Financial services executives face a growing paradox. Cybersecurity threats hit all-time highs in 2025, with U.S. organizations absorbing an average breach cost of $10.22 million. Yet most mortgage companies, credit unions, and banks still lack a clear way to measure whether their defenses are keeping pace.
Microsoft Secure Score gives you that measurement. It assigns a percentage grade to your Microsoft 365 tenant based on security configurations, policies, and protections you have in place. Organizations scoring above 80% experience 67% fewer security incidents. The question isn't whether Secure Score matters. The question is what you do once you know the number.
Secure Score evaluates your Microsoft 365 environment across four categories: Identity, Devices, Apps, and Data. Each category contains dozens of individual controls. Enable multi-factor authentication for all admins? Points. Require device compliance through Intune? Points. Block legacy authentication protocols? More points.
The total score is a percentage of your maximum achievable score. That maximum varies by organization because it depends on which Microsoft licenses you own. A company running Business Premium has different available controls than one running E5.
Here is what the score does not measure: third-party tools, employee awareness, physical security, or custom applications outside the Microsoft ecosystem. Secure Score is specific to your Microsoft 365 tenant configuration. Treat it as one vital signal in a broader security picture.
For regulated financial institutions, Secure Score connects directly to four business outcomes that matter at the executive level.
The FTC Safeguards Rule requires mortgage companies to maintain an information security program with administrative, technical, and physical safeguards. Under the 2024 amendment, non-banking financial institutions must report breaches affecting 500 or more customers to the FTC within 30 days. A strong Secure Score demonstrates that your Microsoft 365 tenant meets the technical safeguard requirements. It creates documented evidence for auditors.
Banks face FFIEC IT Examination Handbook requirements. Credit unions answer to NCUA. In each case, regulators want to see measurable security controls. Secure Score provides that measurement.
IBM's 2025 Cost of a Data Breach Report found that financial firms carry the second-highest breach costs of any industry, trailing only healthcare. When 50 million or more records are compromised, average costs reach $375 million for both sectors. Malicious attacks account for 51% of financial sector breaches, but IT failures and human error combine for 49%.
Many of those IT failures map directly to Secure Score controls. Stale admin accounts that were never disabled. Conditional Access policies that allow legacy authentication. MFA gaps that leave service accounts exposed. Fixing these pushes your score up and your risk down.
Cyber insurance carriers now evaluate Microsoft Secure Score data during underwriting. Carriers want evidence of MFA enforcement, data loss prevention policies, and endpoint compliance. A score above 80% can translate to lower premiums. A score below 60% may trigger coverage exclusions or higher deductibles. Your Secure Score has become a financial document, not just a technical dashboard.
Board members ask one question about cybersecurity: "Are we protected?" Secure Score gives you a number to answer with. It tracks over time, showing whether security posture is improving or degrading. That trend line tells a story no narrative report can match.
The average Microsoft 365 tenant scores between 30% and 50% out of the box. Default configurations leave critical protections disabled. Most financial institutions that haven't gone through a deliberate hardening process sit in this range.
Three patterns explain the gap.
IT teams enable security controls during initial deployment, then never revisit them. Microsoft releases new capabilities quarterly. Conditional Access policies that were strong in 2023 may be incomplete in 2026. Secure Score reflects this drift before attackers exploit it.
Many organizations pay for Microsoft Business Premium or E5 but only use a fraction of the included security features. Intune device compliance, Defender for Office 365, and Purview Data Loss Prevention are included in the license cost. Not deploying them means paying for protection you never activate.
When no single person owns the Secure Score, nobody tracks it. IT handles devices. Compliance handles policies. Security handles incidents. The score spans all three domains. Without an owner, improvement stalls.
Improving your score follows a predictable sequence. Start with the highest-impact actions that affect the most users, then work toward the long tail of specialized controls.
Identity is where most organizations gain the most points fastest. Start here.
Devices that access your Microsoft 365 data must meet baseline security standards.
Data protection controls address the regulatory requirements that financial institutions face daily.
The final category covers application-level controls and continuous monitoring.
Guardian is ABT's security operating model for Microsoft 365 tenants. It isn't a separate product you install. It's the continuous cycle of hardening, monitoring, insight delivery, and response that surrounds your tenant.
For Secure Score, Guardian operates across four functions:
Hardening applies the high-impact security configurations that push your score upward: Conditional Access policies, Intune compliance baselines, email authentication (SPF, DKIM, DMARC), and DLP rules. Guardian follows a 90-day hardening sprint that targets 80%+ Secure Score as a baseline.
Monitoring tracks your score continuously. When Microsoft adds new controls, Guardian evaluates and implements them. When configuration drift occurs, Guardian flags it before your score drops.
Security Insights translates your Secure Score into executive-level reporting: category breakdowns for Identity, Devices, Apps, and Data; trend lines that show progress over weeks and months; and risk prioritization that tells your team which actions deliver the most protection per hour invested.
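To make concrete how the portal percentage is derived from points versus your tenant's achievable maximum, and what the configuration drift and category breakdowns described above look like in the underlying data, here is an added Python example (not ABT's or Microsoft's code). The two snapshots are constructed to mirror the fields of Microsoft Graph's `GET /security/secureScores` response; the control names and point values are illustrative, not real control identifiers.

```python
"""Summarise Microsoft Secure Score snapshots and flag configuration drift.
Added example (not ABT's or Microsoft's code). The snapshots are constructed to
mirror the fields of Graph's GET /security/secureScores (currentScore, maxScore,
controlScores[]); names and point values are illustrative, not real control IDs."""
from collections import defaultdict

TARGET_PERCENT = 80.0  # the baseline the article recommends


def ctl(category, name, score):
    """Build one controlScores entry (constructed data)."""
    return {"controlCategory": category, "controlName": name, "score": score}


# Two daily snapshots, newest first, abridged to five controls each (constructed).
SNAPSHOTS = [
    {"createdDateTime": "2026-01-15T00:00:00Z", "currentScore": 26.0, "maxScore": 60.0,
     "controlScores": [ctl("Identity", "AdminMFA", 10.0), ctl("Identity", "BlockLegacyAuth", 0.0),
                       ctl("Devices", "IntuneCompliance", 8.0), ctl("Data", "DLPPolicies", 5.0),
                       ctl("Apps", "SafeLinks", 3.0)]},
    {"createdDateTime": "2026-01-14T00:00:00Z", "currentScore": 34.0, "maxScore": 60.0,
     "controlScores": [ctl("Identity", "AdminMFA", 10.0), ctl("Identity", "BlockLegacyAuth", 8.0),
                       ctl("Devices", "IntuneCompliance", 8.0), ctl("Data", "DLPPolicies", 5.0),
                       ctl("Apps", "SafeLinks", 3.0)]},
]


def percentage(snapshot):
    """Score as the portal shows it: current points over this tenant's achievable max."""
    return round(100.0 * snapshot["currentScore"] / snapshot["maxScore"], 1)


def category_points(snapshot):
    """Points earned per category (Identity, Devices, Apps, Data)."""
    totals = defaultdict(float)
    for c in snapshot["controlScores"]:
        totals[c["controlCategory"]] += c["score"]
    return dict(totals)


def drift(newer, older):
    """Controls that lost points between two snapshots, as (name, old, new)."""
    before = {c["controlName"]: c["score"] for c in older["controlScores"]}
    return [(c["controlName"], before[c["controlName"]], c["score"])
            for c in newer["controlScores"]
            if c["controlName"] in before and c["score"] < before[c["controlName"]]]


if __name__ == "__main__":
    latest, prior = SNAPSHOTS[0], SNAPSHOTS[1]
    print(f"{percentage(latest)}% of max (target {TARGET_PERCENT}%)", category_points(latest))
    for name, old, new in drift(latest, prior):
        print(f"DRIFT {name}: {old} -> {new} points")
```

In the constructed data the score falls from 56.7% to 43.3% because a single Identity control (legacy authentication blocking) dropped to zero, which is the kind of silent regression a daily comparison catches before the next quarterly review.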
Response handles the incidents that even a high Secure Score cannot prevent. When a sign-in anomaly or suspicious email bypasses automated defenses, Guardian's response process activates remediation.
Each regulatory body that oversees financial institutions maps to specific Secure Score categories.
FTC Safeguards Rule (Mortgage Companies): Requires a designated Qualified Individual, risk assessments, access controls, encryption, MFA, and incident response. Secure Score controls for Identity and Data map directly to these requirements.
FFIEC IT Examination Handbook (Banks): Covers information security, business continuity, and IT audit. Secure Score's Device and App categories address device management, endpoint protection, and application security requirements from the handbook.
NCUA Cybersecurity Requirements (Credit Unions): Focuses on member data protection, access controls, and incident response. Secure Score's Identity controls (MFA, Conditional Access) and Data controls (DLP, sensitivity labels) map to NCUA expectations.
GLBA (All Financial Institutions): The Gramm-Leach-Bliley Act applies to everyone. Its Safeguards Rule provisions require administrative, technical, and physical safeguards. A strong Secure Score demonstrates the technical safeguard layer.
Set clear benchmarks tied to your business reality.
The goal is sustained performance above 80%. Not a one-time achievement. A continuous operating standard that Guardian maintains through ongoing monitoring and adjustment.
A score above 80% indicates strong security posture for mortgage companies. Most tenants using default configurations score between 30% and 50%. Organizations above 80% experience 67% fewer security incidents according to Microsoft data. Financial institutions should target 80% as a minimum and maintain it through continuous monitoring to satisfy FTC Safeguards Rule requirements.
Cyber insurance carriers now evaluate Secure Score data during underwriting for financial institutions. A score above 80% with documented MFA enforcement and data loss prevention can lead to lower premiums. Scores below 60% may trigger coverage exclusions or higher deductibles. Carriers specifically look for MFA compliance, endpoint protection, and email security controls within the score breakdown.
Secure Score addresses the technical safeguard requirements of the FTC Safeguards Rule but does not cover administrative or physical safeguards. It demonstrates MFA enforcement, access controls, encryption, and data loss prevention configurations. Financial institutions need Secure Score plus documented policies, risk assessments, a designated Qualified Individual, and incident response plans to achieve full compliance.
Most financial institutions can reach 80% within 90 days through a structured hardening sprint. Identity controls like MFA and blocking legacy authentication provide the fastest gains in weeks one through four. Device compliance and data protection follow in weeks five through twelve. Maintaining the score requires continuous monitoring because Microsoft adds new controls quarterly and configuration drift can erode progress.
Guardian is ABT's security operating model that wraps around your Microsoft 365 tenant. It uses Secure Score as one of several measurement tools within a continuous cycle of hardening, monitoring, insight delivery, and incident response. Guardian applies the configurations that raise your score, monitors for drift that would lower it, and delivers executive reporting that translates the score into business risk language.
Your Secure Score exists right now in your Microsoft 365 admin portal. Knowing that number is the first step toward improving it. ABT's Security Grade Assessment provides a detailed breakdown of your current posture, identifies the highest-impact actions for your specific environment, and maps your controls to the regulatory frameworks that govern your institution.
Talk to ABT about your Secure Score and find out where you stand relative to the financial institutions that trust us to maintain their security posture.