
Financial Services Cybersecurity: 5 Questions Boards Should Be Asking

Financial institutions are the leading targets of cybercrime, including extortion, theft, and fraud, accounting for over 20 percent of all cyber attacks.

Financial services firms are also 300 times more likely than other companies to be targeted, according to industry reporting from 2019.

Threats can include phishing schemes, ransomware, other malware attacks, and even insider activity. In this environment, boards must play a key role in guiding and assessing security strategies.

The Changing Risk Landscape

The risks to financial institutions have been complicated by rapid digitisation and disrupted working habits.

To keep up with changing technology and customer expectations, the last decade has seen widespread investment and transition to digital service provision.

This shift to digital was accelerated by the pandemic, forcing many institutions to bring forward their transformation timelines.

However, the explosion of digital financial services and mobile banking has also expanded the available attack surface that criminals can exploit. During the pandemic, the number of cyber attacks rose by over 200 percent.

Financial institutions are primary targets of cybercrime, facing a range of threats

In this charged environment, cybersecurity must be a key concern for everyone in financial services organisations, from boards to frontline staff.

The Cost of Financial Crime

The impact of financial crime is significant and growing.

Cyber incidents can lead to lost revenue, remediation costs, service disruption, and reputational damage. Alongside those business consequences comes the risk of financial penalties and regulator scrutiny.

Maintaining customer confidence is also a key concern. Customers trust institutions with their financial information and livelihood.

Financial services businesses must demonstrate the ability to preserve confidentiality, maintain the availability of systems and services, and guard the integrity of data.

While cybersecurity awareness has grown in the financial sector along with new defences, the threats are constantly evolving.

In this guide, we explore the five key questions that financial boards need to be asking to be prepared for these challenges and the solutions arising to protect businesses and customers.

"Boards cannot treat cyber risk as a quarterly IT update. Client data moves through email, third parties, and recovery plans every week - that belongs in the same conversation as financial and conduct risk."

Paul Holland, Founder and CEO, Beyond Encryption (Mailock)

Each question below focuses on a different layer of resilience, from core systems and people to long-term oversight and secure communication.

Cyber Attacks: Plan for Incidents and Recovery

New rules in place from March 2022 require firms to proactively address disruption to important business services from a range of events, including a cyber attack, technical glitches, and power outages.

Meanwhile, in Europe, the proposed Digital Operational Resilience Act (DORA) would introduce an EU-wide regulatory framework on digital operational resilience for a wide range of financial services firms, focusing on business continuity and the management of third-party risk.

However, many institutions are held back by outdated technology.

1. How Resilient Are Our Systems?

Legacy core operational systems are one of the major barriers to digital transformation.

They are slow to update and fix, and the expertise needed to work on them is in short supply.

Repair work is slowed further by disconnected systems, large code bases, and outdated workflows.

When it comes to a cyber attack, every hour of downtime is lost revenue, trust, and resources. With cyber attacks a near certainty, businesses need to prioritise quick recovery and data security.

The Challenge

  • Investment in technology and systems to detect issues sooner to provide maximum response time.
  • Established data and disaster recovery protocols with backups of essential data off-site that can be restored if an attack impacts business. With verified backups in place, fast system recovery means quicker operational recovery.
  • Documented threat response protocols to standardise your approach to issues and limit the impact of cyber attacks to a disruption rather than a disaster.

For leading financial firms, modern systems and security protocols can reduce the cost of a breach by as much as 72 percent, saving $273,000 per breach.

At an average of 22 incidents per year, these savings add up to potentially $6 million annually for the average firm.

2. Are Your People Empowered to Be Part of the Solution?

Cybersecurity is a constantly evolving field.

Making your people an asset in detecting and solving threats requires the right training, structures, and protocols.

The Challenge

Financial institutions have invested heavily in some areas, such as ‘don’t click the link’ training to avoid traditional phishing.

The result is that the sector is one of the least vulnerable to traditional phishing, with only 8.5 percent of targets opening malicious links or attachments - but tactics are always evolving.

The cost of Business Email Compromise (BEC) attacks has reached $1.86 billion, accounting for almost half of all reported cybercrime losses.

The Solutions

  • Top management should periodically rehearse scenarios to prepare and respond to a major cyber incident - building resilience and business continuity planning is absolutely key to reducing the impact.
  • Protocols should be formalised in systems that strictly manage permissions, known as Privileged Access Management (PAM), where user credentials and privileges are scoped, controlled, and audited.
  • Cybersecurity should be considered a C-level priority, bringing security leaders to the highest level of the business.
  • Cybersecurity also needs to adapt to new working habits, including expanding Endpoint Detection and Response (EDR) to support and secure the hybrid workforce. 70 percent of organisations report setting aside a budget for extended detection and response (XDR).
  • Employees need to be regarded as part of the cybersecurity team with corresponding investment in training and education. This includes regular refreshes to keep up with changes in the landscape.

Empowering employees and maintaining scalable systems are crucial

Rehearsals and clear ownership matter as much as tooling when alert volumes rise.

"When a major cyber incident lands, the first hours depend on who has rehearsed their role. Scenario exercises expose gaps in ownership long before regulators or clients do."

Adam Byford, COO, Beyond Encryption (Mailock)

Scalable monitoring and automation become the next priority once people and playbooks are in place.

3. Are Our Systems Scalable?

As the volume and complexity of cyber risks and threats grow, financial institutions need to invest in threat detection, solutions, and recovery.

