Scale of cyber threat
The Bank of England’s latest Systemic Risk Survey Results from 2024 H2 cites cyber attacks alongside geopolitical risk as the most frequently mentioned risks, with 80% of respondents listing cyber attacks as a top-five risk, an increase of 10% from 2024 H1.
A cyber incident can lead to regulatory scrutiny, customer dissatisfaction, and significant financial impact for financial services firms, as well as wider systemic consequences. No doubt this is why financial services firms and the regulators are so focused on this threat.
The dual challenge of cyber incidents and the associated data breaches also exposes firms to serious financial crime risks. The UK National Cyber Security Centre (NCSC) highlights that AI is being used by threat actors for reconnaissance, social engineering, and analysis of exfiltrated data, increasing the risk of financial crime. The NCSC Annual Review for 2024 reveals that last year the NCSC handled 1,957 cyber attack reports, a significant increase from 2023. These were triaged into 430 incidents requiring NCSC support, up from 371 in 2023. Of these, 89 were nationally significant, with 12 being severe, a three-fold increase from 2023.
IBM’s 2024 Cost of a Data Breach Report estimates the cost of a data breach at nearly $5 million, excluding regulatory fines. And IBM’s earlier 2023 report found that data leaks accounted for 64% of cyber attacks in the financial sector, with attackers exploiting network vulnerabilities. Risks are heightened when data is stored in unmanaged, "shadow" data sources. AI and automation can help reduce these costs (see our Exploring Themes article on AI usage in financial crime compliance), but there is no doubt that these remain significant and evolving risks.
Regulatory risks
Internationally, financial services firms face complex and multi-faceted regulatory risks from cyber incidents.
In the UK, both the FCA and PRA emphasise the importance of robust cybersecurity measures to protect against operational disruption and financial crime. The FCA requires firms to maintain adequate systems and controls to prevent breaches and ensure consumer protection and market integrity. Non-compliance can lead to substantial fines and enforcement actions. The PRA focuses on the financial stability aspect, ensuring firms manage their operational resilience and cybersecurity risks effectively. Additionally, the Senior Managers and Certification Regime holds senior managers accountable for cybersecurity, making it a critical area of focus for compliance teams.
Firms must also comply with the UK’s operational resilience framework, which integrates cybersecurity into broader resilience planning. Operational resilience has been firmly in focus for several years, with full implementation of the final regulatory rules required by 31 March 2025.
The UK Information Commissioner can also impose significant fines for personal data breaches if firms fail to maintain appropriate technical and organisational measures as required by UK GDPR. Alongside the notification to the ICO, affected data subjects may also have to be contacted quickly, posing challenges in managing reputational and litigation risks. Although there is no specific collective redress mechanism under UK data protection laws, affected individuals can pursue representative or group actions for losses.
Firms also cannot overlook the significant human cost of a data breach. The Information Commissioner issued new guidance in November 2024, with the ICO’s accompanying research highlighting that nearly 30 million people in the UK have been impacted by data breaches, with 30% suffering emotional distress as a result. Despite this, 25% received no support from the responsible organisations and 32% learned about data breaches through the media.
Building resilience
Operational resilience is critical for firms. It underpins firms’ ability to withstand cyber incidents and ensure prompt recovery if one occurs.
The NCSC’s Annual Review 2024 and the regulator’s 2024 CBEST thematic offer valuable insights for compliance teams in 2025 and beyond. These reports emphasise the importance of integrating threat intelligence into business lines and maintaining high situational awareness of threats. This requires well-staffed cybersecurity teams, despite the skills gaps identified in IBM’s recent report, which are exacerbated by the rapid rollout of AI solutions.
Communicating the significance of system vulnerabilities, the need for good cyber hygiene, and the risks from state actors, criminal gangs, and insider threats can be challenging, especially when attacks that are successfully repelled often go unnoticed. Firms must recognise that cyber incidents are inevitable, and that robust cyber resilience practices are essential for adapting to, responding to, recovering from, and learning from disruptions. Prevention is only one part of the cyber and operational resilience jigsaw.