Cybersecurity in financial services is being reshaped by a broader attack surface, faster exploitation cycles, and the growing use of Artificial Intelligence by attackers. Five years ago, many organisations relied mainly on on-premises systems with tighter entry points. Now, software-as-a-service, public cloud, and mobile workforces have expanded vulnerabilities significantly. Identity-based attacks have surged to represent 70% of all incidents, with the remaining 30% predominantly involving vulnerability exploitation. Vulnerabilities that once took 30-90 days to exploit are now weaponised within hours, increasing pressure on security teams to detect and respond faster.
Financial institutions are also trying to support Artificial Intelligence adoption without weakening compliance and security. 46% of organisations struggle to ensure security and compliance while implementing Artificial Intelligence initiatives. One leading European bank has introduced a dual governance model, combining a compliance-focused control tower with technical squads that include an Artificial Intelligence red team. That structure is designed to address regulation, legal concerns, ethical use, and the unpredictable behaviour of non-deterministic models. The threat environment is worsening as approximately 80% of phishing emails now leverage Artificial Intelligence, resulting in a 50% increase in click rates due to improved communication quality. At the same time, Artificial Intelligence-generated malware is reducing barriers for attackers and helping automate more of the attack chain.
Security leaders continue to stress that core controls remain the most effective defense. One international business is managing 380 different generative Artificial Intelligence solutions, highlighting the challenge of enabling experimentation while maintaining oversight. The priority remains strong identity management, broad multi-factor authentication coverage, rapid patching, and network segmentation. These controls prevent 90% of attacks, leaving only the most determined nation-state actors as outliers. Recommended priorities also include visibility into where Artificial Intelligence is deployed, risk-based governance aligned to frameworks such as the NIST Artificial Intelligence Risk Management Framework, tighter data governance around generative Artificial Intelligence tools, and exposure management focused on publicly exposed and actively exploited vulnerabilities.
Quantum computing is emerging as a strategic cyber risk because viable systems could undermine current encryption, certificates, and digital signatures. MIT and Stanford research now suggests three-plus years as a realistic timeframe. One leading European bank has mapped out a migration roadmap:
2026: Vendor assessment for post-quantum cryptography capabilities
2027-2028: Theorisation, software preparation, and migration planning
2029-2031: Active migration of critical systems
Risk authorities including NIST, NCSC, FCA, and WEF agree that critical systems should be quantum-safe by 2031, with complete migration by 2035. The investment response centers on human capital, operational resilience, and continuous testing, with greater emphasis on recovery and business continuity as incidents become inevitable.