However, with scalability a necessity, businesses will need to augment their human analysts with additional technological capabilities.

The Challenge

While cyber threats are becoming more numerous and complex, the ongoing cybersecurity skills gap means that there are simply not enough professionals with the right skills to tackle the problem.

In practice, security analysts typically receive more alerts than they can handle, particularly if alert parameters are not clearly defined.

This is exacerbated by the expanding network of interconnected systems that must be monitored.

In complex ecosystems, traditional indicators of compromise may not capture the breadth or nature of a threat or attack campaign, leading to alert fatigue among security analysts and to missed detections.

Meanwhile, attackers and adversaries are increasingly using automated and AI-driven tools to penetrate and attack corporate networks. Defences need to adapt.

The Solutions

  • Automated penetration testing.
  • Security Information and Event Management (SIEM) systems to comply with necessary mandates more efficiently and track issues.
  • AI and ML-powered fraud detection algorithms to spot suspicious activity.
  • Smart incident resolution to handle low-level issues and automated attacks.

4. How Do We Track and Assess Cyber Risk Long Term?

As financial services become increasingly digitised, cybersecurity will grow in scope and importance and must be embedded in every part of the organisation.

The Challenge

In the modern financial landscape, every service is a digital service, bringing a new level of risk.

Meanwhile, changing working habits have created a more distributed workforce with an expanded surface for vulnerabilities.

Cyber-readiness is no longer simply a matter of managing threats; it is a core business operational capability. Accordingly, reporting on cybersecurity needs to evolve beyond simple incident tracking towards continuous optimisation to stay ahead of evolving threats.

The Solutions

  • Forming technology committees with a mandate that includes cyber oversight.
  • Expanding protocols in the event of an attack to include broad groups of senior managers beyond the technical responders.
  • Elevating reporting on cybersecurity to a C-level concern with plans for every department.
  • Expanding oversight to cover system status, intelligence on threats, case studies of breaches, and the impact of regulatory changes.

For modern boards, cybersecurity must be an essential part of every project plan and scope - included alongside other measures of risk.

In the same way, boards must decide their risk tolerance for cybersecurity to guide management’s resourcing and spending so that they can address the consistent and persistent risks inherent in this area.

5. How Secure Is Our Communication?

In the course of conducting day-to-day business, financial institutions deal with large amounts of sensitive information.

This passes through external and internal stakeholders, being enriched, amended, and updated. Breaches in this chain are costly, on multiple fronts.

The Challenge

Financial institutions are strictly regulated, making data breaches especially dangerous: organisations face reputational damage, fines, and remediation costs, in addition to compensating for lost funds.

The implementation of GDPR has expanded the number and scale of fines for data and privacy breaches, while jurisdictions around the world have been introducing stricter data laws.

Financial institutions need a secure way to send and receive sensitive documents and protect customers from email interception and fraud.

The Solutions

  • Stakeholders can send sensitive documents and forms to customers over an encrypted email channel, directly to their inbox.
  • All customer replies should equally be protected, including when sensitive documents are attached.
  • Inefficient paper-based systems should be replaced with secure, centralised, paperless digital communications.

Secure communication is essential to protect sensitive information and comply with regulations

Financial institutions need an end-to-end communication solution that can protect internal resources and transfer data securely between parties, finding the right combination of security and flexibility.

Staying Ahead of the Cybersecurity Curve

Keeping up with the rapid changes taking place in the cybersecurity landscape while maintaining service levels and core systems is one of the chief challenges for financial providers, platforms, and intermediaries.

To maintain competitive positioning, institutions must prioritise solutions that maximise security and minimise service disruption, cost, and risk.

Communicate With Confidence

Mailock is a secure email solution designed specifically for the financial services industry that integrates easily with existing systems and processes.

It uses AES-256 encryption with no disruption to the email recipient experience.

In a click, you can exchange files quickly and securely with advisers, clients, and customers, minimising paper and helping protect against interception and fraud.

FAQs

What Should Boards Ask About Cyber Resilience?

Boards should ask whether systems, people, suppliers, and recovery plans can withstand realistic incidents.

Why Are People Part of the Cybersecurity Answer?

Staff handle sensitive information every day, so training, confidence, and usable controls matter as much as technology.

How Does Secure Communication Fit Board-Level Cyber Risk?

Customer and adviser communications need protection, evidence, and recovery options when sensitive information is sent.

References

The Cybersecurity Posture of Financial Services Companies, McKinsey, 2020

Cyber Threat Intelligence Report, Accenture, 2022

Cyberattacks Hit Financial Services 300 Times More Than Other Sectors, CIO Dive, 2019

Cyber Security Breaches Survey 2024, UK Government, 2024

Cost of a Data Breach 2023: Financial Industry Impacts, Security Intelligence, 2023

Cybersecurity Threat Report, CyberEdge, 2023

Financial Services Risk Trends, Allianz, 2023

Cybersecurity Leaders Budgeting for XDR, CIO, 2022

Reviewed by

Sabrina McClune, 27.06.24

Sam Kendall, 31.05.26

This content is for general information only and is not legal advice.

Originally posted on 04 05 22
Last updated on June 5, 2026

Posted by: Sabrina McClune

Sabrina McClune writes about cybersecurity, data protection, digital identity, and digital transformation for Beyond Encryption, helping regulated sectors understand complex technology and compliance topics with greater clarity.