Cybercriminals have been targeting critical infrastructure industries, and the financial services sector in particular is confronted with a growing wave of cyberthreats. Financial services firms store highly valuable data and information, making the industry an appealing target for cybercriminals. Earlier this year, Contrast Security released its 2025 Modern Heist Bank Report, revealing that 64% of the sector's respondents reported cybersecurity incidents within the past 12 months, highlighting the urgent need for enhanced cybersecurity measures and proactive risk management.
In 2024, ransomware strains used by the BianLian and Play groups were deployed against the financial services industry. In an RSAC 2025 Conference presentation, Uri Rivner, CEO and Co-Founder at Refine Intelligence, and Elena Michaeli, Global Marketplace Fraud Risk Intelligence and Business Strategy at Neurofraud Consulting, LLC, discussed the tricky nature of scams in the banking and financial sector. Rivner stated, "Cybercriminals use AI tools such as social engineering tactics, spoofing calls, and fake websites to gain access to financial information."
As Rivner stated, fraudsters manipulate victims into willingly initiating or authorizing transactions through deceitful tactics, as opposed to Account Take Over (ATO) attacks. These fraudsters play the long game, much like romance scams, building a relationship of trust with the victim to gain access to their finances.
This makes it difficult for financial institutions to prevent these scams because the transaction is "real" and authorized by the manipulated victim using their own device, so the usual signals of account compromise are absent. As a result, organizations struggle to detect such threats. Unfortunately, as Rivner explained, "Customers are the ones who move their money into the hands of criminals."
Financial institutions have also observed a significant increase in the scale and sophistication of phishing attacks. Attackers further target the supply chain of a financial institution, because it is often easier to infiltrate the networks and systems of third-party vendors, which can then be used to gain unauthorized access to customers' financial information and data.
The Impact of Regulatory Compliance
EU Regulations
Financial firms are using AI in a variety of ways to improve operations, enhance the customer experience, mitigate risks, and detect fraud, but using AI tools also comes with risks. That is why in January 2025 the European Union enacted its Digital Operational Resilience Act (DORA) as a means of ensuring that the financial industry and its third-party information and communication technology (ICT) service providers are adequately defended against cyberattacks.
Kim Nguyen, SVP, Innovations at Bundesdruckerei GmbH, explained in an RSAC 2025 Conference presentation that the European Union (EU) AI Act, established in 2024, is critical for organizations to comply with, as it is a binding law that regulates the use of AI systems according to four risk categories:
1. Unacceptable Risk: All AI systems considered a clear threat to the safety, livelihoods and rights of people are banned.
2. High Risk: Subject to strict obligations before they can be put on the market.
3. Limited Risk: Permitted with transparency requirements.
4. Minimal Risk: Permitted in compliance with applicable law.
Another panelist, Christian Schlaeger, CEO at Build38, shared insights from a recent study his company conducted on 200 banking apps in Europe: 70% had ineffective protection tools, 20% had no protection at all, and only 10% had ample protection. These statistics are concerning and show why it is crucial for the financial industry to comply with industry standards and regulations.
While these regulations are established in Europe, they also affect US organizations that offer financial services within the EU or provide third-party services to EU financial services companies. Following these regulations is critical, even where they are not mandatory for a given organization.
Accountability and Governance
While the EU AI Act focuses on systems, the General Data Protection Regulation (GDPR) focuses on the processing of individual data, as Valerie Lyons, Chief Operations, Senior Privacy Specialist at BH Consulting, explained in her RSAC 2024 Conference presentation. GDPR helps organizations be accountable and governed, but this model has a weakness: accountability relies on organizations assessing the risks that they themselves create.
To address this challenge, Lyons highlighted the following strategies for organizations to be accountable and governed:
- The European Data Protection Supervisor (EDPS) has pointed to important international standards, such as those from the International Organization for Standardization (ISO) and NIST, for cyber, privacy, and AI governance risk management.
- Follow ethical guidelines and codes for AI development.
- Develop employee usage policies and assess compliance.
- Include human rights, ethics, and fairness in GDPR impact assessments.
Cloud Security Compliance
Financial institutions are increasingly using public cloud security providers, and as they move more data to the cloud, they need strong governance. It is especially important to protect the cryptographic keys that are essential for securing financial data.
In an RSAC 2025 webcast, Smita Mahapatra, Senior Security Industry Specialist at Amazon, explained how financial services firms can handle cryptography and encryption keys in the cloud. Mahapatra stated that financial organizations are responsible for ensuring that they use only X9-approved key management methods (X9 is an accredited standards committee for the financial sector) to help reduce risks and threats. Another speaker, Jeff Stapleton, Executive Director of Cybersecurity Research at Wells Fargo and Chair of the X9F4 Cybersecurity and Cryptography Workgroup, briefly discussed ISO/TC 68, which has several subcommittees that develop and maintain standards for the financial and banking services industries. Both encouraged the financial industry to follow these standards.
While regulations and industry standards are always changing, the financial sector should follow the frameworks, regulations, and other critical policies and standards above to ensure good governance and compliance. This proactive approach helps mitigate risks, protect customer data, and build trust in an increasingly digital world.