer banks with the most robust cybersecurity. Together with Forbes, we are proud to recognize top CISOs and their dedication to safeguarding customer data. 

The methodology for Forbes’ rankings was enhanced with input from a panel of CISOs and based on SecurityScorecard’s free ratings, along with each company’s commitment to investing in cybersecurity talent and board oversight. While there is no such thing as 100% perfect cybersecurity, these commitments to talent, investment, and board oversight ensure these companies are well-positioned to reduce risk. View the complete Forbes methodology here. 

Debunking myths

The previous Forbes 2023 cybersecurity list sparked a lively debate within the cybersecurity community, but there was a lot of misinformation.  

Was last year’s list (or this year’s list) pay-to-play? Absolutely, 100% not.   

• As with all Forbes lists, companies do not pay any fee to be on the list. 
• Whether or not a company is a paying customer of SecurityScorecard has no bearing.
• Forbes considered any company that fit the criteria – again, it did not matter at all if the companies were SecurityScorecard customers or not.
• SecurityScorecard did not pay Forbes to partner together last year or this year and contributed its data at no cost.
• In addition, SecurityScorecard ratings are publicly available and free to all companies.

How did Forbes use SecurityScorecard ratings? 

• Like last year, SecurityScorecard’s publicly available, free security ratings were a key element of the Forbes methodology.
• This year, winning companies maintained at least a “B” (85+) SecurityScorecard rating for the past 12 months. 
• This year’s methodology was enhanced to include breach history, patching cadence (i.e., how quickly vulnerabilities were fixed), and the presence of a seasoned CISO.

Aren’t all of these companies just companies of SecurityScorecard? Again, no.

• In fact, the vast majority of the companies on last year’s list and this year’s list are NOT customers of SecurityScorecard
• The selection process is purely merit-based.

Is Forbes putting a “target” by publicly listing the names of these organizations? No.  

• According to Kerckhoff’s Principle, cybercriminals already know the victim’s attack surface and inner workings of your system. In addition, a survey of 500 anonymous participants that we conducted, said companies with good security ratings are less likely to get targeted by hackers if they know they are a hard target. 
• These organizations have the best security hygiene, which is based partly on their security rating but also on other factors, such as having a seasoned CISO.  
• Small and medium businesses are the top targets for cyberattacks because, unlike large organizations, they lack the resources to pay for sufficient cybersecurity resources.  
• In fact, companies with a “C” or below are 5x more likely to suffer a breach. 

Did sensitive data get shared with Forbes? No.

• SecurityScorecard ratings are publicly available to create a safer digital ecosystem. 
• A company’s SecurityScorecard rating over the past 12 months made up 50% of the Forbes methodology, which Forbes created in collaboration with a panel of CISOs.
• The methodology also considered other publicly available information:
  • Patching Cadence – Average number of days it takes to fix a potential vulnerability (10%)
  • Presence of a CISO (or executive cyber risk leader) for the past 12 months (15%)
  • CISO with an industry tenure of 10+ years (10%)
  • Cyber professional on the Board of Directors, demonstrating stringent cybersecurity oversight (10%) 
  • No publicly-reported ransomware incidents over the past 12 months (5%)

Is scoring cybersecurity accurately possible? Yes. 

• Cyber risk is dynamic and influenced by a wide range of variables. Therefore, quantifying it requires sophisticated, continuously updated monitoring.
• Recently, SecurityScorecard joined the Marsh and McLennan Global Cyber Risk Analytics Center to study how cybersecurity ratings can be used to understand cyber risk. 
• By analyzing security ratings and cyber insurance claims data, we identified seven factors most predictive of a breach: endpoint security, patching cadence, ransomware score, network security, DNS health, IP reputation, and cubit score. 
• In addition, cyber insurers are starting to give discounts for strong SecurityScorecard ratings. This is because our ratings are statistically proven to decrease the likelihood of a breach. 

Do security ratings have issues with false positives? No.

• SecurityScorecard leads the industry in eliminating false positives, and we have worked diligently to ensure that our rate for false positives is less than 1% so that customers and non-customers alike can be confident in their security ratings. 
• Anyone can view the refute rate in real time on our Trust Portal.

If you’re curious about other security rating myths, read this.

Collaboration: Our path to a safer digital world

At SecurityScorecard, we recognize that cybersecurity is a team effort. At the forefront of this battle are Chief Information Security Officers. CISOs shoulder the responsibility of safeguarding their customers’ data – navigating complex challenges with resilience and determination.

Forbes deserves a massive shoutout for championing cybersecurity excellence and celebrating the heroes keeping our digital economy secure and resilient. Together, let’s applaud these top performers and collaborate to create a safer world for all. 

At no cost, view and improve your security rating.