Cybercrime remains one of the highest-impact risks for UK financial services firms.
Digitisation has improved service and efficiency, but it has also widened the attack surface across email, payments, and supplier access.
For board papers, risk registers, and client communication reviews, cybersecurity now sits alongside credit, conduct, and operational risk.
The statistics below mix UK-specific and global financial-sector research from named sources. Where a figure is global or dated, we note the scope so you can judge how it applies to your firm.
We've grouped 21 cited statistics on targeting rates, costs, phishing, ransomware, governance, and resilience, with links to the original reports.
Use the sections below to scan by theme, then follow the source links when you need the full report context.
Understanding the Risk
1. Financial services organisations are 300 times more likely than other companies to be targeted by a cyber attack, according to CIO Dive's 2019 analysis.
What The Research Shows
Financial services firms remain disproportionately targeted compared with other sectors - a pattern that still shapes threat modelling and control investment today (CIO Dive, 2019).
2. In McKinsey's 2022 sector survey, the number of cyber attacks reported since the pandemic rose by over 200%.
3. The banking industry saw a 1318% increase in ransomware attacks in 2021, according to Security Magazine's reporting on that year.
4. In the same McKinsey survey, cybersecurity risk is rated “extremely important” by more than 80% of bankers, ranking above all other operational risks.
"Boards are now expected to treat communication risk with the same seriousness as financial and conduct risk.
If phishing and mis-sent client data are not visible in risk reporting, firms can look secure on paper while everyday email workflows stay exposed."
Paul Holland, Founder and CEO, Beyond Encryption (Mailock)
Those governance shifts sit alongside rising incident costs in sector reporting.
Quantifying the Threat
When incidents land, recovery cost and duration often determine whether the impact stays operational or becomes regulatory and reputational.
5. In Accenture and Ponemon's 2021 analysis, the average cost of cybercrime for financial services was 40% higher than in other sectors.
6. Among financial services organisations that paid a ransom, almost 39% paid $1 million or more in Sophos's 2023 sector study, up from 5% the year before.
7. The average worldwide cost of a data breach in the financial sector was $5.9 million in 2022 - above the global average of $4.45 million (USD).
8. For 37% of institutions in McKinsey's 2022 survey, the average time to resolve a security issue exceeds three months.
Key Threats: Phishing
Brand impersonation and malicious email remain common routes into financial services environments, including firms covered in our financial services cybersecurity overview.
9. In 2020, HMRC reported a 73% increase in email phishing attacks targeting taxpayers.
10. In Vade's H1 2022 sample, financial services was the most impersonated industry for phishing, accounting for 34% of activity.
11. In McKinsey's 2022 survey, phishing was the method of initial access in 46% of cyber attacks targeting financial services.
"Phishing statistics are useful, but the operational question is whether staff can spot a plausible payment or document request before it reaches a client workflow.
Firms also need evidence of who opened sensitive email when something goes wrong."
Michael Wakefield, CTO, Beyond Encryption (Mailock)
Ransomware reporting shows how quickly encryption and payment decisions follow initial access.
Key Threats: Ransomware
Encryption and extortion continue to dominate sector incident reporting, with payment and recovery choices under board scrutiny.
12. In Trellix's January 2022 threat report, the banking and financial sector accounted for 22% of total ransomware attacks in the sample.
13. In Sophos's 2023 financial services study, 64% of organisations reported a ransomware attack, up from 55% the year before, and 81% had data encrypted in those incidents.
14. In VMware's 2022 financial-sector survey, 74% of financial leaders experienced one or more ransomware attacks, and 63% ended up paying the ransom.
Key Threats: System Attacks
Technical exploitation and availability attacks still feature heavily in sector threat data alongside social engineering.
15. In Akamai's 2021 finance sector analysis, one in three cyber attacks against financial institutions began with vulnerability exploitation.
16. In IBM's 2021 X-Force Threat Intelligence Index, Distributed Denial of Service (DDoS) attacks increased by 110% year-on-year in the financial sector.
Attitudes to Cybersecurity
Governance and investment priorities are catching up with the frequency of incidents reported in sector surveys.
17. 95% of board committees now discuss cyber risk four or more times a year, according to McKinsey's board-focused analysis.
18. Top cybersecurity investment priorities for CISOs in that report include Extended Detection and Response (24%), Workload Security (22%), and Threat Intelligence (15%).
How Are Firms Addressing Risk?
Accenture's 2021 UK financial services cyber resilience study highlights how maturity and tooling choices affect breach outcomes. Figures below are in USD from that research.
19. Firms that had mastered cybersecurity were nearly four times better at stopping breaches.
What The Research Shows
Accenture's 2021 UK study found that firms with stronger cyber maturity were nearly four times more effective at stopping breaches than peers (Accenture, 2021).
20. Modern systems and protocols can reduce breach costs by 72%, saving $273,000 per incident in the same study.
21. With an average of 22 incidents a year, those savings add up to $6 million annually for the average financial firm in that model.
Preparing Your Business
Keeping pace with threat data while running core platforms and client service is a constant pressure for providers, platforms, and intermediaries.
Email remains a common route for phishing, misdirected messages, and impersonation. Controls that sit alongside everyday sending can help reduce those risks without forcing every client onto a new portal.
For practical steps beyond the numbers, see our guide to cybersecurity best practices for financial organisations.
Mailock adds AES-256 encryption, recipient authentication, secure replies, and message tracking to email workflows used by advisers, providers, and their customers.
It supports individuals, teams, and enterprises that need to evidence who received sensitive information and how access was checked, including message logs and broader audit trails across the account.
FAQs
Which Cyber Risks Are Highlighted for Financial Services?
The article groups risks around phishing, ransomware, system attacks, attitudes to security, and board-level preparedness.
Why Do Statistics Need Context?
Figures help show scale, but firms still need to map them to their own systems, people, suppliers, and customer communication workflows.
How Should Firms Use Cybersecurity Statistics?
Use them to prompt practical reviews of resilience, training, incident response, and secure handling of customer information.
References
Cyberattacks Hit Financial Services 300 Times More Than Other Sectors, CIO Dive, 2019
The Cybersecurity Posture of Financial Services Companies, McKinsey, 2022
Cybersecurity Emerging Challenges and Solutions for the Boards of Financial Services Companies, McKinsey, 2022
Banking Industry Sees 1318% Increase in Ransomware Attacks in 2021, Security Magazine, 2021
Cost of Cybercrime Continues to Rise for Financial Services Firms, Accenture, 2021
The State of Ransomware in Financial Services, Sophos, 2023
Average Cost of a Data Breach in the Financial Sector, Statista, 2022
HMRC Sees 73% Growth in Email Phishing Attacks, Infosecurity Magazine, 2020
Phishers' Favourites: Top 25 for H1 2022, Vade, 2022
Threat Report: January 2022, Trellix, 2022
Modern Bank Heists 5.0: The Escalation from Dwell to Destruction, VMware, 2022
Phishing for Finance: State of the Internet Security Report, Akamai, 2021
Security X-Force Threat Intelligence Index, IBM, 2021
Financial Services Cyber Resilience Study, Accenture, 2021
Reviewed by
Sam Kendall, 30.05.26
This content is for general information only and is not legal advice.