Understanding the true risks to financial cyber resilience

By Naz Bozdemir, Lead Product Researcher, HackerOne

In its 2025 cybersecurity breaches survey, the Department for Science, Innovation and Technology (DSIT) and the Home Office discovered 43% of UK businesses experienced a cyber-breach or attack during a 12-month period. Perhaps unsurprisingly, the financial services sector was among the most heavily targeted.

A recent report pulled insights from the world’s largest community of security researchers to identify where the risks lie. It showed that while financial services often report fewer individual vulnerabilities than other sectors, researchers have discovered that validated issues are more likely to escalate into real-world incidents due to their integration with key processes.

Criminals are exploiting AI technologies to power attacks against financial service organisations, harnessing techniques such as deepfake-driven Business Email Compromise, synthetic identities, and API abuse to bypass traditional security controls. Despite increased security measures, businesses are still falling victim, with a multinational firm recently losing $25 million due to criminals manipulating deepfake technology to impersonate the company’s CFO during a video conference call.

Sophisticated attacks like these are converting weaknesses such as Insecure Direct Object Reference (IDOR) into full-scale takeovers. Even the smallest failure can expose key data or processes, with 21% of validated findings of high or critical severity. The impact of these attacks is only growing, as the average breach now costs financial services $5.56m.

Regulatory pressure intensifies the challenge, with organisations facing strict demands around operational resilience, third-party risk management, and timely vulnerability disclosure. Financial service institutions that experience a breach will now be subject to regulatory penalties alongside customer data remediation and operational downtime, making each unmitigated vulnerability a potential compliance event as well as a security gap.

The ever-evolving dangers

As institutions look to better their defences, attackers are also looking to improve offensive measures, automating approaches to test security systems faster and more effectively. Where before key aims were to exploit large volumes of low-impact vulnerabilities, cybercriminals are increasingly focusing on fewer but higher-impact opportunities tied to key networks and data. In this context, AI is empowering them to increase productivity as they search for new ways to circumvent security defences.

Financial institutions must look to shift the security challenge away from high-volume vulnerabilities and focus on a clearer understanding of where risk concentrates and how losses actually occur. There can be no doubt that the industry will experience attacks – the question is how institutions prepare for and mitigate these attacks to ensure the least possible chance for breaches and industry disruption.

AI is expanding the attack surface

As businesses rush to adopt AI for fear of being left behind, the number of new cyber risks increases exponentially. According to research, over the past year alone, valid AI-related vulnerability reports have increased by more than 200%, including within the Financial Services Industry, highlighting how quickly AI integrations are expanding the attack surface in live financial workflows.

As financial services integrate this new technology into every aspect of the business, fast, inefficient implementation results in critical failures springing up everywhere – most notably in  endpoints, access controls and permissions. These vulnerabilities stem from both AI-specific weaknesses, such as how models process untrusted inputs, and gaps in underlying infrastructure design, resulting in direct operational risk. As AI becomes embedded in fraud detection, underwriting, customer service and internal operations, it introduces novel attack vectors while inheriting the same security gaps that affect existing financial platforms, particularly around identity management and complex authorisation logic.

AI is also making existing weaknesses exponentially more dangerous. Attackers are using AI to accelerate reconnaissance and identify subtle control failures that would previously have taken much longer to discover. The recently disclosed DockerDash vulnerability demonstrates exactly this risk: attackers embed malicious commands in Docker image metadata, which the AI assistant reads and executes as legitimate instructions, completely invisible to traditional endpoint detection tools because the commands appear authorised.

Weaknesses around improper access control, IDOR and business logic flaws are particularly attractive targets for threat actors, as these systems often sit directly on transaction flows, enabling account takeover and/or unauthorised fund transfers. Exploiting these vulnerabilities enables attackers to bypass perimeter and endpoint controls by abusing trusted relationships between users, services, APIs and third-party systems.

For regulated institutions, third-party dependencies are another avenue for criminals to exploit. The direct risk of compromise and the regulatory scrutiny that follows any incident involving customer data or funds moving between organisations results in a dual exposure that can be hard to mitigate.

To stay on top of these issues, financial service companies must maintain a consistent lookout for both cybercriminal and state-aligned groups, focusing key investment into security controls and continuous threat monitoring. Ultimately, criminal activity is driven by the potential financial returns versus the effort required, with the most advanced adversaries seeking the most effective ‘ROI’.

Restructuring for cyber resilience

Industry leaders must begin to view AI not as a separate security domain but as a significant force multiplier that amplifies existing structural risks within financial systems.

To best protect networks and data, financial institutions should shift security investment away from volume-driven vulnerability reduction and toward testing the controls that govern access to critical networks and data.

This means prioritising end-to-end visibility across areas such as APIs, delegated access models, onboarding processes and automated decision workflows, where failures are most likely to escalate. Automation remains a practical option for detecting mature, deterministic vulnerability classes, but it also delivers diminishing returns given the rapidly changing threat landscape.

Adversarial testing adoption offers a clear upside – FSI programmes that deliver a 5x return on mitigation and $128m in immediate breach avoidance. This is achieved by closing exposed vulnerabilities before adversaries can exploit them. This way, organisations are increasingly pairing automation for scale with human-led testing to strike the most effective balance that focuses effort on the controls and workflows most likely to drive material loss.

Securing the future

Ensuring cyber resilience will depend on aligning security programmes with attacker behaviour and real loss scenarios, rather than relying on severity scores or compliance-driven metrics. Traditional security tools cannot detect attacks that manipulate AI reasoning rather than infrastructure, making adversarial testing against AI-integrated systems essential, not optional. As finance institutions continue planning and investing in security strategies for 2026 and beyond, the key is not more testing, but rather testing what matters most.

DORA (Digital Operational Resilience Act), FCA operational resilience requirements, and PCI DSS guidelines now explicitly expect institutions to demonstrate continuous security testing and third-party risk management. As these regulatory frameworks increasingly recognise the benefits of vulnerability disclosure and coordinated testing with security researchers, forward-thinking organisations must begin treating adversarial testing as evidence of robust operational resilience – the kind regulators increasingly expect to see.

Financial services will never cease to be attractive targets for threat actors. As AI becomes embedded in critical workflows, the attack surface will only grow more complex. The industry must double down on security measures to ensure attacks never succeed. It is time for the sector to shift from reactive compliance to continuous adversarial testing, treating security researchers as an essential line of defence.