The financial services sector has always operated at the intersection of high value and high risk. However, the landscape in 2025 presents unprecedented challenges. Financial institutions are navigating shifting sands, constantly adapting to increasingly sophisticated cyber threats while simultaneously facing a complex and tightening web of global regulations.

The convergence of advanced technologies like Artificial Intelligence (AI), persistent nation-state actors, intricate supply chains, and evolving regulatory expectations demands a fundamental shift in how cyber risk is managed – moving from a reactive posture to a proactive, integrated, and resilient strategy.

Financial institutions remain prime targets for cybercriminals for obvious reasons: they hold vast amounts of sensitive customer data and manage trillions of dollars in assets. But the nature of the threats is evolving dramatically. Gone are the days when a strong network perimeter was sufficient defense.

Today’s threats are multifaceted:  

  1. AI-Powered Attacks: Malicious actors are leveraging AI to enhance their capabilities, creating highly convincing deepfakes for social engineering and CEO fraud, developing evasive malware that bypasses traditional signature-based detection, and automating attacks at scale. Financial institutions must now defend against threats that learn and adapt. 
  2. Sophisticated Ransomware & Extortion: Ransomware attacks have evolved beyond simple encryption. Double and triple extortion tactics – involving data theft and threats of public release or denial-of-service attacks – are becoming commonplace, putting immense pressure on victims. The financial sector, with its critical operations, is a lucrative target.
  3. Supply Chain & Third-Party Vulnerabilities: Banks and financial institutions rely on a vast ecosystem of third-party vendors, from core banking platform providers to FinTech partners and cloud services. Each connection point represents a potential vulnerability, as attackers increasingly target weaker links in the supply chain to gain access to larger institutions.
  4. Cloud Security Risks: While cloud adoption offers flexibility and scalability, it also introduces new security challenges related to misconfigurations, inadequate access controls, API security, and ensuring consistent security policies across hybrid and multi-cloud environments.
  5. Nation-State Threats: Financial institutions are often caught in the crosshairs of geopolitical tensions. State-sponsored actors may target financial infrastructure for espionage, disruption, or economic warfare.

The Tightening Regulatory Net

Compounding these evolving threats is a rapidly changing regulatory environment. Regulators globally are placing increased emphasis on cybersecurity and operational resilience within the financial sector:

  • Increased Scrutiny & Disclosure: Regulations like the SEC’s cybersecurity rules in the US mandate stricter requirements for incident reporting, disclosure of material cyber events, and board oversight of cyber risk. Similar trends are emerging globally.
  • Operational Resilience Focus: Mandates like the EU’s Digital Operational Resilience Act (DORA) – impacting US firms with EU operations – demand robust frameworks for managing IT disruptions, ensuring business continuity, and rigorous third-party risk management.
  • Data Privacy Intersections: Stringent data privacy laws (GDPR, CCPA/CPRA, etc.) directly impact how financial institutions handle customer data, adding complexity to cybersecurity incident response and data breach notifications.
  • Focus on Governance: Regulators expect demonstrable proof of effective cybersecurity governance, including clear roles and responsibilities, regular risk assessments, and adequate resource allocation.

Moving Beyond Traditional Defenses: The Need for Integration

The sheer complexity and interconnectedness of these threats and regulations render traditional, siloed approaches to IT risk obsolete. Protecting a financial institution today requires breaking down barriers between cybersecurity, IT, risk management, compliance, legal, and even business operations.

A connected risk approach is essential. This involves:

  • Integrating Cyber Risk into ERM: Treating cyber risk not just as a technical issue, but as a core enterprise risk with strategic implications.
  • Data-Centric Security: Shifting focus from solely protecting the perimeter to protecting the data itself, wherever it resides.
  • Proactive Threat Intelligence: Actively hunting for threats and leveraging intelligence to anticipate attacks.
  • Robust Governance: Establishing clear policies, controls, and accountability structures for cyber risk management.
  • Resilience by Design: Building systems and processes designed to withstand and recover quickly from disruptions.
  • Cross-Functional Collaboration: Ensuring seamless communication and coordination between all relevant departments during both peacetime and crisis response.

Expert Insights at #RISK New York

Navigating these shifting sands requires deep expertise and strategic foresight. The upcoming #RISK New York conference (July 9-10, 2025, Fordham Law School) provides a crucial platform for financial institutions to gain these insights. A key session addressing these challenges head-on is:

“The Shifting Sands of Cyber Risk: Protecting Financial Institutions in an Era of Evolving Threats and Regulations” (Session Time: 2:45 PM - 3:15 PM)

This panel brings together two highly respected leaders to dissect the current landscape and offer practical guidance.

  • Michael Rasmussen: Renowned GRC Analyst & Pundit at GRC 20/20, often called the “Father of GRC,” providing strategic insights into the evolving risk and regulatory environment.
  • Anne Higgins: Global Head of Cybersecurity Control Services at BNY Mellon, offering invaluable real-world experience from the front lines of cybersecurity at a major global financial institution.

Attendees will gain actionable strategies for:

  • Understanding the specific cyber threats targeting financial services in 2025.
  • Navigating the complex web of US and global cybersecurity regulations.
  • Building a truly resilient cybersecurity posture.
  • Implementing effective governance and controls in an AI-driven world.
  • Fostering the cross-functional collaboration needed for success.

Conclusion: Building Resilience in Uncertain Times

The challenges facing financial institutions in managing IT and cyber risk are significant and constantly evolving. Success requires moving beyond traditional defenses, embracing a connected risk approach, fostering cross-functional collaboration, and staying informed about both emerging threats and regulatory expectations. Events like #RISK New York provide the essential forum for leaders to gain the knowledge and connections needed to protect their organizations and secure their digital future.

Register for #RISK New York to hear directly from Michael Rasmussen, Anne Higgins, and other leading experts.