Cybersecurity in the financial services industry: Debunking quick fixes and investing in what really works  | Baker Tilly

Have questions about the Moss Adams combination? We're here to help. Submit your inquiry.

Loading...

Cybersecurity in the financial services industry: Debunking quick fixes and investing in what really works  | Baker Tilly

What are the most pressing cybersecurity threats facing financial institutions in 2025?

The most pressing cybersecurity threats facing financial services organizations include increasingly sophisticated ransomware attacks that target core banking systems and sensitive customer data, resulting in potentially severe financial and reputational harm. Phishing and social engineering remain widespread, with attackers exploiting both employees and customers to gain unauthorized access to confidential information. Supply chain vulnerabilities are also a major concern, as cybercriminals focus on third-party vendors to infiltrate financial networks. Some of the more interesting statistics our speakers noted from the 2025 Verizon Data Breach Investigations Report [1] included the following:

17% of breaches were espionage motivated
20% of breaches involved exploitation of vulnerabilities (34% increase from prior year)
22% featured attacks on virtual private networks (VPNs) and edge devices (up 8x from prior year)
30% of breaches involved vendors (double from prior year)
44% featured ransomware (up from 32% the prior year)
60% of breaches involved human errors or social engineering
95% of breaches include the server as the most common asset

The integration of emerging technologies like artificial intelligence (AI) expands financial services organization’s attack surface, requiring vigilant monitoring and adaptation to evolving risks. These trends underscore the need for proactive threat detection, vendor oversight and employee training.

How should technology risk functions evaluate cybersecurity risk across IT domains?

Effective evaluation of cybersecurity risk across various information technology (IT) domains requires a structured approach, collaboration with stakeholders and continuous adaptation to evolving threats.

Key areas to map IT domains to enterprise risk include:

Cybersecurity: Cybersecurity is fundamental to the protection of information assets and the overall integrity of an organization’s technology environment. Key risk-related areas include:

Threat detection: Proactively identifying and monitoring for potential security threats is crucial to preventing breaches before they escalate
Incident response: Establishing a well-defined incident response plan enables organizations to react promptly to security incidents
Security awareness: Educating employees and users about cybersecurity threats and best practices reduces the risk of human error, the leading cause of security incidents

Data and privacy: Data and privacy risks have grown exponentially with the increasing volume and sensitivity of information financial services organizations handle. Key considerations include:

Governance: Implementing robust data governance frameworks to ensure data is managed, protected and used responsibly
Consent: Collecting and managing user consent transparently is essential for compliance with privacy regulations
Compliance: Adhering to legal and regulatory requirements mitigates the risk of legal penalties and reputational harm

Business continuity: Business continuity focuses on maintaining critical operations during and after disruptive events. The main risk areas are:

Resilience: Designing systems and processes to withstand disruptions ensures ongoing service delivery and operational stability
Backups: Regularly backing up data and systems minimizes data loss and accelerates recovery after incidents
Recovery testing: Periodic testing of recovery plans validates their effectiveness and prepares teams for real-world events

Third-party and SaaS: Reliance on third-party vendors and software as a service (SaaS) providers introduces unique risks, including:

Vendor risk: Assessing and monitoring vendor security postures helps prevent cybersecurity events from propagating at or through third parties
Cloud oversight: Ensuring proper management and oversight of cloud services mitigates risks related to data breaches, misconfigurations and service outages.

AI and agent deployment: The integration of artificial intelligence (AI) and autonomous agents brings new risk dimensions:

Governance: Establishing clear governance structures for AI systems ensures accountability, transparency and alignment with organizational values
Algorithm risk: Evaluating and managing risks associated with algorithmic bias, errors and unintended consequences protects against operational and reputational damage
Human-in-the-loop controls: Maintaining human oversight over critical AI decisions helps balance automation with ethical and safe outcomes

Identify and access management (IAM): IAM is vital for controlling user access to systems and data. Key risk management practices include:

Authentication: Implementing strong authentication mechanisms (e.g., multifactor authentication) reduces the risk of unauthorized access
Access reviews: Regularly reviewing user access ensures only authorized individuals have the necessary permissions, limiting potential insider threats
Privileged account management: Securing and monitoring privileged accounts helps prevent misuse and limits the impact of credential compromise

Cloud posture: As organizations increasingly rely on cloud infrastructure, managing its security posture is essential:

Infrastructure security: Protecting cloud infrastructure against threats such as misconfigurations, vulnerabilities and unauthorized access is paramount
Configuration governance: Establishing and enforcing configuration standards and policies ensures that cloud environments remain secure and compliant

What regulatory frameworks should risk functions at an insurance organization prioritize in the future?

