Cybersecurity in the financial services industry webinar
Below you will find the presentation and recording from our webinar, Cybersecurity in the financial services industry: Debunking quick fixes and investing in what really works. For more information on the subject, and to learn more about how we can assist your organization with its cybersecurity strategy, refer to our cybersecurity and financial services webpages.
According to recent studies, financial services organizations face a disproportionate number of attacks compared to other sectors. Why? The answer is clear: They hold highly sensitive data and manage significant financial transactions, making them attractive targets for malicious actors seeking financial gain or access to valuable information.
Cyberattacks have grown in frequency, and ransomware, phishing schemes and insider threats are just the tip of the iceberg. With a rapidly evolving threat landscape, many organizations face mounting pressure to evolve their cybersecurity strategies. While the allure of the “next big thing” in cybersecurity protection is always tempting, true maturity relies on the thoughtful deployment of emerging technology that is balanced by excellence in the fundamentals. Below you will find answers to some of the most popular cybersecurity questions clients have been asking our financial services cybersecurity specialists:
The most pressing cybersecurity threats facing financial services organizations include increasingly sophisticated ransomware attacks that target core banking systems and sensitive customer data, resulting in potentially severe financial and reputational harm. Phishing and social engineering remain widespread, with attackers exploiting both employees and customers to gain unauthorized access to confidential information. Supply chain vulnerabilities are also a major concern, as cybercriminals focus on third-party vendors to infiltrate financial networks. Some of the more interesting statistics our speakers noted from the 2025 Verizon Data Breach Investigations Report [1] included the following:
- 17% of breaches were espionage motivated
- 20% of breaches involved exploitation of vulnerabilities (34% increase from prior year)
- 22% featured attacks on virtual private networks (VPNs) and edge devices (up 8x from prior year)
- 30% of breaches involved vendors (double from prior year)
- 44% featured ransomware (up from 32% the prior year)
- 60% of breaches involved human errors or social engineering
- Servers were the most common asset involved, appearing in 95% of breaches
The integration of emerging technologies like artificial intelligence (AI) expands financial services organizations’ attack surface, requiring vigilant monitoring and adaptation to evolving risks. These trends underscore the need for proactive threat detection, vendor oversight and employee training.
Effective evaluation of cybersecurity risk across various information technology (IT) domains requires a structured approach, collaboration with stakeholders and continuous adaptation to evolving threats.
Key areas to map IT domains to enterprise risk include:
Cybersecurity: Cybersecurity is fundamental to the protection of information assets and the overall integrity of an organization’s technology environment. Key risk-related areas include:
- Threat detection: Proactively identifying and monitoring for potential security threats is crucial to preventing breaches before they escalate
- Incident response: Establishing a well-defined incident response plan enables organizations to react promptly to security incidents
- Security awareness: Educating employees and users about cybersecurity threats and best practices reduces the risk of human error, which the DBIR figures above place in 60% of breaches
Data and privacy: Data and privacy risks have grown exponentially with the increasing volume and sensitivity of information financial services organizations handle. Key considerations include:
- Governance: Implementing robust data governance frameworks to ensure data is managed, protected and used responsibly
- Consent: Collecting and managing user consent transparently is essential for compliance with privacy regulations
- Compliance: Adhering to legal and regulatory requirements mitigates the risk of legal penalties and reputational harm
Business continuity: Business continuity focuses on maintaining critical operations during and after disruptive events. The main risk areas are:
- Resilience: Designing systems and processes to withstand disruptions ensures ongoing service delivery and operational stability
- Backups: Regularly backing up data and systems minimizes data loss and accelerates recovery after incidents
- Recovery testing: Periodic testing of recovery plans validates their effectiveness and prepares teams for real-world events
Third-party and SaaS: Reliance on third-party vendors and software as a service (SaaS) providers introduces unique risks, including:
- Vendor risk: Assessing and monitoring vendor security postures helps keep an incident at a third party from propagating into your own environment
- Cloud oversight: Ensuring proper management and oversight of cloud services mitigates risks related to data breaches, misconfigurations and service outages
AI and agent deployment: The integration of artificial intelligence (AI) and autonomous agents brings new risk dimensions:
- Governance: Establishing clear governance structures for AI systems ensures accountability, transparency and alignment with organizational values
- Algorithm risk: Evaluating and managing risks associated with algorithmic bias, errors and unintended consequences protects against operational and reputational damage
- Human-in-the-loop controls: Maintaining human oversight over critical AI decisions helps balance automation with ethical and safe outcomes
Identity and access management (IAM): IAM is vital for controlling user access to systems and data. Key risk management practices include:
- Authentication: Implementing strong authentication mechanisms (e.g., multifactor authentication) reduces the risk of unauthorized access
- Access reviews: Regularly reviewing user access ensures only authorized individuals have the necessary permissions, limiting potential insider threats
- Privileged account management: Securing and monitoring privileged accounts helps prevent misuse and limits the impact of credential compromise
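The three IAM practices above are easiest to sustain when the review itself is automated. The following is an added example written for this page (not code from the webinar or its presenters) that runs the checks a reviewer would apply by hand over a constructed identity export: entitlements beyond a role's approved baseline, privileged entitlements held without MFA, non-active accounts that still carry access, and accounts with no login inside the inactivity window. The record shape, the role baseline, the privileged-entitlement set and the 90-day threshold are all assumptions chosen for illustration.

```python
"""Automated access review checks (added example; not from the webinar).

Assumptions (constructed for illustration): identity data has been exported
from a directory or IAM system into the record shape below, and a role
baseline lists the entitlements each job role is approved to hold.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2025, 9, 1)          # constructed "today" for the review
STALE_AFTER = timedelta(days=90)        # inactivity threshold (assumption)
PRIVILEGED = {"domain-admin", "db-admin", "wire-release"}  # constructed set

# Approved entitlements per job role (constructed baseline).
ROLE_BASELINE = {
    "teller": {"core-banking-read", "cash-drawer"},
    "loan-officer": {"core-banking-read", "loan-origination"},
    "dba": {"db-admin", "core-banking-read"},
}

# Constructed export of user records.
USERS = [
    {"user": "asmith", "role": "teller", "status": "active",
     "entitlements": {"core-banking-read", "cash-drawer"},
     "mfa": True, "last_login": date(2025, 8, 29)},
    {"user": "bjones", "role": "loan-officer", "status": "active",
     "entitlements": {"core-banking-read", "loan-origination", "wire-release"},
     "mfa": False, "last_login": date(2025, 8, 30)},
    {"user": "cdoe", "role": "dba", "status": "active",
     "entitlements": {"db-admin", "core-banking-read"},
     "mfa": True, "last_login": date(2025, 4, 2)},
    {"user": "dlee", "role": "teller", "status": "terminated",
     "entitlements": {"core-banking-read"},
     "mfa": True, "last_login": date(2025, 7, 15)},
]


def review_user(u, today=REVIEW_DATE):
    """Return a list of (finding, detail) tuples for one user record."""
    findings = []
    baseline = ROLE_BASELINE.get(u["role"], set())

    # Orphaned: a terminated or disabled account that still holds access.
    if u["status"] != "active" and u["entitlements"]:
        findings.append(("orphaned", "non-active account still holds entitlements"))

    # Excess: entitlements the user's role is not approved to hold.
    excess = u["entitlements"] - baseline
    if excess:
        findings.append(("excess", f"beyond role baseline: {sorted(excess)}"))

    # Privileged without MFA: the highest-impact gap for credential compromise.
    held_priv = u["entitlements"] & PRIVILEGED
    if held_priv and not u["mfa"]:
        findings.append(("priv-no-mfa", f"privileged without MFA: {sorted(held_priv)}"))

    # Stale: no sign-in inside the inactivity window.
    if today - u["last_login"] > STALE_AFTER:
        findings.append(("stale", f"no login since {u['last_login']}"))
    return findings


def run_review(users=USERS, today=REVIEW_DATE):
    """Map each user that has findings to its list of findings; clean users are omitted."""
    report = {}
    for u in users:
        found = review_user(u, today)
        if found:
            report[u["user"]] = found
    return report


if __name__ == "__main__":
    for user, findings in run_review().items():
        for code, detail in findings:
            print(f"{user}: {code}: {detail}")
```

On the constructed data the review flags bjones for holding wire-release outside the loan-officer baseline and without MFA, cdoe as stale, and dlee as a terminated account that still carries access; asmith is clean. In practice the baseline and the privileged set would come from the role catalogue and the PAM tool rather than inline literals, and each finding would be routed to the access owner for attestation or removal.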
Cloud posture: As organizations increasingly rely on cloud infrastructure, managing its security posture is essential:
- Infrastructure security: Protecting cloud infrastructure against threats such as misconfigurations, vulnerabilities and unauthorized access is paramount
- Configuration governance: Establishing and enforcing configuration standards and policies ensures that cloud environments remain secure and compliant
The NAIC Insurance Data Security Model Law requires:
- Cybersecurity program: Establish and maintain a comprehensive risk-based information security program supported by policies and procedures designed to identify information assets, protect those assets and respond to cybersecurity events in a timely manner
- Incident response plans: Create a detailed incident response plan to manage cybersecurity events
- Investigation: Conduct a prompt investigation into any cybersecurity event that occurs
- Oversight: Implement management-level oversight, ongoing monitoring and regular reporting on the program’s effectiveness
- Third-party vendors: Establish requirements for the security of third-party service providers that handle nonpublic information
- Breach notifications: Notify the state insurance commissioner and affected customers in the event of a data breach
Please keep in mind that this list is a summary of the NAIC Insurance Data Security Model Law [2], not a comprehensive mapping of the entire regulation.
For New York-based financial services organizations, refer to our New York State Department of Financial Services (NYS DFS) cybersecurity rules compliance guide.
The Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) requires:
- Strong internal controls: Requires banks to establish and maintain effective internal control systems covering all operational areas, including IT
- Focus on risk management: Emphasizes identification, assessment and mitigation of risks to ensure safety and soundness
- Cybersecurity implications: While not prescribing specific cyber controls, FDICIA sets the foundation for robust IT general controls requirements
The Gramm-Leach-Bliley Act (GLBA) requires:
- Risk assessment: Requires banks to perform thorough risk assessments, preferably asset-based, covering internal and external threats to customer data
- Information security program: Banks must develop and maintain a comprehensive, written information security program tailored to their risk profile
- Access controls: Mandates controls to restrict access to customer information to authorized individuals only
- Monitoring and testing: Requires ongoing monitoring, testing and evaluation of the effectiveness of security controls
Two developments affect how institutions demonstrate that these risk assessment requirements are met:
- FFIEC CAT tool retirement: The FFIEC Cybersecurity Assessment Tool (CAT) has been officially retired and is no longer supported for regulatory examinations. The NCUA, however, still uses its Automated Cybersecurity Examination Tool (ACET), which is based on the CAT
- Transition to NIST CSF and the CRI Profile: Many financial institutions are adopting the NIST Cybersecurity Framework (CSF) and the Cyber Risk Institute (CRI) Profile as their primary standards for cybersecurity risk assessments
Although the FFIEC CAT is retired, regulators still expect institutions to maintain robust cybersecurity risk assessments using recognized frameworks such as the NIST CSF and the CRI Profile. Both offer comprehensive, flexible approaches to managing cybersecurity risk that align with business objectives and regulatory expectations.
Chief risk officers (CROs) should implement comprehensive due diligence processes for all vendors, including regular security assessments and ongoing monitoring of third-party cybersecurity practices. Establishing clear contractual requirements around cybersecurity standards and incident reporting is vital to ensure vendors maintain robust defenses. Additionally, CROs should foster close collaboration between procurement, IT and risk management teams to identify and address potential vulnerabilities throughout the vendor lifecycle. Regularly updating risk assessments and incorporating third-party risks into the organization’s overall risk management strategy will further enhance resilience against evolving threats.
Regulators frequently cite the following as common characteristics of failed cybersecurity risk management plans:
- Incomplete risk assessments
- Outdated incident response plans
- Weak data encryption and monitoring
- Training gaps, especially around phishing and social engineering
- Over-reliance on SOC reports without proper scope or relevance checks
- Outdated and/or incomplete policies and procedures
CROs should ensure continuous improvement, stakeholder engagement and tailored training programs to establish strong risk management.
Cybersecurity best practices for boards of directors include:
- Oversee the covered entity’s cybersecurity risk management
- Maintain a sufficient understanding of cybersecurity risk and related matters to exercise that oversight
- Require management to develop, implement and maintain a robust cybersecurity program aligned with a comprehensive framework
- Receive regular updates about cybersecurity risks and the effectiveness of the organization’s cybersecurity program
- Foster a culture of cybersecurity and determine how management embeds cybersecurity risk into strategic decision making
- Ensure management has allocated sufficient resources to implement and maintain an effective cybersecurity program
- Understand the company’s organizational resilience expectations, capabilities and forward-looking enhancements
- Encourage management to seek independent assessments of program effectiveness
Don’t be the next to fall victim to cybercrime
A successful cyberattack can ground your operations, jeopardize the privacy of client information and invite regulatory scrutiny. In an industry built on trust and reliability, even a single breach may have lasting consequences. Customers expect that financial services organizations will deploy cybersecurity practices to keep their data safe and secure. Taking the proper precautions to protect sensitive data in your care is an essential component of not only running your business and upholding your reputation but is also part of your fiduciary duty in collecting that data.
Our team of cybersecurity specialists has decades of experience in the financial services industry combatting these challenges and identifying potential cybersecurity vulnerabilities before they can be exploited. Reach out to one of our cybersecurity specialists to learn how you can assess the maturity of your cybersecurity program and leverage industry leading practices and emerging technology to help mitigate risks.
References
[1] 2025 Verizon Data Breach Investigations Report, Verizon Business, April 25, 2025.
[2] The NAIC Insurance Data Security Model Law, National Association of Insurance Commissioners, August 2025.