AI Strategy, Cybersecurity, Compliance Automation & Microsoft 365 Managed IT for Security-First Financial Institutions | ABT Blog

Microsoft Secure Score for Financial Executives

Written by Justin Kirsch | Fri, May 29, 2026

Every financial executive approves a larger cybersecurity budget each year. Far fewer can answer a simpler question with a single number: is the spending actually closing the gap? IBM's 2025 Cost of a Data Breach Report puts the average breach at a financial services firm at $5.56 million, the second-costliest of any industry behind healthcare. When the breach lands inside the United States, the average climbs to $10.22 million. The dollars are not abstract, and neither is the exposure that produces them.

Microsoft Secure Score turns that exposure into a measurement. It assigns a percentage grade to your Microsoft 365 tenant based on the security configurations, policies, and protections you actually have switched on. For banks, credit unions, and mortgage companies, that number is the closest thing to a vital sign your security program has. The real question is not whether Secure Score matters. It is what you do the morning after you finally see your number, because a measurement that nobody acts on is just a more precise way to describe a problem.

This guide is written for the people who answer to a board, a regulator, and an insurance underwriter. It explains what the score measures, why it belongs on your executive dashboard, where most institutions lose points without realizing it, and how the M365 Guardian operating model that ABT runs on top of your tenant turns a static grade into a continuous standard.

Security Posture Metric | Industry Average | Recommended Baseline | M365 Guardian Standard
Microsoft Secure Score | 30-50% | 75%+ | 90%+
MFA Enforcement (Microsoft Entra ID) | Partial (admins only) | All users | All users plus service accounts
Legacy Auth Protocols | Still enabled | Blocked | Blocked and monitored
DLP Policies (Microsoft Purview) | None or basic | Financial data covered | NPI, loan data, wire instructions
Device Compliance | Unmanaged | Enrolled and baselined | Microsoft Intune plus Microsoft Defender for Endpoint

What Microsoft Secure Score Actually Measures

Secure Score evaluates your Microsoft 365 environment across four categories: Identity, Devices, Apps, and Data. Each category holds dozens of individual controls. Enforce multi-factor authentication for administrators in Microsoft Entra ID, and you earn points. Require device compliance through Microsoft Intune, more points. Block legacy authentication protocols that quietly sidestep MFA, more points again.

The headline number is a percentage of the maximum score available to you, and that maximum is not the same for every institution. It depends on which Microsoft licenses you own. A credit union running Microsoft 365 Business Premium has a different set of available controls than a bank running Microsoft 365 E5. That distinction matters at budget time, because two institutions can both report "82%" while measuring against very different ceilings.

What Secure Score Does Not Measure

Secure Score reflects your Microsoft 365 tenant configuration and nothing else. It does not grade third-party tools, employee security awareness, physical access, or custom applications outside the Microsoft ecosystem. Read it as one vital sign in a broader examination, not the whole physical.

The score is also a moving target. Microsoft regularly adds and revises the controls that feed it, which means your number can slip even in a week when your team changed nothing. A configuration that earned full marks two years ago may be only partially credited today. Staying above 90% is therefore a maintenance discipline, not a one-time hardening sprint you finish and forget.

Why Financial Executives Should Track Secure Score

For a regulated institution, Secure Score connects to four outcomes that live squarely at the executive level. None of them is an IT metric. Each one shows up in a budget, an audit, a policy, or a board deck.

Regulatory Compliance

The FTC Safeguards Rule requires non-banking financial institutions, including mortgage companies, to run an information security program with administrative, technical, and physical safeguards. Under the 2024 amendment, those institutions must report a breach affecting 500 or more consumers to the FTC within 30 days. A strong Secure Score is direct evidence that the technical-safeguard layer of your Microsoft 365 tenant is in place, and Microsoft Purview Audit produces the time-stamped trail that examiners ask to see. Banks answer to the FFIEC IT Examination Handbook, and credit unions answer to the NCUA. In every case, the regulator wants measurable controls. Secure Score supplies the measurement, and Microsoft Purview supplies the proof. For the deeper examiner-facing view, see our guide to FFIEC IT examination readiness for financial institutions.

Breach Cost Reduction

IBM's 2025 report puts the average financial services breach at $5.56 million, second only to healthcare at $7.42 million, with the United States average across all industries reaching $10.22 million per incident. A large share of those costs traces back to gaps that Secure Score names directly: stale administrator accounts that were never disabled, Conditional Access policies that still permit legacy authentication, MFA that covers people but not service accounts. Closing those gaps in Microsoft Entra ID raises your score and lowers your exposure in the same motion, while Microsoft Defender for Office 365 and Microsoft Defender for Endpoint absorb the email and endpoint attack paths that drive the largest losses.

$5.56M
average data breach cost for financial services organizations in 2025, the second-highest of any industry
Source: IBM Cost of a Data Breach Report, 2025

Cyber Insurance Eligibility

Cyber insurance carriers now read Secure Score data during underwriting. They want evidence of MFA enforcement, email security controls, and endpoint compliance before they price a policy. A higher score with documented MFA, Microsoft Purview Data Loss Prevention, and Microsoft Defender coverage supports lower premiums, while a thin control set can trigger coverage exclusions or a steeper deductible. Your Secure Score has quietly become a financial document, not just a technical dashboard, and it gets read by someone whose job is to find the gap.

Board-Level Reporting

Boards ask one durable question about security: are we protected? Secure Score gives you a number to answer with and a trend line to defend it. A score that climbs from 48% to 91% over two quarters tells a story no narrative summary can match, and it reframes the board conversation from anxiety to evidence. For the surrounding reporting cadence that NCUA and FFIEC examiners expect, see our breakdown of credit union board IT reporting.

Know where your Secure Score stands today

ABT's Security Grade Assessment maps your Microsoft 365 tenant controls to the benchmarks that regulators and insurers actually measure.

Where Most Financial Institutions Fall Short

A fresh Microsoft 365 tenant typically scores between 30% and 50% out of the box. The defaults favor convenience over protection, so an institution that has not run a deliberate hardening process almost always sits in that range, regardless of how much it spends elsewhere. Three patterns explain why the gap persists.

Default M365 Configuration

  • Legacy authentication protocols enabled
  • No Conditional Access policies
  • External sharing unrestricted
  • No Microsoft Purview DLP policies active
  • Devices unmanaged by Microsoft Intune

M365 Guardian-Hardened Configuration

  • Legacy auth blocked and monitored through Microsoft Entra ID
  • Risk-based Conditional Access enforced
  • External sharing restricted to approved domains
  • Microsoft Purview DLP active across email, Teams, and SharePoint
  • All devices enrolled in Microsoft Intune with Microsoft Defender for Endpoint

Configuration Drift

Teams switch on the right controls during deployment and then never revisit them. Because Microsoft keeps adding capabilities, a Conditional Access posture that was strong in 2023 can be incomplete by 2026 without anyone touching it. Secure Score surfaces that drift before an attacker does, which is the entire point of watching a trend line rather than a single annual snapshot.

License Waste

Many institutions pay for Microsoft 365 Business Premium or E5 and then activate a fraction of the security value inside it. Microsoft Intune device compliance, Microsoft Defender for Office 365, and Microsoft Purview Data Loss Prevention are already included in that license. Leaving them dormant means paying for protection you never switch on, which is the most expensive line item nobody puts on a budget.

Siloed Responsibility

When no single person owns the Secure Score, no one moves it. IT manages devices, compliance manages policy, and security manages incidents, but the score spans all three. Without a named owner who reports the number up the chain, improvement stalls in the seams between departments.

A Practical Roadmap to a Higher Score

Raising the number follows a predictable sequence. Start with the high-impact controls that touch the most users, then work outward to the long tail of specialized settings. Most institutions reach 90% inside 90 days when they run the phases in order rather than chasing scattered quick wins.

1. Identity: MFA, block legacy auth, disable stale accounts (Weeks 1-4)
2. Devices: Microsoft Intune enrollment, Microsoft Defender for Endpoint, compliance baselines (Weeks 5-8)
3. Data: Microsoft Purview DLP, sensitivity labels, external sharing controls (Weeks 9-12)
4. Monitor: Continuous score tracking, quarterly control reviews, drift alerts (Ongoing)

Phase 1: Identity Controls (Weeks 1-4)

Identity is where most institutions earn the most points the fastest, so start here.

  • Enforce MFA for every user in Microsoft Entra ID, including administrators, service accounts, and break-glass accounts. Microsoft reports that multi-factor authentication blocks more than 99.9% of account-compromise attacks, and as of 2025 Microsoft requires MFA for administrator access across tenants. Phishing-resistant methods raise the bar further, which is why FFIEC, NCUA, and OCC examiners now expect them: see our guide to phishing-resistant MFA for financial institutions.
  • Block legacy authentication protocols that bypass MFA entirely. POP3, IMAP, and SMTP AUTH remain the most common paths for credential stuffing against financial inboxes.
  • Disable stale accounts. Any account inactive for 90 or more days should be disabled or removed. A dormant account with valid credentials is a free entry point that costs an attacker nothing but time.
  • Deploy Conditional Access in Microsoft Entra ID for location, device compliance, and sign-in risk, so access decisions adapt to context rather than trusting a password alone.
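The 90-day stale-account sweep from the list above, as an added example that is not ABT's or Microsoft's code. It takes user records in the shape Microsoft Graph returns when the signInActivity property is selected (lastSignInDateTime for interactive sign-ins, lastNonInteractiveSignInDateTime for token refreshes and service-style activity); the records, the fixed reference date and the exemption list are constructed. The exemption is an assumption worth keeping: break-glass accounts are dormant by design, so an inactivity sweep that disabled them would remove your emergency access.

```python
"""Find Microsoft Entra ID accounts idle for 90 or more days (Phase 1, stale accounts).

Added example, not ABT's or Microsoft's code. Records follow the shape Graph returns
for GET /users?$select=userPrincipalName,accountEnabled,createdDateTime,signInActivity;
the records, the reference date and the exemption list are constructed.
"""
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)
# Fixed reference date so the run is repeatable (constructed).
REFERENCE_NOW = datetime(2026, 5, 29, 12, 0, tzinfo=timezone.utc)

# Constructed sample export. signInActivity is absent for a user who has never signed in,
# and a service account typically shows only non-interactive sign-ins.
SAMPLE_USERS = [
    {"userPrincipalName": "a.lender@example.com", "accountEnabled": True,
     "createdDateTime": "2023-01-10T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2026-05-20T13:12:00Z",
                        "lastNonInteractiveSignInDateTime": "2026-05-28T02:00:00Z"}},
    {"userPrincipalName": "old.contractor@example.com", "accountEnabled": True,
     "createdDateTime": "2022-06-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-11-03T08:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2025-12-01T08:00:00Z"}},
    {"userPrincipalName": "svc-wire-batch@example.com", "accountEnabled": True,
     "createdDateTime": "2024-02-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": None,
                        "lastNonInteractiveSignInDateTime": "2026-05-29T01:30:00Z"}},
    {"userPrincipalName": "never.logged.in@example.com", "accountEnabled": True,
     "createdDateTime": "2026-01-15T09:00:00Z"},
    {"userPrincipalName": "breakglass-01@example.com", "accountEnabled": True,
     "createdDateTime": "2023-01-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-01-01T00:00:00Z",
                        "lastNonInteractiveSignInDateTime": None}},
    {"userPrincipalName": "already.off@example.com", "accountEnabled": False,
     "createdDateTime": "2021-03-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-05-01T10:00:00Z",
                        "lastNonInteractiveSignInDateTime": None}},
]

# Emergency-access accounts are dormant by design; never disable them for inactivity (assumption).
BREAK_GLASS = frozenset({"breakglass-01@example.com"})


def parse_ts(value):
    """Graph timestamps are ISO 8601 with a trailing Z; return an aware datetime or None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_activity(user):
    """Most recent of interactive and non-interactive sign-in; fall back to account creation."""
    activity = user.get("signInActivity") or {}
    stamps = [parse_ts(activity.get("lastSignInDateTime")),
              parse_ts(activity.get("lastNonInteractiveSignInDateTime"))]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else parse_ts(user["createdDateTime"])


def find_stale_accounts(users, now=REFERENCE_NOW, exempt=BREAK_GLASS):
    """Return (upn, days_idle) for enabled, non-exempt accounts idle for STALE_AFTER or longer,
    most-idle first. Reporting only: the disable/remove step is a separate, reviewed action."""
    stale = []
    for user in users:
        if not user.get("accountEnabled"):
            continue  # already disabled, nothing to do
        upn = user["userPrincipalName"]
        if upn.lower() in exempt:
            continue
        idle = now - last_activity(user)
        if idle >= STALE_AFTER:
            stale.append((upn, idle.days))
    return sorted(stale, key=lambda entry: -entry[1])


if __name__ == "__main__":
    for upn, days in find_stale_accounts(SAMPLE_USERS):
        print(f"{upn}: idle {days} days")
```

Two details matter in practice: a service account that only ever refreshes tokens would look dead if you read lastSignInDateTime alone, which is why both timestamps are considered, and an account that has never signed in is measured from its creation date so it does not escape the sweep by having no sign-in record at all.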

Phase 2: Device Compliance (Weeks 5-8)

Any device that reaches your Microsoft 365 data has to meet a baseline before it gets there.

  • Enroll devices in Microsoft Intune and define policies for encryption, operating-system currency, and security baselines.
  • Deploy Microsoft Defender for Endpoint on every managed device. It extends your Secure Score and feeds the same detection telemetry examiners reference when they probe your incident-response readiness.
  • Block non-compliant devices with a compliance policy. A laptop three months behind on patches has no business opening loan files or member records.

Phase 3: Data Protection (Weeks 9-12)

Data controls map most directly to the regulations financial institutions face every day.

  • Configure Microsoft Purview Data Loss Prevention so sensitive data cannot leave through email, Teams, or SharePoint. For lenders that means non-public information, loan files, and wire-instruction templates each get a dedicated policy rather than a single generic rule. Our Microsoft 365 DLP configuration guide for financial services walks through the exact policy set examiners look for.
  • Enable Microsoft Purview sensitivity labels so staff can classify documents that hold borrower data, member records, or compliance materials.
  • Restrict external sharing in SharePoint and OneDrive to approved domains rather than the open default.

Phase 4: App Protection and Monitoring (Ongoing)

The final category covers application-level controls and the continuous monitoring that keeps the score from sliding.

  • Enable Microsoft Defender for Office 365 with Safe Links and Safe Attachments. For any institution that handles customer correspondence by email, this is the single largest moveable line in the score: see the anti-phishing configuration examiners expect.
  • Set app consent policies so users cannot grant standing permissions to malicious third-party applications.
  • Alert on score changes. A sudden drop is an early warning that a control was removed or a policy changed, and it deserves an investigation, not a footnote.
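The score-change alert above, together with two points made earlier in the guide (the headline percentage is measured against a licence-dependent maximum, and the number can slip in a week when nobody changed anything because Microsoft added a control), as an added example that is not ABT's or Microsoft's code. The two snapshots are constructed but follow the field layout of the Microsoft Graph secureScores resource (currentScore, maxScore, and controlScores entries with controlCategory, controlName and score); the control names are made up for illustration and the alert threshold is an assumption.

```python
"""Explain a change between two Microsoft Secure Score snapshots.

Added example, not code from ABT or Microsoft. The snapshots are constructed but
follow the Microsoft Graph secureScores layout (currentScore, maxScore,
controlScores[] with controlCategory/controlName/score); control names are invented.
"""
import math

# Percentage-point drop between snapshots that should open an investigation (assumed threshold).
ALERT_DROP_POINTS = 2.0

# Constructed January snapshot: 46 of 50 available points, i.e. 92%.
SNAPSHOT_JAN = {
    "createdDateTime": "2026-01-15T00:00:00Z",
    "currentScore": 46.0,
    "maxScore": 50.0,
    "controlScores": [
        {"controlCategory": "Identity", "controlName": "AdminMFA", "score": 10.0},
        {"controlCategory": "Identity", "controlName": "UserMFARegistration", "score": 9.0},
        {"controlCategory": "Identity", "controlName": "BlockLegacyAuth", "score": 8.0},
        {"controlCategory": "Devices", "controlName": "IntuneDefenderOnboarding", "score": 6.0},
        {"controlCategory": "Data", "controlName": "PurviewDLPPolicy", "score": 7.0},
        {"controlCategory": "Apps", "controlName": "SafeLinks", "score": 6.0},
    ],
}

# Constructed March snapshot: Microsoft added a 5-point control the tenant has not
# implemented (maxScore rises to 55) and a legacy-auth exclusion cost 2 points.
SNAPSHOT_MAR = {
    "createdDateTime": "2026-03-15T00:00:00Z",
    "currentScore": 44.0,
    "maxScore": 55.0,
    "controlScores": [
        {"controlCategory": "Identity", "controlName": "AdminMFA", "score": 10.0},
        {"controlCategory": "Identity", "controlName": "UserMFARegistration", "score": 9.0},
        {"controlCategory": "Identity", "controlName": "BlockLegacyAuth", "score": 6.0},
        {"controlCategory": "Identity", "controlName": "PhishResistantAdminMFA", "score": 0.0},
        {"controlCategory": "Devices", "controlName": "IntuneDefenderOnboarding", "score": 6.0},
        {"controlCategory": "Data", "controlName": "PurviewDLPPolicy", "score": 7.0},
        {"controlCategory": "Apps", "controlName": "SafeLinks", "score": 6.0},
    ],
}


def percent(snapshot):
    """Headline number: earned points as a percentage of this tenant's own maximum."""
    return round(100.0 * snapshot["currentScore"] / snapshot["maxScore"], 1)


def category_breakdown(snapshot):
    """Points earned per Secure Score category (Identity, Devices, Apps, Data)."""
    totals = {}
    for control in snapshot["controlScores"]:
        category = control["controlCategory"]
        totals[category] = totals.get(category, 0.0) + control["score"]
    return totals


def points_to_target(snapshot, target_percent):
    """Whole points still needed to reach target_percent of the tenant's current maximum."""
    needed = target_percent * snapshot["maxScore"] / 100.0 - snapshot["currentScore"]
    return max(0, math.ceil(needed))


def explain_change(old, new):
    """Separate 'Microsoft moved the ceiling' from 'a control lost points' and decide on an alert."""
    before = {c["controlName"]: c for c in old["controlScores"]}
    after = {c["controlName"]: c for c in new["controlScores"]}
    regressed, improved = [], []
    for name in sorted(before.keys() & after.keys()):
        was, now = before[name]["score"], after[name]["score"]
        entry = (name, after[name]["controlCategory"], was, now)
        if now < was:
            regressed.append(entry)
        elif now > was:
            improved.append(entry)
    old_pct, new_pct = percent(old), percent(new)
    return {
        "old_percent": old_pct,
        "new_percent": new_pct,
        "max_score_delta": new["maxScore"] - old["maxScore"],
        "new_controls": sorted(after.keys() - before.keys()),
        "retired_controls": sorted(before.keys() - after.keys()),
        "regressed": regressed,
        "improved": improved,
        "alert": old_pct - new_pct >= ALERT_DROP_POINTS,
    }


if __name__ == "__main__":
    report = explain_change(SNAPSHOT_JAN, SNAPSHOT_MAR)
    print(f"{report['old_percent']}% -> {report['new_percent']}%  alert={report['alert']}")
    print("ceiling moved by", report["max_score_delta"], "points; new controls:", report["new_controls"])
    for name, category, was, now in report["regressed"]:
        print(f"regressed: {category}/{name} {was} -> {now}")
    print("points needed for 90%:", points_to_target(SNAPSHOT_MAR, 90))
```

The split in the report is the part worth keeping: a drop caused only by a rising maxScore means Microsoft published a control you have not yet implemented, while a regressed entry means a setting you already had credit for was weakened, which is the case that deserves an investigation rather than a footnote. Comparing percentages between tenants is only meaningful once you have also compared their maxScore values, since the two ceilings differ by licence.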

How M365 Guardian Turns the Score Into an Operating Standard

M365 Guardian is ABT's security operating model for Microsoft 365 tenants. It is not a product you install. It is the continuous cycle of hardening, monitoring, insight, and response that surrounds the tenant so the controls behind your score stay in force instead of decaying into orphaned settings. ABT manages your Microsoft 365 tenant under the Tier-1 Direct-Bill CSP relationship, which means the Microsoft Entra ID, Microsoft Defender, Microsoft Purview, and Microsoft Intune controls that drive your Secure Score all run inside one operating model rather than scattered across an internal team's working memory.

For Secure Score specifically, M365 Guardian operates across four functions.

Hardening

Applies the high-impact configurations that move the number: Microsoft Entra ID Conditional Access, Microsoft Intune baselines, email authentication (SPF, DKIM, DMARC), and Microsoft Purview DLP. Targets 90%+ inside a 90-day sprint.

Monitoring

Watches the score continuously. When Microsoft adds a control, M365 Guardian evaluates and implements it. When configuration drift appears, it flags the change before the score drops.

Insights

Translates the score into executive reporting: category breakdowns, trend lines over weeks and months, and a ranked view of which actions deliver the most protection per hour invested.

Response

Handles the incidents a high score cannot prevent: Microsoft Defender and Microsoft Entra ID sign-in anomalies, suspicious bypasses, and remediation when automated defenses need a human.

Run together, those four functions turn a quarterly scramble to chase the number into a steady operating rhythm that holds it. That is the difference between a one-time hardening project and a standard the institution can defend to a board or an examiner at any point in the year.

The gap between having a Secure Score and acting on it is exactly where most financial institutions lose ground. M365 Guardian closes that gap by turning the number into a continuous operating standard.

Underneath that operating model sits a specific stack of Microsoft 365 products, and each one moves a different part of the score. The next breakdown shows which tool carries which category.

Tier-1 Cloud Solution Provider (CSP) ABT Partner Insight

Microsoft Secure Score sits on top of a stack of Microsoft 365 products that have to be configured and operated together to move the number. Microsoft Entra ID supplies the identity layer: MFA enforcement, Conditional Access, sign-in risk evaluation, and Identity Protection. Microsoft Intune enrolls every device that touches institution data and checks it against the financial-services baseline. Microsoft Defender for Office 365 and Microsoft Defender for Endpoint hold the active threat side, from inbound phishing through endpoint detection and response. Microsoft Purview Audit, DLP, and retention hold up the records and audit-evidence side that examiners ask for under the FTC Safeguards Rule, the FFIEC IT Handbook, and NCUA ACET. ABT layers M365 Guardian, the financial-services-tuned operating model for these tools, on top of the tenant. The Tier-1 Direct-Bill CSP designation means ABT manages your Microsoft 365 tenant under Microsoft's top partner tier with delegated administrative access.

Source: Microsoft Learn, "Microsoft Secure Score" and "Microsoft 365 security overview," 2024-2026.
The four pillars of Microsoft Secure Score mapped to the M365 Guardian control set for regulated financial institutions

Secure Score and the Regulatory Frameworks That Govern You

Each regulator that oversees financial institutions maps to specific Secure Score categories. The 2025 regulatory landscape also shifted underneath everyone: the FFIEC retired its long-standing Cybersecurity Assessment Tool in August 2025 and declined to update it for newer standards, and in September 2025 the NCUA released an updated Automated Cybersecurity Examination Tool aligned to NIST Cybersecurity Framework 2.0. The measurement tools changed, but the underlying expectation did not. Examiners still want demonstrable, documented controls, and our breakdown of the FFIEC CAT retirement and the NIST CSF 2.0 gap covers what that transition means in practice.

Regulatory Framework | Applies To | Key Secure Score Categories | What Examiners Look For
FTC Safeguards Rule | Mortgage companies | Identity, Data | MFA in Microsoft Entra ID, access controls, encryption, Microsoft Purview DLP, incident response plan
FFIEC IT Examination Handbook | Banks | Devices, Apps | Microsoft Defender for Endpoint, application security, Microsoft Intune device management
NCUA ACET (NIST CSF 2.0) | Credit unions | Identity, Data | Member data protection, access controls, 72-hour incident notification
GLBA Safeguards | All financial institutions | All four categories | Administrative, technical, and physical safeguards documented in Microsoft Purview Audit

FTC Safeguards Rule (mortgage companies). Requires a designated Qualified Individual, risk assessments, access controls, encryption, MFA, and an incident response plan. The Identity and Data categories of Secure Score map directly onto those technical requirements, and the 2024 amendment added the 30-day, 500-consumer breach-notification obligation that raises the stakes on detection and evidence.

FFIEC IT Examination Handbook (banks). Covers information security, business continuity, and IT audit. The Device and App categories of Secure Score address device management through Microsoft Intune, endpoint protection through Microsoft Defender for Endpoint, and the application-security expectations the handbook lays out.

NCUA cybersecurity requirements (credit unions). Center on member-data protection, access controls, and incident response, including 72-hour incident notification. With ACET now aligned to NIST CSF 2.0, the Identity controls (MFA and Conditional Access in Microsoft Entra ID) and Data controls (Microsoft Purview DLP and sensitivity labels) map cleanly to what an examiner will test.

GLBA (all financial institutions). The Gramm-Leach-Bliley Act applies across the board, and its Safeguards provisions require administrative, technical, and physical safeguards. A strong Secure Score demonstrates the technical layer, and Microsoft Purview Audit ties that layer back to the written policy an examiner expects to find.

The business case for moving from default Microsoft 365 configurations to the M365 Guardian-hardened Secure Score standard

Measuring Progress: What Good Looks Like

Set benchmarks tied to your reality, then report against them on a fixed cadence so the number means the same thing every quarter.

Microsoft Secure Score Maturity: Where Most Financial Institutions Stand (chart of score bands: Below 40%, marked "Most FIs"; 40-60%; 60-80%; 90%+, marked "M365 Guardian Standard")

Most institutions running default Microsoft 365 configurations score between 30% and 50%. M365 Guardian targets 90%+ as a continuous operating standard.

  • Below 40%. Critical risk. The tenant is running defaults and most protections are off. Prioritize immediate hardening.
  • 40-60%. Below average. Core controls are partially deployed, with common gaps in inconsistent MFA, missing Microsoft Intune compliance policies, and absent Microsoft Purview DLP rules.
  • 60-80%. Progressing. The foundation is in place and the work shifts to advanced protections and closing the remaining gaps.
  • 80-90%. Strong. You have deployed the controls that matter most. The focus moves to the long tail and to holding the line.
  • 90%+. The M365 Guardian standard. Continuous monitoring prevents drift, regulatory conversations become evidence-based, and insurance carriers see the documentation they expect.

A foundational score is the start of the program, not the finish. Once the number is healthy, the harder discipline is building the response capability and human judgment that a percentage can never capture, which is the argument we make in Beyond Secure Score: building a real security program for financial institutions.

Key Takeaway

The goal is sustained performance above 90%, not a one-time achievement. Microsoft adds controls regularly and configuration drift erodes progress, so a score of 92% in January can slip to 84% by March without active management. M365 Guardian maintains the standard through ongoing monitoring of Microsoft Entra ID, Microsoft Defender, Microsoft Purview, and Microsoft Intune.

Get a Secure Score Readiness Review

ABT runs the M365 Guardian operating model described here for more than 750 financial institutions. A 30-minute conversation maps your current Microsoft 365 tenant footprint, surfaces the Secure Score gaps your next examiner or insurance carrier is most likely to flag, and outlines what an ABT-managed deployment would cover across Microsoft Entra ID, Microsoft Defender, Microsoft Purview, and Microsoft Intune. No commitment and no obligation.

Frequently Asked Questions

A score above 90% indicates a strong security posture for a bank, credit union, or mortgage company. Most tenants running default configurations score between 30% and 50%. Financial institutions should treat 90% as a minimum and maintain it through continuous monitoring to satisfy FTC Safeguards Rule requirements and to demonstrate technical controls in Microsoft Entra ID, Microsoft Defender, and Microsoft Purview to cyber insurance carriers during underwriting.

Cyber insurance carriers now evaluate Secure Score data during underwriting for financial institutions. A score above 90% with documented MFA enforcement in Microsoft Entra ID and Microsoft Purview Data Loss Prevention can support lower premiums. Scores below 60% may trigger coverage exclusions or higher deductibles. Carriers specifically look for MFA compliance, Microsoft Defender for Endpoint coverage, and Microsoft Defender for Office 365 email security controls within the score breakdown.

Secure Score addresses the technical-safeguard requirements of the FTC Safeguards Rule but does not cover the administrative or physical safeguards. It demonstrates MFA enforcement in Microsoft Entra ID, access controls, encryption, and Microsoft Purview data loss prevention. A mortgage company needs Secure Score plus documented policies, risk assessments, a designated Qualified Individual, and an incident response plan to reach full compliance.

Most financial institutions can reach 90% within 90 days through a structured hardening sprint. Identity controls like MFA in Microsoft Entra ID and blocking legacy authentication deliver the fastest gains in weeks one through four. Microsoft Intune device compliance and Microsoft Purview data protection follow in weeks five through twelve. Holding the score requires continuous monitoring because Microsoft adds new controls regularly and configuration drift erodes progress.

M365 Guardian is ABT's security operating model that wraps around your Microsoft 365 tenant. It uses Secure Score as one of several measurement tools inside a continuous cycle of hardening, monitoring, insight, and incident response. M365 Guardian applies the Microsoft Entra ID, Microsoft Defender, Microsoft Purview, and Microsoft Intune configurations that raise the score, monitors for the drift that would lower it, and delivers executive reporting that translates the number into business-risk language.

Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has led security risk management programs for financial institutions since 1999. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he helps more than 750 banks, credit unions, and mortgage companies translate Microsoft Secure Score into measurable risk reduction and regulatory compliance through the M365 Guardian operating model.