The NAIC Insurance Data Security Model Law requires:

Cybersecurity program: Establish and maintain a comprehensive risk-based information security program supported by policies and procedures designed to identify information assets, protect those assets and respond to cybersecurity events in a timely manner
Incident response plans: Create a detailed incident response plan to manage cybersecurity events
Investigation: Conduct a prompt investigation into any cybersecurity event that occurs
Oversight: Implement management-level oversight, ongoing monitoring and regular reporting on the program’s effectiveness
Third-party vendors: Establish requirements for the security of third-party service providers that handle nonpublic information
Breach notifications: Notify the state insurance commissioner and affected customers in the event of a data breach

Please keep in mind that this list is a summary of the NAIC Insurance Data Security Model Law [2], not a comprehensive mapping of the entire regulation.

For New York-based financial services organizations, refer to our New York State Department of Financial Services (NYS DFS) cybersecurity rules compliance guide.

What regulatory frameworks should risk functions at financial institutions, banks and credit unions prioritize in the future?

The Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) requires:

Strong internal controls: Requires banks to establish and maintain effective internal control systems covering all operational areas, including IT
Focus on risk management: Emphasizes identification, assessment and mitigation of risks to ensure safety and soundness
Cybersecurity implications: While not prescribing specific cyber controls, FDICIA sets the foundation for robust IT general controls requirements

The Gramm Leach Bliley Act (GLBA) requires:

Risk assessment: Requires banks to perform thorough risk assessments, preferably asset-based, covering internal and external threats to customer data
Information security program: Banks must develop and maintain a comprehensive, written information security program tailored to their risk profile
Access controls: Mandates controls to restrict access to customer information to authorized individuals only
Monitoring and testing: Requires ongoing monitoring, testing and evaluation of the effectiveness of security controls

What cybersecurity frameworks are most widely adopted now?

FFIEC CAT tool retirement: The FFIEC Cybersecurity Assessment Tool (CAT) has been officially retired and is no longer supported for regulatory examinations. However, the NCUA still uses the Automated Cybersecurity Examination Tool (ACET), which is based off the CAT Tool.
Transition to NIST CSF and CRI: Many financial institutions are adopting the NIST Cybersecurity Framework (CSF) and the Cybersecurity Risk Institute (CRI) framework as the primary standards for cybersecurity risk assessments.

Although FFIEC CAT is retired, regulators expect institutions to maintain robust cybersecurity risk assessments using recognized frameworks like NIST CSF and CRI. Both frameworks offer comprehensive, flexible approaches to managing cybersecurity risks aligned with business objectives and regulatory expectations.

How can CROs strengthen third-party risk management?

CROs should implement comprehensive due diligence processes for all vendors, including regular security assessments and ongoing monitoring of third-party cybersecurity practices. Establishing clear contractual requirements around cybersecurity standards and incident reporting is vital to ensure vendors maintain robust defenses. Additionally, CROs should foster close collaboration between procurement, IT and risk management teams to identify and address potential vulnerabilities throughout the vendor lifecycle. Regularly updating risk assessments and incorporating third-party risks into the organization’s overall risk management strategy will further enhance resilience against evolving threats.

What are common cybersecurity audit and regulatory findings?

Regulators frequently cite the following as common characteristics of failed cybersecurity risk management plans:

Incomplete risk assessments
Outdated incident response plans
Weak data encryption and monitoring
Training gaps, especially around phishing and social engineering
Over-reliance on SOC reports without proper scope or relevance checks
Outdated and/or incomplete policies and procedures

CROs should ensure continuous improvement, stakeholder engagement and tailored training programs to establish strong risk management.

What should boards expect from CROs on cybersecurity oversight?

Cybersecurity best practices for boards of directors include:

Oversight of the covered entity’s cybersecurity risk management
Sufficient understanding of cybersecurity risk and related matters to exercise such oversight
Require management to develop, implement and maintain a robust cybersecurity program aligned with a comprehensive framework.
Receive regular updates about cybersecurity risks and the effectiveness of the organization’s cybersecurity program
Foster a culture of cybersecurity and determine how management embeds cybersecurity risk into strategic decision making
Ensure management has allocated sufficient resources to implement and maintain an effective cybersecurity program
Understand the company’s organizational resilience expectations, capabilities and forward-looking enhancements
Encourage management to seek independent assessments of program effectiveness