Why Financial Firms Must Prioritize Software Bill of Materials (SBOM) for Cybersecurity
A software bill of materials (SBOM) provides transparency into a company’s software components, helping financial firms mitigate cybersecurity risks and comply with evolving regulations. With rising supply chain attacks and regulatory scrutiny from SEC, FINRA, and NYDFS, SBOMs are becoming essential tools for security, risk management, and operational resilience in financial services.
Maintaining a software bill of materials for the entire tech stack is crucial for cybersecurity, especially considering that most organizations have over 100 software applications churning along under their hoods. You might describe a software bill of materials as an MRI scan of a company’s technology stack. The US Cybersecurity and Infrastructure Security Agency (CISA) defines a software bill of materials (SBOM) as “a formal record containing the details and supply chain relationships of various components used in building software.”
We think of SBOMs as mapping the entire technology stack to see where your risks and vulnerabilities might come from and how to proactively manage them. Every good general needs a plan for the next battle. An SBOM is the strategic map that shows your security teams where vulnerabilities lie — allowing them to address risks in both peacetime and during emergencies. Here is a breakdown of the importance of SBOMs as they apply to financial services industry participants.
Supply chain attacks are rising
After a 431% spike in supply-chain-related cyberattacks between 2021 and 2023, and a 179% year-over-year increase in 2024 in weekly cyberattacks stemming from breaches at a vendor, policymakers pricked up their ears at the thorny trend. This is another ramification of the exploding technological complexity of our business systems, a byproduct of digital transformation.
- 2020: The SolarWinds cyberattack put supply chain vulnerabilities center stage, as a compromised software update led to widespread security breaches in government agencies and Fortune 500 companies.
- 2021: A flaw in the Log4j open-source logging library exposed millions of devices to remote code execution attacks.
- 2021: The Executive Order on Improving the Nation’s Cybersecurity acknowledged the increasing number of software security risks throughout the supply chain and included recommendations on SBOM.
- 2023: A software vulnerability in the managed file transfer software MOVEit affected thousands of organizations, from the Louisiana Office of Motor Vehicles to British Airways and the US Department of Energy, and almost 100 million individuals.
- 2025: While there have been no widely publicized supply chain attacks of this scale in 2025 so far, it’s important to remember that new vulnerabilities in libraries and dependencies are constantly being discovered and disclosed. For many organizations, the most significant risks may be attributable to a smaller-scale disclosure in a dependency uniquely important for that organization.
Why SBOMs matter for cybersecurity in financial services
In the highly regulated financial sector, asset managers, hedge funds, and capital markets participants naturally feel the pressure to protect their own data, their partners’ information, and their clients’ financial data: data that translates into dollars and livelihoods. Among the many regulatory frameworks that apply to capital markets are cybersecurity rules and guidelines. We at Arcesium occupy a spot in the value chain, so as a technology provider we treat our own data security responsibilities with the utmost urgency.
Financial regulators have tuned in to the interdependency of financial systems, like trading systems, treasury, clearing, carrying, settlement functions, payroll, anti-money laundering, and so on.
- With its Cybersecurity Rules for Investment Advisers (2023), the SEC raised the bar for hedge funds and asset managers, making cybersecurity disclosures as important as financial disclosures.
- FINRA: “Since 2023, FINRA has observed an increase in cyberattacks and outages at third-party providers used by member firms. The financial industry’s reliance on third-party providers to support several key systems or covered functions aggravates the risk to member firms.”
- The New York Department of Financial Services Cybersecurity Regulation leveled strict rules for hedge funds, private equity firms, and asset managers operating in New York, including hiring a CISO and performing annual risk assessments and penetration testing.
- In 2024, the SEC adopted amendments to Regulation S-P that require incident response programs to establish, maintain, and enforce written policies and procedures for overseeing service providers, including through due diligence and monitoring.
Primer for an effective SBOM strategy
You might think SBOMs, or software bills of materials, would be on the tip of every IT professional’s tongue, given the growing interconnectedness of digital business.
However, the industry is still on a maturity journey before SBOMs become table stakes. The first objective is to make sure your firm has visibility into all the systems in use in your tech environment.
A tech stack can be towering. If you're not aware that you're using a solution, you're not going to be aware of your risk if or when it becomes vulnerable.
The IT or cybersecurity leader will need to collect the details of each tool, like where it lives and how it’s used in the environment. CISA recommends that an SBOM should contain some combination of the following baseline information:
- Author name
- Supplier name
- Component name
- Version string
- Component hash
- Unique identifier
- Relationship
Licensing, pedigree, and provenance should also be included, if available. Our goal is to map everything, including internally developed code, open-source components, and third-party libraries.
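As an added example (not Arcesium's code and not a CycloneDX project artifact), the block below writes a minimal CycloneDX-style JSON SBOM for a hypothetical "reporting-service" and checks every component against the CISA baseline elements listed above. The application name, the component versions, the "example-security-team" author and the hashes are constructed for illustration; the hashes are SHA-256 digests of label strings, not real artifact digests. The second component is deliberately left without a supplier and a hash so the check has something to report.

```python
# Added example, not Arcesium's code: a minimal CycloneDX-style (JSON) SBOM
# for a hypothetical "reporting-service", plus a check that each component
# carries CISA's baseline elements. Names, versions and hashes are constructed.
import hashlib
import json


def placeholder_digest(label: str) -> str:
    """Stand-in for a real artifact hash: SHA-256 of a label string."""
    return hashlib.sha256(label.encode("utf-8")).hexdigest()


LOG4J_REF = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
REQUESTS_REF = "pkg:pypi/requests@2.31.0"

SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        # Author name: who produced this SBOM (assumed team name)
        "authors": [{"name": "example-security-team"}],
        "component": {
            "type": "application",
            "bom-ref": "reporting-service",
            "name": "reporting-service",
            "version": "2.4.0",
        },
    },
    "components": [
        {
            "type": "library",
            "bom-ref": LOG4J_REF,
            "supplier": {"name": "Apache Software Foundation"},  # supplier name
            "name": "log4j-core",                                # component name
            "version": "2.14.1",                                 # version string
            "purl": LOG4J_REF,                                   # unique identifier
            "hashes": [{"alg": "SHA-256", "content": placeholder_digest("log4j-core-2.14.1")}],
            "licenses": [{"license": {"id": "Apache-2.0"}}],
        },
        {
            # Deliberately incomplete record: no supplier and no hash
            "type": "library",
            "bom-ref": REQUESTS_REF,
            "name": "requests",
            "version": "2.31.0",
            "purl": REQUESTS_REF,
        },
    ],
    # Relationships: which component depends on which (CycloneDX "dependencies")
    "dependencies": [
        {"ref": "reporting-service", "dependsOn": [LOG4J_REF, REQUESTS_REF]},
        {"ref": LOG4J_REF, "dependsOn": []},
        {"ref": REQUESTS_REF, "dependsOn": []},
    ],
}


def baseline_gaps(sbom: dict) -> dict:
    """Return {bom-ref: [missing baseline elements]}; the key "_document"
    collects document-level gaps such as a missing author."""
    gaps = {}
    if not sbom.get("metadata", {}).get("authors"):
        gaps["_document"] = ["author name"]
    declared = {d.get("ref") for d in sbom.get("dependencies", [])}
    for comp in sbom.get("components", []):
        missing = []
        if not comp.get("supplier", {}).get("name"):
            missing.append("supplier name")
        if not comp.get("name"):
            missing.append("component name")
        if not comp.get("version"):
            missing.append("version string")
        if not comp.get("hashes"):
            missing.append("component hash")
        if not comp.get("purl"):
            missing.append("unique identifier")
        if comp.get("bom-ref") not in declared:
            missing.append("relationship")
        if missing:
            gaps[comp.get("bom-ref", comp.get("name"))] = missing
    return gaps


def to_json(sbom: dict) -> str:
    """Serialize the SBOM as it would be written to disk or handed to a scanner."""
    return json.dumps(sbom, indent=2)


if __name__ == "__main__":
    print(to_json(SBOM))
    print(baseline_gaps(SBOM))
```

Running the script prints the JSON document and then `{'pkg:pypi/requests@2.31.0': ['supplier name', 'component hash']}`. A gap report like this is what a CISO should expect back from suppliers before accepting their SBOMs into automated monitoring: a component without a hash cannot be matched reliably, and one absent from the dependency graph cannot be traced to the application that loads it.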
Mitigate cyber-risk with SBOM
Maintaining an SBOM is essential to identify vulnerabilities and manage risks within your software stack. A bill of materials also represents an important foundational pillar of sound data security. Third-party risks can emerge through data breaches, service disruptions, and noncompliance with regulatory requirements. The development of an SBOM is a critical first step in NIST’s supply chain risk management framework. It involves drawing a detailed map of the entire supply chain, including third- and fourth-party relationships, to identify vulnerabilities and dependencies, which, as NIST observes, is “similar to food ingredient labels on packaging.”
We strive to be transparent about our own tech environment at Arcesium. When a critical vulnerability appears in a major open-source library, such as Log4J, security teams can use the existing SBOM to determine where the risks are, and based on analysis of how the software is used, the highest risk areas to target with mitigations. It’s important to incorporate both internal review and external notifications into the vulnerability management process.
We view our systems as extensions of our clients’ operating environments. Being transparent about our response processes helps demonstrate we are on top of the issues of the day and are good stewards of their data. Understanding which open-source tech we use also enables users to independently monitor issues that can impact their software and even their own systems. If a hedge fund’s CISO sees a critical vulnerability announced in one of their solution provider’s open-source systems, like QuantConnect or Backtrader, they can connect with their provider to understand how their platform is impacted and how to handle it. Many SBOM tools support standardized formats such as CycloneDX or SPDX, which also helps facilitate data sharing between organizations. This desire for transparency and visibility should be universal.
How SBOMs help identify and manage software risks
Establishing SBOM processes is the first stage of conducting a cyber risk assessment. After creating an SBOM, the next step is to scan the components to determine whether they are up to date and whether they have any known vulnerabilities. Scanning helps prioritize updates by identifying high-risk vulnerabilities and assessing their reachability within the environment. This allows firms to determine whether an update is a fire drill or can be scheduled as part of a routine update. A number of commercial and open-source tools are available to maintain the SBOM and scan for vulnerabilities. Two popular open-source tools often seen in this space are OWASP Dependency-Track and OWASP Dependency-Check.
Outdated systems, firmware, and software are among the top causes of cybersecurity vulnerabilities and a major threat vector for ransomware. In the Log4j incident, unpatched systems were widely exploited across the internet in what was arguably one of the largest upgrade fire drills of all time. You don’t want to be gathering this information for the first time during such a drill; the SBOM will be a guide to which applications need patching or updating. As a side effect, the process of maintaining the SBOM can raise the visibility of deprecated dependencies that are no longer required and can be removed to reduce the organization’s attack surface.
In addition to managing software security risks, an SBOM catalogue also helps to manage legal risks by allowing teams to perform license compliance scanning against the SBOM map. Licenses can be routinely scanned and confirmed as appropriate for the use of the software. A well-maintained SBOM helps the CISO to take steps in avoiding known vulnerabilities, enables them to quantify and manage licenses, and helps identify both security and license compliance requirements.
SBOM goes beyond a sound cybersecurity posture
The benefits of creating an SBOM don’t stop at cybersecurity. Insurance companies have been willing to reward firms with advanced security measures. A firm lowers operating costs with sustained SBOM practices by preventing resource-intensive cybersecurity hiccups or, worse, business interruptions. The use of an SBOM creates a heightened sense of an organization’s software footprint across every department.
SBOMs have been a standard practice in industrial supply chains for decades. Since we are talking about transparency and communication between capital markets participants up and down the value chain, standardization is key. CISOs should ensure that SBOMs received from third-party suppliers conform to industry standard formats to enable the automated ingestion and monitoring of versions. In terms of our increasingly digital market ecosystem, we really are all in it together.
The willingness to be transparent about data security to business partners and suppliers will go a long way toward the reduction of damaging data breaches and ransomware attacks.
Key Takeaways
1. What is an SBOM and why is it important?
An SBOM is a detailed inventory of software components, including open-source and third-party elements. It helps provide a map of dependencies for organizations to identify vulnerabilities, manage risks, and improve software security.
2. How do SBOMs help financial firms enhance cybersecurity?
Financial firms rely on complex software stacks, making them vulnerable to supply chain attacks. SBOMs provide visibility into software dependencies, enabling proactive risk management and compliance with cybersecurity regulations.
3. What major cyber incidents highlight the need for SBOMs?
The SolarWinds attack (2020), Log4j vulnerability (2021), and MOVEit breach (2023) demonstrated how compromised software components can lead to widespread security failures.
4. What regulations are pushing financial firms to adopt SBOMs?
Regulations like the SEC Cybersecurity Rules (2023), FINRA guidance, NYDFS Cybersecurity Regulation, and updated SEC Regulation S-P mandate stronger oversight of third-party software risks.
5. How can financial firms implement an SBOM strategy?
Firms should start by cataloging all software components, formalizing data collection for SBOMs, scanning for vulnerabilities, and ensuring compliance with industry standards for security and licensing.