Financial institutions are hot targets for cybercriminals. Today’s banking leaders must ensure their systems are secure, all employees are trained, and processes are up to date.
Why is cybersecurity a top concern for banks?
Financial institutions have become intensely appealing to threat actors and cybercriminals due to the large amounts of sensitive information and recurring high-value transactions they manage. The digital age has hastened this shift as it has fostered quick adoption of online banking, mobile apps, and cloud services for customers’ banking activities. While convenient, digital banking has expanded the attack surface for cybercriminals.
Ongoing technological innovation also works for the attacker: criminals now use automation and artificial intelligence (AI) to find targets, craft lures, and carry out intrusions faster and at greater scale. Because a single breach can mean massive financial losses, reputational damage, and regulatory penalties, defensive efforts must move at least as fast as the criminals' techniques.
Who is impacted by banking cybersecurity risks?
Cyber incidents affect more than just information technology (IT) teams. Today, stakeholders include customers, whose trust and data security are at stake; executives, who are responsible for governance and risk oversight; and regulators, who are charged with enforcing compliance and resilience standards. Third-party vendors are both affected by attacks and a frequent cause of them, since a compromised vendor can introduce vulnerabilities into an institution's systems.
What are the most common cyber threats banks face?
Cyberattacks are becoming increasingly sophisticated, and banks must be prepared to defend themselves against many types of cyber threats:
- Ransomware and double extortion: Criminals infiltrate systems and encrypt data so the bank cannot use it, demanding a ransom for the decryption key. In double extortion, they also steal copies of the data before encrypting it and threaten to publish it, so restoring from backup alone does not end the pressure.
- In 2025, 47% of financial services organizations reported experiencing a ransomware attack within the past 12 months, and 39% of those elected to pay a ransom.
- ATM and card processing attacks: Malware targets ATM networks or card authorization systems to covertly gain access to customers’ card information.
- This tactic can lead to fraudulent withdrawals, card cloning, and financial loss, which can erode customer trust.
- Wire transfer fraud via business email compromise: Attackers impersonate executives or vendors through spoofed or compromised email accounts to redirect large wire transfers to an attacker-controlled account, often by requesting a last-minute change to a payee's bank details.
- Banks processing high-value transactions daily are prime targets of this tactic.
- Core banking system vulnerabilities: Legacy systems (older or less advanced systems) often lack modern encryption, fine-grained access controls, and network segmentation, so accounts and services end up holding more privilege than they need.
- These weaknesses let an attacker who gains an initial foothold move laterally through the environment and read data meant for other roles, from entry-level staff to C-suite executives.
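One way to screen a payment-instruction email for the business email compromise signals described above, before it reaches accounts payable, is to check the sender domain against the vendors the bank actually pays, compare the Reply-To domain with the From domain, and look for a request to change bank details. The following is an added example written for this page, not code from the original article or from any PYA tool; the vendor allowlist, the homoglyph table, and the three sample messages are constructed for illustration.

```python
"""Screen incoming payment e-mails for business e-mail compromise (BEC) signals.

Three checks, each tied to a tactic described above:
  1. the sender domain is a lookalike of a known vendor domain
     (homoglyph swap such as 'I' for 'l', or a one- or two-character edit)
  2. the Reply-To domain differs from the From domain (replies diverted)
  3. the body asks for a change of beneficiary bank details
Vendor allowlist, homoglyph table and sample messages are constructed here.
"""
import re

# Assumption: accounts payable keeps a list of the domains its payees send from.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com", "northstar-legal.com"}

# Single-character substitutions attackers use because they look alike.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l"})


def normalize(domain: str) -> str:
    """Lower-case and collapse homoglyphs so lookalike domains compare equal."""
    d = domain.lower().translate(_HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squats like acme-supplies.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


_ANGLE_ADDR = re.compile(r"<([^>]+)>")


def domain_of(header: str) -> str:
    """Return the lower-cased domain of a 'Name <user@host>' or bare address."""
    m = _ANGLE_ADDR.search(header)
    addr = m.group(1) if m else header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def lookalike_of(domain: str):
    """Return the vendor domain this one imitates, or None if exact or unrelated."""
    if domain in KNOWN_VENDOR_DOMAINS:
        return None
    norm = normalize(domain)
    for vendor in KNOWN_VENDOR_DOMAINS:
        if edit_distance(norm, normalize(vendor)) <= 2:
            return vendor
    return None


# "new/updated/changed" within 40 characters of a banking term.
_BANK_CHANGE = re.compile(
    r"\b(new|updated?|changed?)\b.{0,40}?\b(bank|account|routing|iban|swift)\b",
    re.IGNORECASE | re.DOTALL,
)


def assess(msg: dict) -> dict:
    """Score one message; every reason is a human-readable string for the reviewer."""
    reasons = []
    from_dom = domain_of(msg["from"])
    vendor = lookalike_of(from_dom)
    if vendor:
        reasons.append(f"sender domain {from_dom} imitates vendor {vendor}")
    reply_to = msg.get("reply_to")
    if reply_to and domain_of(reply_to) != from_dom:
        reasons.append(f"reply-to domain {domain_of(reply_to)} differs from {from_dom}")
    if _BANK_CHANGE.search(msg["body"]):
        reasons.append("requests a change of beneficiary bank details")
    return {"subject": msg["subject"], "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample messages: one routine invoice, one vendor impersonation
# (capital I standing in for l), one executive impersonation from free-mail.
SAMPLE_MESSAGES = [
    {"from": "Acme Supplies Billing <billing@acme-supplies.com>", "subject": "Invoice 4471",
     "body": "Invoice 4471 is attached and due within 30 days on the usual terms."},
    {"from": "Acme Supplies Billing <billing@acme-suppIies.com>", "subject": "Invoice 4471 - payment update",
     "reply_to": "ap@acme-supplies-invoices.net",
     "body": "Please use our updated bank account for all future wire payments; details attached."},
    {"from": "Jane Doe, CEO <jdoe.firstbank@freemail.example>", "subject": "Urgent wire",
     "body": "I am tied up in meetings. Wire $250,000 today to the new account in the attachment and keep this confidential."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(assess(m))
```

None of these checks proves fraud on its own; the point is that a message hitting two or three of them should force an out-of-band callback to the vendor on a previously known number before any bank details are changed. A real deployment would also consult DMARC results and a maintained executive list, which this example does not.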
How are regulators responding?
Federal regulators are updating their cybersecurity expectations, which reflects a shift from traditional, transaction-based examinations toward a risk-based, ongoing compliance model that takes vendor ecosystems and technology dependencies seriously.
- Interagency guidance: The Office of the Comptroller of the Currency (OCC), a bureau of the U.S. Department of the Treasury, together with the Federal Deposit Insurance Corporation (FDIC) and the Federal Reserve, emphasizes third-party risk management and resilience testing. The agencies call on financial institutions to ensure that vendors and other third parties follow proper cybersecurity practices so that they do not become an easy target and "way in" for attackers.
- Framework transition: The Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT) was officially retired in August 2025. Financial institutions are now encouraged to adopt modern, risk-based frameworks such as the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework 2.0 (CSF) and the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals (CPGs).
Other agencies are establishing requirements for financial institutions to implement resilience planning, including recovery time objectives (RTO) and fallback capabilities during disruptions. An RTO is the maximum acceptable time a system can be down after an incident before the outage causes significant business loss. Financial institutions therefore need to measure how long their recovery actually takes and confirm that it fits within the RTO set for each service, rather than discovering the gap during a real attack.
What steps should banks take now?
Banks can take steps to prevent or manage a cyberattack by prioritizing many practices, including risk management, workforce awareness, governance and investment, privileged access management, and RTOs:
- Risk management: Secure the systems.
- Zero-trust architecture: Never trust; always verify. This practice assumes by default that no device is trusted. Every user, device, and connection must prove its identity every time access is requested.
- Multifactor authentication: Use multiple factors. Instead of relying on a single password, users must complete an additional authentication step with something they have or something they are before gaining access to the system.
- Penetration testing: Find internal weaknesses. Penetration testing is essentially “practice hacking” to help the bank find areas of weakness and patch them before an actual bad actor has the chance to exploit the weaknesses.
- Vendor management: Manage third-party risk. Banks rely heavily on external vendors, so they must evaluate each vendor’s cybersecurity controls, monitor ongoing risks, and ensure vendors remediate identified weaknesses promptly.
- Workforce awareness: Train often.
- Regular phishing (the practice of sending fraudulent emails) simulations and training on cybersecurity best practices for all employees reduces the likelihood of an employee clicking on a phishing email, which can create a digital opening for an attacker.
- Governance and investment: Get the C-suite involved.
- Elevate cybersecurity oversight to the managerial/executive level and invest in AI-driven defense tools.
- Privileged access management: Be selective.
- Apply the principle of least privilege to prevent unauthorized entry into loan origination and deposit systems. This practice limits each user's rights within the network, so employees access only what they need to perform their duties and nothing more.
- RTO for critical services: Know your recovery time.
- Define, for each critical service, the amount of time it can be down before detrimental harm is done to the business, and verify through recovery drills that the service can actually be restored within that window.
- Backups: Keep restorable copies.
- Maintain offline backups in secure locations and manual fallback procedures for essential operations. Test restores regularly, not just the backup jobs, to confirm that critical data can actually be recovered intact when needed.
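The RTO and backup items above, and the resilience expectations under "How are regulators responding?", come together in a restore drill: back up with a file-hash manifest, restore to a clean location, verify every file, and time the whole thing against the RTO. The following is an added example written for this page, not code from the original article or from any PYA tool; the sample files, the simulated tampering, and the RTO values are constructed for illustration.

```python
"""Restore drill: back up a directory with a SHA-256 manifest, restore it to a
fresh location, verify every file against the manifest, and compare the time
the restore took with the service's recovery time objective (RTO).

The files, the tampering and the RTO values are constructed for this example.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large ledgers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, backup_dir: Path) -> Path:
    """Copy `source` into the backup and record a hash of every file alongside it."""
    shutil.copytree(source, backup_dir / "data")
    manifest = {
        p.relative_to(source).as_posix(): sha256_file(p)
        for p in sorted(source.rglob("*")) if p.is_file()
    }
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return backup_dir


def restore_and_verify(backup_dir: Path, target: Path) -> dict:
    """Restore into `target`, then check each manifest entry is present and intact."""
    start = time.perf_counter()
    shutil.copytree(backup_dir / "data", target)
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    problems = []
    for rel, expected in manifest.items():
        restored = target / rel
        if not restored.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(restored) != expected:
            problems.append(f"hash mismatch: {rel}")
    return {"files": len(manifest), "problems": problems,
            "elapsed_s": time.perf_counter() - start}


def run_drill(rto_seconds: float, tamper: bool = False) -> dict:
    """End-to-end drill on constructed data. `tamper` corrupts the backup copy
    to show that the manifest catches a restore that would silently be wrong."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "core"
        (source / "ledger").mkdir(parents=True)
        (source / "accounts.csv").write_text("acct,balance\n1001,250.00\n1002,9800.50\n")
        (source / "ledger" / "2025-01.log").write_text("2025-01-31 close ok\n")
        backup = create_backup(source, root / "backup")
        if tamper:  # simulate corrupted or altered backup media
            (backup / "data" / "accounts.csv").write_text("acct,balance\n1001,0.00\n")
        result = restore_and_verify(backup, root / "restored")
        result["rto_seconds"] = rto_seconds
        result["within_rto"] = result["elapsed_s"] <= rto_seconds
        result["passed"] = not result["problems"] and result["within_rto"]
        return result


if __name__ == "__main__":
    print(run_drill(rto_seconds=60))
    print(run_drill(rto_seconds=60, tamper=True))
```

The manifest must be stored with the offline copy and protected like the backup itself; a hash list kept only on the production system is lost in the same incident that destroys the data. The drill's value is the measured `elapsed_s` on realistic data volumes, which is the number to compare with the RTO agreed with the business.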
What is the outlook?
Cybercrime cost $10.5 trillion in 2025, making it a major global risk, and is projected to reach $12.2 trillion annually by 2031. Financial services remain one of the most targeted sectors. Attackers are leaning into AI-driven attacks and automated phishing, making attacks harder to identify and response windows tighter than ever before. At the same time, banks are expanding their reliance on third-party partnerships and cloud providers, creating a broader attack surface and more complex vendor oversight requirements.
With a broadened attack surface, every employee must constantly be mindful of cyber risk. Financial institutions that build safeguards into their data systems; train and practice often; know their recovery times; and maintain tested backups and up-to-date cybersecurity policies are far better equipped to withstand today's sophisticated cyber tactics.
PYA Can Help
We partner with financial institutions to assess cybersecurity risks, conduct IT audits, implement best practices, and meet regulatory requirements. Our team provides IT risk advisory services aligned with frameworks and guidance from NIST (CSF 2.0), CISA (Cybersecurity Performance Goals), the AICPA, and the SANS Institute.
References
OCC 2025 Report – https://www.occ.gov/publications-and-resources/publications/cybersecurity-and-financial-system-resilience/files/2025-cybersecurity-report.html
FFIEC Guidance – https://www.ffiec.gov/sites/default/files/media/press-releases/2024/cat-sunset-statement-ffiec-letterhead.pdf
Federal Reserve Guidance – https://www.federalreserve.gov/frrs/guidance/interagency-guidance-on-third-party-relationships.htm
Cybersecurity Ventures – https://cybersecurityventures.com/official-cybercrime-report-2025/
FDIC Guidance – https://www.fdic.gov/news/financial-institution-letters/2023/fil23029.html
McGrathNicol Financial Services Snapshot – https://a.storyblok.com/f/186891/x/6d554c3f6c/mcgrathnicol-report-financial-services-2025.pdf
Informatics – https://informatics.systems/cyber-threat-intelligence-services/financial-sector-cyber-threat-intelligence-2026/