By Sam Peters, Chief Product Officer at IO
Cyber risk within the finance sector is no longer periodic but universal, driven by fragile supply chains, human vulnerability, and the rapid pace of AI adoption. Cybersecurity is now a core business risk that directly impacts financial stability, operational resilience, and customer trust.
High-profile incidents such as those at Jaguar Land Rover and Marks & Spencer highlight a major shift in which organisations are no longer only exposed through their own controls, but through a web of third-party vendors, suppliers, and partners. According to IO’s latest research, 61 per cent of businesses have experienced a supply chain breach in the past year, with nearly a third suffering operational disruption or financial loss. Yet only 23 per cent of organisations rank supply chain compromise among their top emerging threats, which reveals a dangerous gap between perception and reality.
For finance firms, this disconnect is particularly concerning as modern financial services rely on highly interconnected ecosystems, where data and services flow across cloud providers, fintech partners, and external platforms. When one link fails, the consequences extend far beyond IT, having a detrimental impact on payments, liquidity, customer access, and trust.
At the same time, threat actors are mounting attacks on the human layer, exploiting weaknesses amongst employees and suppliers who have become gateways into multiple organisations at once, which intensifies the potential impact of a single successful attack. As IO research shows, this risk is being accelerated by artificial intelligence. According to the findings, 48 per cent of finance organisations now cite AI-driven phishing as their top emerging threat. These attacks are more convincing, more scalable, and far harder to detect than traditional phishing, leaving many conventional security processes unable to detect them.
While AI offers clear competitive advantages, its rapid adoption has overtaken governance, with more than half (53%) of surveyed finance organisations admitting they implemented AI technology too quickly, leaving gaps in oversight, security, and accountability. This has brought about new vulnerabilities, not just in how AI systems are used, but in how they are secured, monitored, and integrated into wider operations.
Reactive security is not sufficient to tackle these mounting threats, and finance organisations must shift towards a more proactive, strategic approach. The first step is a cultural one: addressing the human layer that threat actors rely upon for entry. Security cannot be confined to tools or technical teams; it must be embedded across the organisation. Employees and partners need to be equipped to actively identify and respond to threats in real time, rather than simply follow policy. This relies upon continuous training, real-world simulations, and clear accountability.
Secondly, supply chain risk must not be overlooked; it should be treated as a critical business concern. Despite 80 per cent of organisations having improved third-party risk management in the past year, and a further 17 per cent planning to do so, many still lack the continuous visibility needed to manage evolving risks.
Financial organisations must look beyond point-in-time assessments to implement ongoing monitoring, stronger contractual obligations, and regular audits. Frameworks such as ISO 27001, alongside enhanced vendor governance, can help establish a consistent and enforceable foundation.
In addition, security must become a board-level priority, and cyber risk should sit alongside financial, operational, and regulatory risks. This shift is being reinforced by major regulatory developments such as the EU’s Digital Operational Resilience Act (DORA) and the NIS2 Directive. These regulations are reshaping expectations, placing greater emphasis on resilience, third-party oversight, and incident reporting. Similarly, evolving standards such as PCI DSS v4.0 and frameworks like ISO 27001 are raising the bar for governance and accountability across the sector.
However, compliance should not be viewed as a burden but as an opportunity: by treating these regulations as strategic enablers rather than box-ticking exercises, organisations can build more resilient operations, accelerate the secure adoption of cloud and AI, and improve data integrity. This will also strengthen customer trust, which is now considered a key differentiator in financial services.
The gap between confidence and reality is underlined by the survey findings: despite 97 per cent of cybersecurity leaders expressing confidence in their breach response capabilities, a majority have still experienced supply chain attacks. Closing this gap requires a shift in mindset, from reacting to incidents to anticipating and mitigating them before they occur.