The Impact of Cyber Attacks on Financial Institutions

Cyberattacks on financial institutions and banks aren’t just costly IT incidents. They are critical business events that can move markets, shake customer confidence, and strain macro-financial stability. The outlook for 2025 is clear: the average cost of a breach in finance was US$ 6.08M, among the most expensive of all industries, and attackers are shifting to faster, more efficient methods of entry.

IBM

 

Why finance is an ideal target

Financial institutions sit at the intersection of high-value data, large volumes of transactions, and complex interconnections (payments, clearing, markets, custody, cloud, and core vendors). The IMF estimates that nearly one-fifth of all cyber incidents reported in the last two decades have affected the financial sector. Serious events could disrupt vital services, reduce confidence, and spread through both financial and technological links.

IMF

 

This “interconnectedness” isn’t just an abstract concept. The ransomware attack in November 2023 against ICBC’s U.S. broker-dealer disrupted U.S. Treasury trade settlement, a clear illustration of how a single breach can cause market disruption. The U.S. Treasury later noted that the breach affected settlements of more than 9 billion dollars in securities backed by assets, and an IMF study shows a clear rise in Treasury failures during the incident period.

U.S. Department of the Treasury

 

What the latest statistics show (2024-2025)

  • Costs are high and rising: Financial services breach costs averaged US$ 6.08M in 2024; the global average across all industries was US$ 4.88M.

    IBM

     

  • Threat patterns: For insurance/finance, System Intrusion, Social Engineering, and Basic Web Application Attacks account for 74% of all breaches. External actors are responsible for the majority of breaches, while the human element is still involved in 60 percent. Third-party involvement doubled to 30% year-over-year, underscoring vendor risk.

    Verizon

     

  • Exploitation is up: Exploited vulnerabilities as an initial access vector increased dramatically, driven by vulnerabilities in edge/VPN devices and slow patching. Ransomware was part of 44% of the breaches studied, even though median ransoms fell.

    Verizon

     

  • Crime continues to rise: The FBI’s IC3 recorded $16 billion in losses in 2024 (33 percent year-over-year growth), and Business Email Compromise (BEC) remains a major driver of high-dollar fraud.

    Federal Bureau of Investigation

     

Real-world business impact

  1. Direct financial damages and clean-up
    Incident response, legal notification, and technology restoration are just the beginning.
     The average per-breach cost in finance is significantly higher than the industry-wide baseline.

    IBM

     

  2. Operational disruption
    Attacks can delay payments, impair trading, or block customer access.
     The ICBC case demonstrated how a single broker-dealer outage could hinder Treasury settlement, a fundamental market function.

    U.S. Department of the Treasury

     

  3. Pressures on liquidity and balance sheets
    After an incident, banks could suffer deposit withdrawals, especially of wholesale funds, causing difficulty covering liquidity needs and leading to costly emergency actions.
     (The IMF’s 2024 Global Financial Stability Report explores these trends in depth.)

    IMF

     

  4. Reputational damage and turnover
    Breaches of account and personal information (often through third-party systems) erode trust and raise fraud rates and call-center costs for months.

  5. Legal, regulatory, and capital penalties
    Failure to comply with notification rules (the U.S. 36-hour banking incident rule; SEC Reg S-P breach notifications; EU DORA) can bring fines, remediation requirements and supervisory scrutiny.

    Federal Register

     

Case studies to learn from

  • ICBC Financial Services (Nov 2023): LockBit ransomware disrupted the firm’s books and records as well as its U.S. Treasury trade settlement operations. Later SEC findings focused on record-keeping and resilience gaps.

    U.S. Department of the Treasury

     

  • Santander (May-Jun 2024): A database hosted by a third party was accessed without authorization, affecting customers in Spain, Chile, and Uruguay as well as current and former employees. The bank says that transaction-related credentials weren’t affected, but the data was later offered for sale on criminal markets.

    santander.com

     

  • Evolve Bank & Trust (May-Jun 2024): A ransomware attack exposed data belonging to customers and fintech partners. The bank’s notices describe the affected data (including SSNs and account numbers) and the timeframe.

    Evolve

     

The rulebook for 2025: What’s changed?

  • EU DORA is live (Jan 17 2025): A binding, sector-wide framework covering operational resilience, incident reporting, third-party oversight and threat-led penetration testing (TLPT). The ECB has revised the TIBER-EU framework to align with DORA, which provides a specific way to conduct red-team-style resilience testing.

    EIOPA

     

  • U.S. banking “36-hour” incident notification: Banks are required to notify their primary federal regulator within 36 hours after determining that a notification-level event has occurred.

    Federal Register

     

  • SEC Regulation S-P Amendments (May 2024): Broker-dealers, funds, RIAs, and transfer agents must maintain up-to-date incident response programs and notify affected customers when their sensitive customer data has been accessed. The phased compliance period runs until December 2025 and June 2026, depending on the size of the firm.

    SEC

     

Supervisors also emphasize third-party risk (the FSB’s 2023 Toolkit) along with cross-market activities (the U.S. “Hamilton Series”) to handle systemic cyber risk.

Financial Stability Board

 

What boards, CFOs and CISOs must do now

1) Treat cyber as a primary risk to financial stability.
Map cyber scenarios to capital, liquidity and P&L impact.
 Include market-liquidity and deposit-run stress in tabletop exercises, based on realistic tech/service-outage assumptions derived from previous incidents. (The IMF and Fed highlight stability and macroeconomic issues.)

IMF

 

2) Shut the doors that attackers are using.
DBIR data shows a rise in exploitation of edge/VPN vulnerabilities and continued credential abuse.
 Prioritize an inventory of internet-facing assets, rapid patch SLAs for edge devices, phishing-resistant MFA, and continuous monitoring for leaked credentials.

Verizon

 

3) Ransomware resilience > negotiation.
Segment critical systems, set up immutable backups and regularly rehearse clean-room restorations under time pressure.
 Conduct TLPT/TIBER-EU-style tests to verify controls across technology and people.

European Central Bank

 

4) Incorporate third-party risk.
Classify vendors by criticality, require incident reporting in SLAs, and practice failovers.
 Align your approach with the FSB’s third-party risk toolkit to minimize fragmentation and increase supervisory credibility.

Financial Stability Board

 

5) Implement regulatory notifications. Prepare templates and decision trees in advance for the 36-hour regulator notification, SEC Regulation S-P notifications, and DORA incident reports. Bring together legal, privacy, IR, corporate comms, and business leaders before you need them.

Federal Register

 

6) Secure payments against BEC and real-time fraud.
Tighten callback protocols, behavioral/velocity analysis and release-hold controls for high-risk wires; BEC remains an outsized source of losses throughout the industry.

Federal Bureau of Investigation
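As an added illustration of the release-hold idea in item 6 (not code from the article or from any bank), the sketch below screens an outgoing wire against a customer profile and holds it for a callback when a beneficiary, velocity or channel check fires. The thresholds, field names and sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy thresholds for illustration; tune to your own fraud data.
HIGH_VALUE_USD = 50_000
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_MULTIPLIER = 3.0            # hold if 24h outflow exceeds 3x the daily baseline
DETAILS_COOLING = timedelta(days=7)  # beneficiary details changed too recently

@dataclass
class Wire:
    customer: str
    beneficiary_account: str
    amount_usd: float
    requested_at: datetime
    channel: str  # "email", "portal" or "branch"

@dataclass
class Profile:
    daily_baseline_usd: float
    known_beneficiaries: dict  # account -> datetime the details were added or last changed

def screen_wire(wire, profile, recent_wires):
    """Return (decision, reasons); decision is 'release' or 'hold_for_callback'."""
    reasons = []
    changed_at = profile.known_beneficiaries.get(wire.beneficiary_account)
    if changed_at is None:
        reasons.append("new_beneficiary")
    elif wire.requested_at - changed_at < DETAILS_COOLING:
        reasons.append("beneficiary_details_recently_changed")
    # Velocity: this wire plus the customer's outflow in the preceding window.
    window_start = wire.requested_at - VELOCITY_WINDOW
    outflow = wire.amount_usd + sum(
        w.amount_usd for w in recent_wires
        if w.customer == wire.customer and window_start <= w.requested_at < wire.requested_at)
    if outflow > VELOCITY_MULTIPLIER * profile.daily_baseline_usd:
        reasons.append("velocity_exceeds_baseline")
    # E-mailed instructions for large amounts are the classic BEC path.
    if wire.channel == "email" and wire.amount_usd >= HIGH_VALUE_USD:
        reasons.append("high_value_email_instruction")
    # Any hit holds the wire until a callback to the number already on file.
    return ("hold_for_callback" if reasons else "release", reasons)

# Constructed sample data (not real accounts or transactions).
NOW = datetime(2025, 3, 10, 14, 0)
PROFILE = Profile(20_000, {"ACCT-OLD": datetime(2024, 1, 5), "ACCT-CHANGED": datetime(2025, 3, 8)})
HISTORY = [Wire("acme", "ACCT-OLD", 15_000, NOW - timedelta(hours=5), "portal")]

if __name__ == "__main__":
    print(screen_wire(Wire("acme", "ACCT-CHANGED", 60_000, NOW, "email"), PROFILE, HISTORY))
```

The callback itself should go to contact details held before the request arrived, never to a number supplied in the payment instruction.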

 

7) Measure what matters, and report it the way finance thinks.
Track “mean time to detect or contain,” control effectiveness (e.g., MFA coverage on privileged accounts), patch latency on external assets, tabletop results, and the losses caused by incidents.
 Translate cyber exposure into liquidity and capital language for the Board.

Bottom line

Cyberattacks on financial institutions are no longer isolated IT crises. They are business-wide continuity and market-stability incidents with real costs, regulatory impact, and possibly catastrophic spillovers. The companies that succeed in 2025 will treat cyber like market risk, something that is measured, planned for and controlled at the top table, while working continuously on identity, patching, third-party controls and tried-and-tested emergency response.

IMF
