Cyber security in banking: balancing innovation, regulation and risk in a high stakes setting

Few sectors take cyber security as seriously as banking does. Financial institutions sit at the intersection of highly sensitive customer data, increasingly sophisticated attackers, legacy infrastructure and some of the most demanding regulatory environments globally. The result is a sector that has, by necessity, developed a mature, confident and structured approach to cyber risk.

The regulatory-security intersection

Regulation has long been a driving force behind cyber security investment in banking. In the EU, the Digital Operational Resilience Act (DORA) has reshaped the landscape significantly, introducing mandatory incident reporting requirements and compelling institutions to strengthen resilience and minimise financial risk through proactive risk management. Many banks are still in the process of aligning their existing risk frameworks, sophisticated as they may be, with DORA's new standards.

Information sharing has emerged as a key priority under this regulatory environment. The more readily institutions share intelligence about incidents and attack methods, the better the sector's collective defences become. This collaborative mindset, once rare, is increasingly seen as essential. The shift matters all the more given the pace of innovation in the technology sector, which is giving threat actors access to tooling such as AI, and soon quantum computing: capabilities that current compliance frameworks do not yet fully address.

“Regulatory updates typically lag behind emerging threats by one to two years, meaning institutions often find themselves ahead of formal guidance.”

Cy Sturdivant, Principal, Forvis Mazars US

The relationship between regulation and security is not without tension, of course. Compliance can drive innovation, but it can also constrain it, demanding exhaustive sign-off processes and box-ticking at a time when the threat landscape is moving faster than ever. This creates a widening gap between regulatory expectations and the operational realities of cyber defence.

Sector-specific vulnerabilities and attack vectors

Banking presents a uniquely broad attack surface. Phishing, ransomware, CEO impersonation fraud and credential theft are among the most common attack types, and the sophistication of these campaigns continues to grow. In addition, unlike many industries, financial institutions must defend not only their own business IT infrastructure but also the consumer endpoints through which millions of customers interact with their services daily. This dual exposure increases both the complexity and the volume of potential vulnerabilities.

Legacy systems remain a persistent vulnerability. Migrating to cloud services while maintaining the stringent security requirements the sector demands is a complex, time-consuming process, and the transition period itself introduces new risks. Add to this the challenge of managing supply chains that may include thousands of third-party suppliers, often with inconsistent security maturity, and the scope of the problem becomes clear.

Penetration testing is a well-established practice in banking, but it has its limits. Testing can be conducted internally, but extending it to customer endpoints raises sensitivity concerns that make comprehensive testing difficult. This places a premium on customer education as a risk management strategy in its own right, since customers become an extension of the institution's security perimeter.

Emerging threats and technology challenges

For larger institutions in particular, the pressure to innovate is intense, and nowhere more so than around artificial intelligence (AI), which was reported as the number one external factor impacting financial institutions in 2026. AI is evolving quickly enough that even well-resourced banks are struggling to anticipate and prepare for emerging threats. Two-factor authentication, long considered a reliable safeguard, faces new vulnerabilities as the platforms that support it, including widely used email services, become targets in their own right. This erosion of trust in once-dependable controls is forcing institutions to reconsider long-established security assumptions.

Quantum computing presents a longer-term but significant concern, particularly for a sector that attracts some of the most sophisticated attacks in the world. The prospect of quantum-enabled password cracking throws the entire consumer authentication model into question. Preparing for a post-quantum environment is no longer an academic exercise but a strategic necessity.

Banks' response to AI has been cautious and deliberate. Implementation typically takes place within sandbox environments, and even relatively modest tools like Microsoft Copilot are only now being rolled out at several institutions. That said, the strategic potential is clear: AI applications for fraud detection, customer service and risk scoring are being actively explored, with several major technology providers developing purpose-built tooling for financial services customers. Yet, while much of the AI narrative focuses on escalating threats, there may be an unexpected advantage emerging from the conversation:

“Cyber professionals have been calling for better data governance for years. Now, with AI as a strategic priority for most large financial institutions, that data governance is being prioritised for the sake of that implementation, which creates cyber security gains, too.”

Zach Shelton, Principal, Forvis Mazars US

The agility problem

Banking's advanced cyber security maturity comes with a structural challenge: size. Large financial institutions are, by nature, complex and slow-moving organisations. Although the will to act quickly exists, pivoting in response to new threats can be difficult, because coordinating thousands of employees, multiple legacy systems and a dense regulatory environment slows decision making.

Digital transformation initiatives illustrate this tension. The pressure to deliver new features and online services quickly can lead to speed being prioritised over security controls. Budget decisions are rarely straightforward either, requiring constant balancing between innovation, growth and protection. Zero Trust architecture is widely recognised as the right direction of travel, offering strong protection by assuming no user or system is inherently trustworthy. But implementing it is a significant undertaking, and for many institutions it remains a work in progress. An additional challenge is the reliance on third-party platforms, which introduces further exposure when ongoing risk assessment is not consistently applied.


“Outsourcing a service does not mean outsourcing the accountability that comes with it and even for small financial institutions and community banks, who often rely on outsourced IT and managed service providers for their cyber security, there is a responsibility to customers to protect their data and their capital.”

Zach Shelton, Principal, Forvis Mazars US

The case for everyday security

Banking's medium-to-high cyber security maturity is no accident. It is the product of decades of regulatory pressure, hard-won experience and an acute awareness of what is at stake. What sets the most mature organisations apart is not just the technology they deploy but how strategically they integrate security into every layer of the business: with a proactive mindset rather than a reactive one, and with security built into processes from the outset rather than added later. The path forward lies in combining advanced technology, robust processes and continuous training, treating cyber security as an everyday discipline rather than a periodic initiative, especially as institutions explore new areas of innovation.


“As the pace of progress continues to increase, banks and other consumer financial institutions will have to balance innovation and security.”

Luis Reinoso, Director, Forvis Mazars, Spain

Frequently asked questions

How can our bank strengthen cyber resilience while meeting evolving regulatory demands?

Banks boost resilience by aligning risk frameworks with new rules, improving incident reporting and enhancing information sharing, while embedding security in daily operations to stay ahead of fast-changing threats.

What emerging technologies pose the greatest cyber risk to financial institutions?

AI and future quantum computing widen attack opportunities by weakening traditional authentication and accelerating threat capabilities, which demands stronger governance and continuous cyber security investment.

How should senior leaders balance innovation with essential cyber protection?

Leaders must prioritise secure design in transformation programmes, invest in modern architectures, maintain oversight of third-party providers and ensure rapid but safe delivery of new digital services.
