Large financial institutions have long been targets of cybercrime, as these organizations handle enormous volumes of customer data. As a result, disrupting bank operations through ransomware and stealing sensitive data are attractive opportunities for cybercriminals. With the development of artificial intelligence (AI) and advances in quantum computing, threat actors have new tools to deploy in their exploits against financial institutions.

Ransomware, phishing, supply chain attacks, and other exploits continue to threaten institutions. In a 2025 study of cyber risk trends, Munich Reinsurance Company (“Munich Re”) found four cyber risk “hot spots”: ransomware, scams, data breaches, and supply chain attacks.

The data compiled by Munich Re showed an increase in ransomware attacks, agile networks of hackers using ransomware, and a record ransom payment of $75 million. In addition, Munich Re found more than 5 billion accounts were compromised in data breaches, for which the average loss was almost $4.9 million and total fines for violations of the General Data Protection Act (GDPR) were EUR 1.2 billion.

Supply chain attacks, such as those involving third-party vendors, also pose a risk to large financial institutions. In 2025, several high-profile incidents involved financial services industry vendors:

• A ransomware attack and data breach at a financial services software company impacted more than 70 U.S. banks and credit unions.
• More than 4 million U.S. consumers’ personal information was stolen from a credit reporting agency through an attack on a customer relationship management system.
• Data involving some of the largest banks and investment companies was exposed in a breach at a real estate services provider.

As an industry, finance tops the list for incident response services provided by Mandiant, a cybersecurity consulting unit of Google. In 2024, financial services accounted for 17.4% of all cyber investigations Mandiant conducted globally, followed by business and professional services, at 11.1%, and high tech, at 10.6%.

Adding pressure to financial institutions to enhance their cybersecurity are evolving financial regulations and privacy laws. Examples of such regulations for U.S. clients include:

• The Securities and Exchange Commission (SEC) in 2025 finalized disclosure rules for public companies on cybersecurity incidents. For example, public companies must disclose material cybersecurity incidents within four business days on Form 8-K and provide updates on previously disclosed incidents.
• The New York Department of Financial Services (NYDFS) maintains robust cybersecurity measures and disclosure requirements that, among other things, require financial institutions to perform periodic risk assessments.
• Payment card industry data security standard (PCI DSS) regulations impose technical and operational requirements for protecting cardholder data.
• The California Consumer Privacy Act (CCPA), unlike other state privacy laws, e.g., Colorado, Nevada, and Virginia, does not offer a blanket exemption to financial institutions that are subject to the Gramm-Leach-Bliley Act’s privacy protection rules. Differences in state privacy laws and the data protection obligations they impose increase the compliance burden on financial institutions.

Cybercriminals are using increasingly sophisticated tactics, and they are assisted in these by AI. A 2022 study by Vade found 35% of phishing attacks attempt to impersonate a bank or financial services entity.

Business email compromise, impersonation, phishing, and other social engineering attacks are becoming more persuasive and realistic with the use of AI. In prior years, ransomware attacks principally encrypted data, but these have evolved to encompass data exfiltration and cyberextortion — often with a ransom demand to avert publication of sensitive data.

The use of quantum computing is a less prevalent but emerging risk. Criminals are already seeking ways to use this highly sophisticated tool in their activities. If quantum computing can eventually break encryption, as cybersecurity experts predict, how will financial institutions and other organizations keep their data secure?

Business interruption remains a major risk for financial institutions. The disruptive effect of ransomware and other exploits extends beyond data, with financial institutions being highly dependent upon the resilience of their network.

Banks and other financial firms will need to adapt to evolving cybercrime tactics. AI is a double-edged sword. While cybercriminals are using it to improve the effectiveness of their attacks, financial institutions and other organizations also can tap AI to scan for vulnerabilities and deploy defenses. 

In a 2025 global survey by Munich Re found 87% of C-suite executives believe their organization’s cyber protection is inadequate. Yet, a significant coverage gap exists because a majority of cyber risks are underinsured or uninsured.

Cyber insurance gross written premiums in North America in 2025 exceeded USD 10 billion, and Munich Re anticipates cyber GWP in the region will nearly double by 2030, approaching 20 billion. Despite this steep growth in cyber insurance, global cyber premium volume in 2024 accounted for less than 1% of worldwide property and casualty premiums. There remains a compelling argument for financial institutions and other industries to increase their cyber insurance protection.