What Does Cyber Resilience Look Like in Financial Services?

Cyber resilience has become a popular topic in financial services, especially in the wake of recent headlines highlighting insecure code.
Lloyds Banking Group recently settled for £139,000 (US$184,604) after a cyber incident resulted in a data breach in which customers briefly had access to each other’s sensitive data.
Data from IBM shows that cyber attacks on the finance and insurance industries show no sign of slowing down, with the sector remaining the second most attacked industry for the fifth consecutive year.
In this Q&A, Prashant Jajodia, Financial Services Sector Leader UKI for IBM, focuses on how financial institutions can build resilience against cyber attacks as new threats such as AI emerge.
Cyber resilience: what is the landscape like?
Over the past 18 years at IBM, I’ve partnered with organisations to modernise and evolve their businesses – from early cloud adoption and large-scale digital transformation programmes through to today’s advancements in data and AI.
My focus is on helping financial institutions drive innovation and deliver value for their customers.
It is clear attacks are becoming more prolific, protracted and aggressive due to AI shortening the time it takes to exploit core vulnerabilities.
IBM’s 2026 X-Force Threat Intelligence Index report finds that the finance and insurance sector ranked as the second most attacked industry for the fifth year and the exploitation of public-facing applications was the top initial access vector in 2025, accounting for 40% of attacks.
This data shows how quickly adversaries can weaponise exposed digital infrastructure.
AI has increased attackers’ ability to target at speed.
Once a threat has been carried out, the likelihood of business impact is much higher.
Using agentic-powered threat detection to identify gaps or vulnerabilities before a threat is realised is critical to business continuity.
To close this new gap driven by the speed at which attacks can be carried out with AI, security leaders at banks and financial institutions must pivot from reactive defence to predictive intelligence.
The most effective way to do this is by participating in an intensive, realistic cyberattack simulation.
It’s only under that simulated stress that businesses can begin to understand how the organisation will react when faced with high-stakes decisions.
What is the most common type of cyberattack that the financial services sector and the insurance sector have suffered from?
Credential theft and the exploitation of public-facing applications remain significant attack vectors, although the methods of gaining access continue to evolve.
We’ve seen a sharp and sustained rise in supply-chain compromises, with incidents increasing fourfold over the past five years.
Rather than targeting a financial institution directly, attackers are increasingly leveraging credentials obtained through trusted third-party providers – an approach that poses a particular challenge for the insurance sector, which depends heavily on external data and services.
At the same time, social-engineering techniques have become far more sophisticated. The growing use of deepfake audio is a developing threat that the industry cannot afford to overlook.
Why should these sectors be worried about AI?
AI presents a clear paradox – it is both a powerful enabler for cybercriminals and a growing attack surface that financial services and insurance firms must secure.
The latest IBM Threat Intelligence Report, for example, identified more than 300,000 ChatGPT credentials for sale on the dark web in a single year – highlighting just how actively attackers are exploiting AI-related tools and data.
At the same time, AI is creating significant opportunities for the industry.
According to a recent IBM IBV Banking report, 61% of executives view AI as the primary driver of value in fraud detection – 45% expect it to fundamentally transform AML and KYC controls.
Navigating that balance between AI innovation and security is the defining challenge for every modern-day business.
What improvements could be made to improve cyber resilience?
The most effective way to improve cyber resilience is participating in intensive, realistic cyber-attack simulations.
When businesses suffer a cyber-attack, decisions are made in high-stakes, pressurised situations.
Simulations are the best way to recreate this duress and understand how to improve decision making in this type of environment.
This also allows for the analysis of potential financial impact, which informs everything from insurance coverage to strategic investments.
Finally, it should be assumed that at some point threat actors will gain access.
The priority then is to build a stand-in capability that financial institutions can switch to in the event of a ransomware attack, so that they can still provide basic services.
IBM is building an Industry Stand-in Bank (ISIB) platform in collaboration with leading UK banks which can mitigate the impact to the institution and the economy in case of such a catastrophic attack.
Is AI in cyberspace evolving into something ungovernable? How can this be managed?
It's a huge challenge, but it's not ungovernable.
The key is establishing digital provenance and authenticity. In response to the wave of deepfake fraud, we're seeing a major push for content authenticity standards, allowing us to verify where a piece of digital content has come from, be it an email, a voice note, or a video.
From a governance standpoint, it’s about managing the AI attack surface.
Treating AI agents and platforms as critical assets that require stringent identity and access controls, just like any human employee, is key.
This requires a clear framework for how AI is developed and deployed responsibly, ensuring security is a core component, not an afterthought.
What is security-by-design, and how could it help?
In 2026, security-by-design has become a board-level strategic imperative.
It means security is no longer just an IT issue – it's a fundamental part of business risk management and something that the entire C-suite should be looking at.
For example, when a bank develops a new AI-driven product, security isn't bolted on at the end – instead, it's baked in from the very beginning.
This means designing systems to be resilient by anticipating attacks. It involves continuous threat modelling and understanding that your vendors and partners are now part of your security perimeter.
Building systems that are secure-by-design from the ground up is a fundamental requirement for managing risk.