Get a demo

Physical security risk management for financial services

Your institution prices credit risk, market risk, and operational risk in dollars, and then decides physical security with a five-point rating scale. Holtium brings your branches, campuses, trading floors, and data centers into one place, puts a dollar figure on the risk at each site, and helps your team decide what to fix first.

Inherent risk exposure across your footprint 214 sites
Branch network$9.2MHigh
Corporate campuses$6.4MMedium
Trading floors$12.8MCritical
Data centers$4.1MLow
Cash operations$7.6MHigh
Executive offices$3.3MMedium
Recomputed today $43.4M total
Branch robbery Insider risk Executive protection Civil unrest Cash-in-transit Workplace violence Duty of care Trading floor continuity

The stakes

$17.4M

average annual cost of insider risk per organization, up from $16.2M two years earlier, in the sector where trust is the product.

Ponemon Institute, 2025 Cost of Insider Risks Global Report.

$8B

in insured losses from strikes, riots, and civil commotion between 2020 and 2024, up from negligible levels a decade earlier. Street-level branch networks sit in the middle of that exposure.

Swiss Re; Allianz Commercial, 2026.

$130,468

median value of executive security disclosed by S&P 500 companies in 2025 proxy filings, up 20 percent in a year, with over a third of companies now disclosing it.

Equilar, 2026.

The problem

Yours is the one risk function in the building without a number

A bank runs on quantified risk. Credit has models, market risk has limits, operational risk has capital held against it, and the insurers and examiners who look over your shoulder think in the same terms. Then the conversation turns to physical security, and the evidence becomes a rating scale that calls everything medium and a budget defended by judgment alone.

That gap has a cost. When the board risk committee asks why the security budget should grow while branches close, or an examiner asks how the program matches the threat, the security team is the only function answering in a different language than the rest of the institution. That is the gap this page is about.

The risks

Business risk through a physical security lens

Bank robbery has fallen 83 percent from its early-1990s peak, but the FBI still recorded 1,362 robberies of financial institutions in 2023, roughly 26 a week (FBI Bank Crime Statistics).

Each one carries a safety response cost, staff who need support or do not return, and a reputation cost in the community the branch serves. The Bank Protection Act has also made this a regulatory matter since 1968: it requires a designated security officer and minimum physical security measures, and examiners still check.

Branch consolidation keeps accelerating, with net closures jumping from 21 to 148 in a single quarter (S&P Global Market Intelligence, Q1 2025).

The branches that remain run with thinner staffing while absorbing the customers, and the frustration, of the ones that closed. Every incident carries a safety response cost, and duty of care that cannot be evidenced compounds into legal exposure.

Insider risk now costs organizations an average of $17.4M a year (Ponemon Institute, 2025), and few industries place more trust in more people than this one.

Physical access is part of the insider pathway: vaults, cash rooms, trading floors, and data halls are where privileged access turns into loss. The damage rarely stays a replacement cost; it shows up as legal exposure and as competitive advantage that never appears on an incident report.

Over a third of S&P 500 companies disclosed executive security spending in their 2025 proxy filings, with the median value up 20 percent in a year (Equilar, 2026).

Financial services leaders are among the most publicly visible executives in any economy, and boards now ask directly whether the program is sized to the threat. That question deserves an evidenced answer, sized to the exposure rather than to the most recent headline, and the cost of getting it wrong spans safety, leadership continuity, and reputation at once.

Insured losses from strikes, riots, and civil commotion passed $8B between 2020 and 2024, and civil unrest ranks as the top political violence concern for more than half of companies surveyed (Swiss Re; Allianz Commercial, 2026).

A branch network is a street-level footprint in the city centers where unrest concentrates. The losses arrive as property replacement, closed sites and lost productivity, and the safety of the people inside them.

Incident response — Branch 041, Elm St
Silent alarm triggered
09:14
Response coordinated, staff safe
09:16
Incident logged, support and reporting begin
09:41
What Holtium does

The platform your security team runs the program on, in the language your institution already uses

Holtium brings your risks, controls, locations, and spending into one place, helps your team decide what to do next, and measures it all in dollars so leadership can act on it. A Holtium team works alongside yours, so you get the analysis without building it.

Your risk register covers the risks this industry actually carries: violence and robbery across the branch network, insider risk in high-trust environments, targeted violence against executives, unrest exposure at street level, and the protection of cash operations. Build it in the platform, or bring in the one you already have.

The number

A number built the way your institution already builds them

Your risk committee will not accept a figure it cannot interrogate, and it should not. We start with your baseline, the risk each site would face with nothing but doors, walls, and locks, then subtract what your current controls already prevent. What remains is your exposure today, broken into the losses behind it, such as the safety response an incident triggers, the legal exposure when duty of care cannot be evidenced, and the reputation cost of an event at a branch.

It is built on recognized standards and loss data, the same quantitative discipline used in cyber, operational risk, and engineering, which is to say the discipline your institution already trusts everywhere else. It begins as a range rather than a false-precise figure and sharpens as we verify your controls, and every figure traces back to what drove it, through the same assumptions an examiner or an internal model validation team would want to see.

Each quarter, leadership gets an executive risk report that reads like finance: where exposure stands across the footprint, what moved it, and what comes next. It is written to sit inside a board risk committee pack, next to the quantified reporting every other risk function already delivers.

Exposure breakdown
Inherent Risk Exposure
Losses Avoided
Residual Risk Exposure

Inherent, losses avoided, and residual risk exposure, split into loss types. Financial services sample data.

[Approved quote pending]

Chief Security Officer, publicly traded financial institution
Low lift

Your branch assessments and guard contracts are the input, not wasted work

You share what you already track, in any format: partner provider assessments, branch security surveys, guard post orders, insurance schedules. We map it to your risks and sites for you, and most teams are up and running within weeks. Your job is to review and confirm, not to do the heavy lifting.

FAQ

Questions financial services teams ask

How do you put a dollar figure on risk across a branch network?

We model each risk at each branch, campus, and data center using recognized standards and loss data, the same quantitative discipline used in cyber, operational risk, and engineering. The figure starts as a range, sharpens as your controls are verified, and always traces back to what drove it. It is built to stand next to the quantified reporting your board risk committee already receives from every other risk function.

Does this help with the Bank Protection Act and examiner expectations?

Holtium is not a compliance tool, but it keeps the evidence examiners ask about in one place: which controls exist at which branches, what condition they are in, what is on the roadmap, and which risks leadership formally accepted and why. Teams use that record to answer examiners with documentation instead of recollection.

We already have branch assessments from a partner provider. Do we start over?

No. Existing assessments are exactly the input the platform wants. We ingest them, map the findings to risks, controls, and sites, and your team reviews and confirms. The work you have paid for becomes the starting picture instead of a drawer of PDFs.

How long until we see a risk picture across the whole network?

Most teams are up and running within weeks. You share what you already track, we structure and map it, and the first quantified picture covers your full footprint, from the branch network to the data centers, rather than one pilot site.

Does this cover ATM attacks?

Yes. ATM fleets and vestibules are modeled as part of your footprint, and attacks such as skimming, hook and chain pulls, and vestibule assaults are priced like any other risk: likelihood, loss types, and the controls that reduce them. That puts ATM hardening on the same roadmap as every other investment, compared in dollars.

See what your exposure is worth across the network

You stay in charge of the program. We do the analysis, so you get the evidence without building it.