A recent study conducted by Bridewell, a prominent UK-based cyber security services provider, revealed that compliance with regulations is both the primary challenge and the key driving force for enhancing cyber security maturity within the financial services sector. The research, titled “Cyber Security in Financial Services: 2025,” indicates that response times to cyber threats, such as ransomware, have not shown significant improvement, with supply chain attacks posing the most extended period of concern.
The research encompassed a survey of retail and investment banks, payment processors, clearing houses, and related institutions as part of Bridewell’s broader report on “Cyber Security in Critical National Infrastructure: 2025.” This study sheds light on the most critical cyber security challenges facing the sector and how financial services organizations are adjusting to evolving threats like artificial intelligence (AI) and the escalating regulatory demands.
Key findings from the research include:
Compliance and data protection take precedence:
The research revealed that complying with cyber security regulations ranks as the most pressing challenge for financial institutions, as noted by 44% of respondents. This underscores the increasing burden of frameworks such as the NIS Regulations, the Cyber Assessment Framework (CAF), and international legislation like the EU’s DORA and MiFID II. Additionally, data protection remains a significant concern, with worries surrounding data privacy (39%) and the security of critical assets (37%) at the forefront.
Response times show improvement but supply chain attacks persist:
While the average response time to ransomware attacks has slightly increased to 6.71 hours from last year’s 6.62 hours, supply chain attacks continue to be a significant worry for financial organizations. Given the complexity of systems and dependencies on third-party software, these attacks take nearly 16 hours for organizations to address on average.
Remote work and cloud security pose new risks:
With remote and hybrid work models becoming the norm in the sector, 39% of organizations perceive them as primary security concerns, surpassing the average for the Critical National Infrastructure sector. Cloud security (35%) and incident detection capabilities (30%) also rank high on the list of challenges faced by financial services organizations.
Shift in perception of nation-state and global threats:
While economic turbulence remains the most commonly cited external threat (76%), worries about state-linked cyber actors such as Russia (70%) and Iran (69%) remain high. Notably, concerns over China-backed threats have decreased significantly from 80% to 57%.
Rise of AI-powered threats, especially phishing:
Despite organizations increasingly leveraging AI for defense mechanisms like automated incident response (33%) and threat intelligence (22%), AI-powered phishing attacks are now the most feared emerging threat, with 89% of respondents expressing concern.
Persistent skills shortage and budget pressures:
Although 81% of respondents express confidence in securing IT infrastructure, the shortage of cyber expertise remains a significant bottleneck. More than half (52%) plan to outsource to address the skills gap, while others consider reskilling (39%) and forming regional security partnerships (31%) as solutions. Encouragingly, 63% of financial services firms plan to increase cyber security investment over the next year, with more than a fifth boosting budgets by up to 10%.
In response to the research findings, Sam Thornton, the COO of Bridewell, emphasized the critical importance of financial service organizations building genuine cyber resilience. He highlighted that regulations are no longer just checkboxes to tick but are fundamental drivers of cyber security maturity across the sector. Thornton emphasized the need for a strategic, proactive approach to cyber resilience that integrates appropriate technology with highly skilled personnel and agile processes.
Overall, the study underscores the pressing need for financial services organizations to address the evolving cyber security landscape decisively. As the sector grapples with regulatory pressures, AI-driven threats, and talent shortages, a strategic and proactive approach to cyber resilience is essential for safeguarding critical assets and maintaining trust with customers and stakeholders.