April 17, 2023 By Jonathan Reed 4 min read

Financial service companies are undergoing a near-continuous digital transformation. As the competition heats up, banks must implement cutting-edge technologies to improve operations and enhance the customer experience. But this shift toward modernization comes with conditions, such as an increased focus on security.

Since the beginning of the Russia-Ukraine conflict, the banking sector has faced an 81% surge in cyberattacks. Nevertheless, financial companies in the UK have demonstrated a high level of confidence in their ability to handle these risks, per a report from Bridewell. According to the study, a surprising 94% of all financial firms surveyed expressed confidence in their ability to fend off attacks.

Given the aggressive threat landscape, what’s behind such a high level of confidence?

Optimism based on performance

The financial sector appears to be the most optimistic when it comes to its security measures, according to Bridewell. The vast majority of the industry’s decision-makers express a sense of confidence. This self-assurance is not without reason, as the industry outperforms all other UK CNI (Critical National Infrastructure) sectors in detecting and addressing threats.

According to the report, financial service companies take an average of 13 days to identify a potential threat. The second-best-performing sector, communications, takes twice as long at 28 days. Compared with other CNI sectors during the past year, financial firms also experienced the lowest increase in successful attack volume. The report also points out that UK cybersecurity incidents in the financial sector climbed 52% year-on-year to 116 in 2021.

Cyber warfare risk vs. worry

Compared to other CNI sectors, UK financial firms don’t worry as much about the cyber risk associated with real-world military conflict. For example, 93% of transport and aviation companies are concerned about the threat of cyber warfare. Meanwhile, 80% of government entities also worry about attacks related to war. But only 76% of financial services are worried about the cyber war threat.

This is understandable: the stakes are higher for transportation, and attackers frequently target government offices. But financial companies witnessed the second-largest rise in cyberattacks since the war in Ukraine broke out, at 81%. Still, the banks remain confident.

Which risks are most concerning

Despite overall confidence levels, the UK financial sector is acutely aware of the risks. The top security concerns for financial firms named in the Bridewell report include the following:

  • Malware (40%)
  • Phishing and ransomware (tied at 33%)
  • Data theft or misuse (30%)
  • Business email compromise or BEC (27%)

Cloud security issues and banking

With financial services companies increasingly adopting the cloud, worry over cloud security has also risen. As per Bridewell, research published by the Bank of England shows banking institutions are increasingly dependent on Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) products. Also, the Cloud Security Alliance found that nine out of 10 financial services organizations were using cloud services in 2020 or planned to use them in the next six to nine months.

Despite concerns about cloud security, financial companies use cloud infrastructure for highly sensitive and restricted workloads. Nearly a fifth of such workloads operate in the cloud. While this allows for improved operational agility, it also introduces new risks compared to traditional IT infrastructure.

Unsurprisingly, 46% of respondents in the financial services sector identify cloud services as the top attack route. Meanwhile, remote employees (39%) and insecure VPNs (37%) are also at the top of the sector’s security concerns.

Are the banks spending more?

You might guess that the financial sector spends more on security than other sectors. Could this explain the high level of confidence in their security? Amazingly, the report shows that companies in this industry actually spend the least on cybersecurity, at 32% of their IT budget.

Comparatively, financial services companies are not expected to increase that expenditure more than other sectors. This year, financial companies expect to boost their cybersecurity budget by an average of 22%. This is only half a percentage point away from the cross-sector average.

The authors of the Bridewell report speculate that financial companies take an intelligent, priority-driven approach to security. Also, banks understand how to invest in cybersecurity to achieve superior results.

Another explanation could be that the sector invested heavily in digital security years ago ahead of other industries. Lesley Ritter, VP and senior analyst at Moody’s, said, “They have been dealing with cyber threats for well over a decade while at the same time being quick adopters of digital technology, which has the potential of making them more vulnerable. This heightened awareness translates into the banking sector standing out relative to other industries in terms of investment in cybersecurity, ability to attract scarce cyber talent and broad adoption of risk mitigation practices.”

Confident teams

The results of Bridewell’s survey reinforce the idea that the financial sector recruits (and protects) quality talent for key cybersecurity positions. The report states that staff in the banking industry are far less worried about losing their jobs due to a cyberattack. Only 68% worry about their job security in the event of an attack. Meanwhile, 96% of employees in communications companies fear losing their jobs if an attack occurs.

The right attitude

According to Bridewell, the financial sector has demonstrated an advanced level of readiness and resilience to face the complex world of cyber threats. The report says, “It is notable that the primary pressure to improve cybersecurity in the financial sector comes not from customers, but from the business itself. This suggests that managers are attuned to these threats and engaged in mitigating them.”

This means banks take a fully proactive stance when it comes to security. Instead of waiting for incidents to happen, the financial sector appears to study the terrain and seek adequate solutions beforehand. Undoubtedly, the stakes in sectors such as transportation are higher. The risk to human safety is a crucial consideration. But banking businesses are built on trust. If customers lose that trust, they will take their money elsewhere. It appears that the financial services sector realized early on that strong security is essential to a successful business strategy.
