No More Excuses: Why Cyber Breaches in Financial Services Are Unacceptable in 2025
The financial services industry is under attack, and we are falling short on self-defense. In a sector defined by regulation and risk management, the prevalence of ransomware, data breaches and fraud is a failure we can no longer afford.
In our industry, we understand the value of trust better than most. But with every breach, we see that foundational currency chip away a little more. In an era where cybersecurity has become a board-level issue and regulatory expectations are high, data breaches are no longer excusable; they are a sign that something fundamental has gone wrong.
Over the years, the financial services industry has established a well-earned reputation as a leader in cybersecurity. In fact, a financial services company, Citigroup, is credited with creating the Chief Information Security Officer (CISO) role in the mid-1990s, and our industry has always been subject to some of the strictest regulatory and compliance frameworks. Built on the principles of governance, control, and risk mitigation, financial institutions have the structural awareness and institutional memory to prevent most forms of cyberattack. Yet breaches continue, not due to ignorance, but because of a persistent operational disconnect. We have the tools, frameworks and policies in place, but consistency in execution and clarity of roles and responsibilities often lag behind.
Regulatory Patchwork Creating Confusion
How did we get here? Part of the problem lies in the fragmented (and often opaque) nature of cybersecurity mandates. Think of all the organizations with a hand in cyber regulation and the frameworks they’ve handed down. SEC, CISA, CIRCIA, FFIEC, PCI DSS – it’s an alphabet soup of well-intentioned but often all-consuming bodies and regulations. Yes, the aim is to enhance cyber posture, but the reality is that the guidance often overlaps, evolves inconsistently, and introduces terminology that leaves too much room for subjective interpretation.
For example, consider the SEC’s recent materiality rule, which requires a financial institution to disclose a cyber incident within four days once it determines that the event is “material.” But that threshold is open to interpretation. Without a clear definition of materiality, when exactly does the clock start? Companies are then forced to grapple with questions about how much to disclose and how to balance transparency with the risk of exposing sensitive information.
The confusion gets even worse when multiple regulatory frameworks intersect. A single incident could trigger simultaneous obligations across the SEC, CIRCIA, and even law enforcement, with each regulatory body having its own mandated timeline and criteria. Under CIRCIA, for example, organizations are required to report substantial incidents within 72 hours and ransomware payments within 24 hours. However, it remains unclear what constitutes a “substantial” cyber incident or who qualifies as a covered entity under critical infrastructure. PCI DSS 4.0, on the other hand, introduces “customized approaches” to security controls, allowing for flexibility but also creating confusion around what documentation and validation are actually required.
So, what does this misalignment across agencies and frameworks mean for security teams? Too often, it means they are drowning in red tape and bureaucracy. They are forced to interpret, reconcile and respond to a barrage of requirements – sometimes in direct contradiction to each other – while still trying to achieve their primary goal: responding to and mitigating threats in real time. The regulatory system is quickly becoming a patchwork quilt. The way to solve the issue and improve cybersecurity in financial services is not by adding more rules; it’s by finding a way to harmonize existing regulations and frameworks with clear, actionable guidance.
The Midmarket Gap
While the resulting confusion poses a challenge to all financial institutions, larger firms at least have the legal teams, in-house expertise, and budgets to navigate complex and evolving environments. They have a challenging climb ahead, but the summit is visible.
But mid-market financial institutions face a much steeper climb. Unlike larger institutions, smaller firms must stretch limited resources to meet the same standards, frequently leading to check-the-box compliance rather than meaningful cyber resilience. For mid-market firms, cybersecurity is also often viewed as a back-office IT function rather than a business priority. It’s a dangerous misalignment: when leadership treats cybersecurity as a cost center or checkbox item, it exposes the entire organization to operational and reputational risk.
Today, cyber incidents should no longer be treated as isolated IT problems. They must be fully integrated into disaster recovery and business continuity planning. Yet, many institutions still don’t treat cyber threats with the same rigor as natural disasters or infrastructure failures.
Ask yourself: does your current community or regional banking recovery plan include detailed contingencies for ransomware, data loss, and operational disruption from cyber events? For many, the answer is still no.
Moving Forward
While a tiered regulatory and framework model might take some time, the good news is that financial institutions of all sizes can take practical, immediate steps today to close the gap. Organizations can:
- Deploy robust endpoint detection and response (EDR) tools
- Maintain a rigorous patching and software update schedule
- Conduct regular red teaming exercises to identify vulnerabilities through simulated attacks
- Implement network segmentation as a starting point
Addressing the human element is just as critical, and that can be accomplished with a combination of phishing simulations, employee training, and incident response drills as part of your operational cadence. If attackers get past those defenses, secure, encrypted backups – stored offline or in trusted cloud environments – can enable rapid recovery.
Put simply, advanced threat detection is no longer a luxury. It must be elevated to an existential business priority, and financial institutions must arm themselves with the tools that enable them to do so. AI-driven behavioral analytics and real-time threat intelligence feeds are a good start, allowing organizations to spot abnormal activity proactively before it escalates into a breach. Should an incident occur, institutions must move quickly: isolate infected systems, engage cyber experts, notify stakeholders, and restore operations using clean backups.
Ultimately, the financial sector has both the responsibility and the capability to lead by example. In 2025, the continued prevalence of cyber breaches in financial services is not a reflection of inadequate tools or uncertain threats — it reflects systemic gaps in alignment, resourcing, talent availability, and regulatory clarity, particularly for institutions without the scale and support to navigate today’s cyber landscape. With trust at the center of everything this industry does, failure to act decisively on cybersecurity is a failure of fiduciary duty.
No more excuses. The threats are known, and the playbook exists. The time for half-measures is over. Financial institutions must align culture, compliance, and operational strategy to make breaches the rare exception — not the rule.