Cybersecurity in the financial sector was once viewed as a compliance-driven discipline. But as attackers have increasingly targeted institutions with sophisticated, persistent and often internally driven campaigns, it has become a strategic priority.

According to the Digital Universe Report H1 2025, financial services were the second most targeted industry globally, accounting for 19% of all observed cyberattacks. This reflects both the sector’s value to adversaries and the complexity of the digital ecosystems it now operates within.

Regulatory frameworks such as the FCA and PRA’s operational resilience rules, the EU’s Digital Operational Resilience Act (DORA) and NIS2 have strengthened baseline protections. However, the report’s findings demonstrate that regulation alone cannot deliver true cyber resilience. Institutions must adopt a strategic, risk-led approach that looks beyond compliance to understand real threats, behaviours and operational dependencies.

Tailored, Internal and Stealthier Threats

One of the most striking insights from the report is how targeted financial sector attacks have become. Industry-specific security risks now represent 32% of all incidents in the sector. This is an indication that adversaries are designing attacks using detailed knowledge of financial operations, from trading workflows to payment systems.

Internal activity is also a major concern. Suspicious internal activity accounts for 26% of detections across financial services, reflecting the frequency of compromised accounts, misused privileges and lateral movement. For a sector historically focused on defending the perimeter, this shift highlights the need for deeper visibility into user behaviour and identity-driven risks.

The wider threat landscape reveals adversaries are moving away from overt, signature-based attacks. In H1 2025, brute force activity made up 27% of global alerts, while vulnerability scanning accounted for 22% and known malicious indicators for 20%. Notably, direct malware payloads dropped to 0% of trending alerts, replaced by fileless techniques and living-off-the-land methods that bypass traditional defences.

For financial institutions, this is a challenge. Many compliance requirements still centre on endpoint protection, patching and malware controls. These will of course, remain important, but they cannot address threats that are increasingly behavioural, stealth-driven and identity-focused.

Operational Complexity

The financial sector’s cyber risk is intensified by its expanding operational footprint. Cloud adoption, open banking, digital identity models and extensive third-party ecosystems have all created new points of exposure. Financial services operate within a global digital infrastructure that is both vast and increasingly interconnected. This level of complexity cannot be effectively protected through compliance checklists alone.

Regulators are recognising these realities. DORA’s emphasis on ICT third-party risk, operational resilience testing and continuous oversight reflects the need for more proactive, intelligence-driven approaches. But DORA still only sets a minimum standard. True resilience requires institutions to move beyond regulatory expectations and embed cybersecurity into broader business strategy.

Strategic, Risk-Led Cybersecurity

A risk-led approach begins with understanding the threats that pose the greatest risk to operations and customers. Financial institutions remain priority targets for groups such as FIN7, TA505, Cobalt Group and various state-backed actors. Their tactics, such as credential harvesting, remote access tools, web-injection frameworks and lateral movement, are specifically designed to exploit the digital fabric of financial services.

This evolving threat profile puts identity and behaviour at the heart of cyber defence. With credential-driven and internal threats so prevalent, institutions must prioritise behavioural analytics, continuous authentication and zero-trust models that verify users and devices contextually rather than relying on static controls.

Strategic cyber resilience also needs to have continuous assurance. Traditional audits, annual testing and scheduled penetration exercises cannot keep pace with rapidly evolving threats. Leading institutions are shifting toward continuous control monitoring, automated attack simulation and persistent adversarial testing. These practices align with the Bank of England’s CBEST framework and demonstrate a sector-wide move toward ongoing, intelligence-led assurance.

Crucially, cyber risk must be treated as an operational issue, not just a technical one. Embedding cybersecurity into enterprise risk management, financial planning, product development and board oversight is essential. This integrated approach also mirrors the direction of FCA and PRA regulation, which increasingly emphasises governance, accountability, and resilience across the entire organisation.

Beyond Compliance

Financial services underpin national economies and public confidence. As digital ecosystems grow and adversaries become more sophisticated, the sector faces a dual challenge: meeting rising regulatory expectations while defending against complex, targeted attacks. It is clear that cybersecurity must evolve from compliance-driven activity to a strategic capability built on intelligence, continuous assurance and behavioural insight.

Institutions that embrace this risk-led model will be better positioned not just to meet regulatory requirements but to strengthen resilience, protect customers and uphold the trust that is so essential to the future of financial systems.

Learn more at obrela.com