
NIS2 and Financial Services: Asset Control for Banks and Insurers

Metrica.uno Team
#NIS2 #financial services #banking #DORA #ATM #asset management

In December 2019, Travelex, the world’s largest foreign exchange company, suffered a Sodinokibi ransomware attack that paralyzed operations across 30 countries for weeks. Airport kiosks stopped working, partner banks couldn’t process currency exchanges, and the company eventually entered administration. The vector: unpatched Pulse Secure VPN servers with a known vulnerability that had been public for months.

In financial services, every uncontrolled IT asset is an open door to million-dollar losses and regulatory sanctions.

Why NIS2 applies to financial services

NIS2 classifies banking and financial market infrastructure as essential entities (Annex I). Additionally, the DORA regulation (Digital Operational Resilience Act) reinforces specific obligations for the sector. Financial entities must comply with both:

  • ICT asset inventory: DORA explicitly requires a register of all ICT assets (Article 8)
  • ICT risk management: covering identification, protection, detection, response, and recovery
  • Incident reporting: initial reports within 4 hours (DORA) and 24 hours (NIS2)
  • Resilience testing: advanced penetration tests (TLPT) requiring knowledge of all in-scope assets
  • Fines: NIS2 up to 10 million euros; DORA allows additional sector-specific sanctions from financial supervisors

Real incidents in financial services

  • Bangladesh Bank (SWIFT), 2016: North Korean hackers stole $81 million from the central bank by manipulating SWIFT terminals. Attackers installed malware on workstations not in the bank’s security inventory.
  • Capital One, 2019: A misconfigured AWS firewall exposed data of 106 million customers. The entity lacked complete visibility over its cloud infrastructure and misconfigured assets.
  • Ion Group (UK), 2023: The financial software provider suffered a LockBit attack affecting derivatives operations in London and Chicago markets. Dozens of banks had to process trades manually for days.

Why exhaustive asset control is essential

  • Financial assets are highly distributed. ATMs across hundreds of locations, POS terminals in merchants, branch terminals, cloud infrastructure. Without a centralized inventory, visibility is fragmented.
  • DORA requires an updated ICT asset register. This is not optional: Article 8 mandates a complete, up-to-date register of all ICT information assets and systems, including third-party ones.
  • Every uncontrolled asset is a fraud vector. An uninventoried trading terminal, a dev server with production access, an employee laptop with banking credentials — any can be the weak link.
  • Resilience tests need a complete inventory. The TLPT tests required by DORA need knowledge of all in-scope assets. Without inventory, tests are incomplete and results unreliable.

What you need to control

  • ATMs: Location, software version, patch status, network connection
  • Point-of-sale terminals: PCI-DSS compliant devices at merchants and branches
  • Trading infrastructure: Bloomberg/Reuters terminals, execution servers, matching systems
  • Servers and cloud: On-premise, public cloud, hybrid environments with configurations
  • Branch equipment: PCs, printers, scanners, network devices per office
  • Employee devices: Laptops, corporate mobiles, authentication tokens
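To make the checklist above concrete, here is a small added example (constructed for this article, not code from Metrica Control or any vendor) that treats the asset register as data and runs the three checks a defender actually wants from it: assets seen on the network but missing from the register, registered assets that lack the attributes their class requires, and assets whose last patch is older than a policy window. All asset IDs, dates and the per-class attribute sets are made-up assumptions; the patch-age window of 60 days is likewise an assumed policy value.

```python
"""Hypothetical ICT asset register checks (constructed example, not Metrica Control code).

Three controls a register like the one described above should support:
  1. every asset seen on the network is in the register (no unknown terminals),
  2. every registered asset carries the attributes its class requires,
  3. no asset has gone longer than a policy window without a patch.
"""
from datetime import date

# Attributes each asset class must carry, following the checklist in the article.
# (Assumed schema; a real register would derive this from its own data model.)
REQUIRED_BY_CLASS = {
    "atm": {"location", "software_version", "last_patched", "network"},
    "pos": {"location", "pci_dss_compliant", "last_patched"},
    "server": {"environment", "owner", "last_patched"},
    "laptop": {"owner", "last_patched"},
}

# Constructed sample register: asset IDs, locations and dates are made up.
REGISTER = [
    {"id": "ATM-0001", "class": "atm", "location": "Branch 12", "software_version": "4.2.1",
     "last_patched": date(2024, 5, 2), "network": "atm-vlan-20"},
    {"id": "ATM-0002", "class": "atm", "location": "Airport T1", "software_version": "3.9.0",
     "last_patched": date(2023, 11, 14), "network": "atm-vlan-21"},
    {"id": "POS-0101", "class": "pos", "location": "Merchant 77", "pci_dss_compliant": True,
     "last_patched": date(2024, 5, 20)},
    {"id": "SRV-0007", "class": "server", "environment": "dev", "owner": "trading-it",
     "last_patched": date(2024, 4, 30)},
    {"id": "LAP-0303", "class": "laptop", "last_patched": date(2024, 5, 28)},  # owner missing
]

# Constructed list of asset IDs reported by network discovery on the same day.
DISCOVERED = ["ATM-0001", "ATM-0002", "POS-0101", "SRV-0007", "SRV-0099", "LAP-0303", "LAP-0404"]


def find_unregistered(discovered, register):
    """Asset IDs present on the network but absent from the register."""
    known = {asset["id"] for asset in register}
    return sorted(set(discovered) - known)


def find_incomplete(register, required_by_class=REQUIRED_BY_CLASS):
    """Map asset ID -> set of required attributes the record is missing."""
    gaps = {}
    for asset in register:
        required = required_by_class.get(asset["class"], set())
        missing = required - set(asset)
        if missing:
            gaps[asset["id"]] = missing
    return gaps


def find_stale_patches(register, as_of, max_age_days):
    """Asset IDs whose last_patched date is older than the policy window (or unknown)."""
    stale = []
    for asset in register:
        patched = asset.get("last_patched")
        if patched is None or (as_of - patched).days > max_age_days:
            stale.append(asset["id"])
    return sorted(stale)


def run_checks(as_of=date(2024, 6, 1), max_age_days=60):
    """Run all three checks against the sample data and return the findings."""
    return {
        "unregistered": find_unregistered(DISCOVERED, REGISTER),
        "incomplete": find_incomplete(REGISTER),
        "stale": find_stale_patches(REGISTER, as_of, max_age_days),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result}")
```

Run as a script, it reports two devices discovery saw that the register never recorded, one laptop with no owner, and one ATM that has not been patched inside the assumed 60-day window. In a real deployment the discovery feed and the register would come from live sources, but the reconciliation logic stays the same: the register is only useful as evidence for DORA Article 8 or a TLPT scope if it is continuously compared against what is actually on the network.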

Metrica Control provides the centralized ICT asset register that NIS2 and DORA demand. Every ATM, terminal, and server documented with location, owner, configuration, and complete incident history.

Ready to assess your compliance?

Start your free assessment today and find out where you stand with GDPR, NIS2, DORA, ISO 27001, and more.

Written by the Metrica.uno Team (Content Team)

The Metrica.uno Team helps organizations navigate AI compliance with practical insights and guidance.
