Jason Davies, Jun 19, 2026, 11:39:12 AM, 7 min read

How Cyber Risk is Threatening Financial Services

As long ago as 2016, the FCA was warning financial services firms about the dangers of cyber risk. In a speech delivered at the FT Cyber Security Summit, Nausicaa Delfas, then Director of Specialist Supervision at the FCA and now Chief Executive Officer of the Pensions Regulator, highlighted the importance of a ‘security culture’ in firms of all sizes, covering not just technology but people and processes too.

Ten years on, and the UK financial sector is under ever-increasing pressure from cyber threats that are not only becoming more sophisticated and more frequent but also more financially damaging. Cyber risk is now recognised as a serious commercial and operational concern that affects profitability, business stability, customer confidence and regulatory compliance.

As banks, insurers, investment firms and fintech organisations become ever more reliant on interconnected technological systems, they’re now under pressure not only to strengthen their cyber defences and prevent breaches, but also to understand how cyber risk can impact their organisations and to prepare to recover from such disruptions.

The implications

According to the ACCA (Association of Chartered Certified Accountants), the UK is one of the most attractive targets for cyber criminals precisely because of the scale and success of its financial sector. Large volumes of high-value, sensitive data, payment infrastructure and digital transactions make it enticing for criminals seeking to maximise both disruption and financial gain, and attackers are employing increasingly sophisticated methods to disrupt operations and exploit vulnerabilities.

The Government estimates that the annual cost to UK businesses from cyber attacks was £14.7 billion last year, and that events involving intellectual property and knowledge asset theft cost the UK up to £8.5 billion in 2024. These figures do not factor in reputational damage, technical disruption, operational downtime, remediation costs, legal liabilities, customer concern or regulatory scrutiny, which together make the true impact an increasingly pressing issue.

Cyber attacks, increasingly augmented by AI, now encompass ransomware, phishing, data and identity theft, extortion and social engineering for financial gain, and when they succeed, they place financial institutions under intense pressure. The results can include trading system downtime and digital banking or payments outages, which can cause substantial financial losses and widespread disruption for customers and commercial partners.

This is particularly concerning given the sector’s increasing reliance on interconnected digital ecosystems: third-party suppliers, cloud technology, payment networks and digital supply chains, all of which widen the attack surface. If one partner has a weakness, the effects of an attack can quickly cascade through multiple organisations, causing even more widespread disruption.

The importance of operational resilience

Operational resilience has become a priority for both regulators and financial services organisations, with the FCA issuing guidelines in its handbook to ensure firms can continue to deliver critical services during disruption. The regulator has consistently stressed that firms should assume cyber attacks will happen to them and focus on their ability to detect, respond and recover, with an emphasis on maintaining operations during any period of disruption.

The FCA has also highlighted the problem of poor perimeter security and basic hygiene, such as a lack of employee awareness, inadequate patch management and outdated systems, which allow cyber criminals to exploit operational weaknesses, particularly as attackers increasingly make use of advanced frontier AI models.

The consequences of a major cyber disruption can be severe and may include:

  • Disruption to services
  • Loss of revenue
  • Regulatory fines and enforcement action
  • Increased cyber insurance premiums
  • Compensation claims from affected customers
  • Loss of customer confidence
  • Legal expenses and litigation costs
  • Share price volatility
  • Long-term reputational damage
  • Increased remediation and recovery costs.

Effective operational resilience is essential for financial services organisations operating in a trust-dependent environment, where reputational damage can undermine confidence and persist long after the original incident.

The impact of AI threats

AI is forcing financial organisations to rethink how they defend themselves against cyber crime. While at least 85% of financial firms already use AI for legitimate purposes such as fraud detection, monitoring suspicious activity and improving threat intelligence, its adoption by criminals has led to a greater number of automated attacks, more convincing scams and increasing malicious activity.

Emerging threats now include:

  • AI-generated phishing campaigns
  • Deepfake voice impersonation scams
  • Synthetic identity fraud
  • Automated password attacks
  • Automated credential theft
  • AI-assisted reconnaissance and vulnerability discovery.

