In a nutshell: Financial institutions must transform cybersecurity from a reactive protective function into an active control unit by integrating compliance through automation directly into their control systems instead of conducting post-hoc manual audits.
A joint study by IDC and KPMG reveals significant control deficiencies at German financial service providers – 40 percent operate with incomplete asset inventories, 30 percent lack transparency over their IT environment. The missing visibility into systems and data flows makes it impossible to detect security incidents in a timely manner or fulfil regulatory requirements.
Financial institutions often still understand cybersecurity primarily as a reactive defense measure against external attacks. However, a real-world scenario illustrates the consequences of this perspective: A credit institution integrates a third-party provider for automated credit checks into its own systems. Weeks later, sensitive customer data is compromised via the partner’s cloud interface. The bank does not notice the data exfiltration because it has no insight into the service provider’s infrastructure and no system monitors the continuous data flow. The incident remains undiscovered for weeks.
The aforementioned IDC and KPMG study, which surveyed 150 executives from German companies – one-third of them from the financial sector – documents systematic blind spots: 40 percent of financial service providers maintain incomplete asset inventories, meaning they lack security hardware or software at critical points. 30 percent lack transparency over their IT environment. Particularly critical: 82 percent do not manage their detection and response capabilities through clear, integrated key performance indicators (KPIs). This means security measures remain ineffective because their effectiveness is not measured. Additionally, 42 percent can only monitor and evaluate security events to a limited extent because they lack sufficient capacity in their Security Operations Centers (SOCs) or Computer Emergency Response Teams (CERTs).
To remedy these deficiencies, security leaders must significantly expand independent risk monitoring – the so-called second line of defense. In an environment with cloud infrastructure and artificial intelligence, it is insufficient to check off a regulatory checklist quarterly. What is required is a modern second-line target operating model that defines clear roles and independent processes for the continuous monitoring of ICT risks. This creates a reliable data foundation for strategic management decisions.
Practical implementation is achieved through the “compliance by design” concept: Rather than manually verifying controls retrospectively, risk-oriented ICT control catalogs are embedded directly into internal control systems. Security leaders define uniform metrics both for performance (KPIs) and for risk (KRIs). These metrics must be precise, because only then can the effectiveness of measures actually be steered.
Source: www.it-daily.net · Published 30 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.