The IMF has recently warned that AI-enabled cyber crime is one of the biggest drivers of future financial stability risk, and financial institutions face a severe challenge in balancing innovation with governance. The FCA has recently signalled that it does not intend to introduce AI-specific regulation; rather, it will rely on existing frameworks, which it says mitigate many of the risks associated with the technology and help firms manage AI-based risks through existing operational resilience, consumer protection and accountability requirements. However, as the scale, pace and sophistication of cyber attacks increase, it is becoming harder for firms to detect and contain threats before significant damage occurs.

Embedding cyber risk

Organisations must now find a way to embed cyber security into their enterprise risk management, as traditional methods that treat it as a standalone technology issue are no longer sufficient.

Cyber exposure impacts many other areas of business risk management, including:

  • Financial stability
  • Operational continuity
  • Regulatory compliance
  • Third-party dependency
  • Corporate reputation
  • Customer perception
  • Strategic planning.

Consequently, financial services firms are increasingly incorporating cyber risk considerations directly into enterprise-wide risk management and financial planning frameworks.

This means that boards and executive teams must prioritise:

  • The potential financial impact of cyber incidents
  • Capital allocation for resilience initiatives
  • The adequacy of cyber insurance protection and any coverage gaps
  • Recovery capabilities during prolonged disruption
  • Dependencies on external suppliers and outsourced services
  • Stress testing and scenario planning outcomes
  • Business continuity planning and recovery capabilities.

The FCA has emphasised that organisations themselves are accountable for cyber resilience and cannot transfer responsibility to outsourced providers or third-party technology partners. However, by embedding cyber risk into their broader governance structures and planning frameworks, organisations are better placed to make more informed decisions about investment, planning, and operational strategy to strengthen their long-term resilience.

Strengthening organisational resilience

It takes an organisation-wide approach to build resilience against cyber threats, not simply investment in and deployment of new technology. The FCA has repeatedly emphasised the need for ‘good cyber hygiene, a good security culture and good governance’ in organisations of all sizes and across leadership teams, operations, technology and workforce planning.

Financial firms in the UK are increasingly focusing on key areas such as:

Executive accountability – boards and senior leadership teams should take a more active role and must be clearly accountable for overseeing cyber preparedness, exposure, governance, risk strategies, and resilience planning.

Scenario planning – firms should conduct cyber scenario planning exercises to understand the impact of cyber incidents on financial performance, operations, and liquidity.

Third-party risks – as reliance on third parties increases, their management becomes increasingly important to avoid exposure. Firms should conduct robust due diligence, strengthen their oversight, and continuously monitor their external technology providers and digital infrastructure partners.

Employee awareness – one of the most common causes of security breaches is human error, especially involving phishing and credential theft. Staff training is therefore one of the most important and effective methods of defence, although it works best alongside the technical controls, such as patch management and keeping systems current, that the FCA also highlights.

Recovery and continuity planning – regular testing of recovery processes is essential to ensure that critical services can be restored quickly after any disruption, and many organisations are prioritising investment in strengthening their incident response frameworks.

Cyber investment – rather than being treated as a standalone compliance requirement, organisations are now aligning their cyber security investment with broader operational resilience and long-term business continuity objectives.

Responding to an evolving risk

The UK Cyber Security Council has warned of the unpredictable nature of cyber risk and its potential impact on data security and critical services, including financial organisations. Cyber risk is evolving more rapidly than ever before, and the threat it poses to firms undergoing digital transformation and AI adoption, together with their increasing reliance on technology, should not be underestimated.

The challenge for UK financial organisations, therefore, is not simply evaluating if and when a cyber attack may happen, but ensuring that they can continue to operate effectively when disruption does occur and maintain financial and organisational stability during and after any incident.

Firms that recognise cyber resilience as a strategic business priority, and embed cyber risk planning into enterprise risk management, governance and financial strategy rather than treating it as a technological afterthought, will be well-equipped to deal with emerging threats while strengthening customer trust, operational resilience and long-term competitiveness.
