Cyber in financial services study

by Mark Rowe

For the financial services sector, compliance with regulation is the chief challenge, as well as the main stimulus, for increasing cyber security maturity, according to a study by a UK-based cyber security services company. Response times to cyber threats like ransomware are not getting any quicker, with supply chain attacks taking the longest to deal with, the study suggests.

A survey of retail and investment banks, payment processors, clearing houses, and related institutions was part of Bridewell’s wider Cyber Security in Critical National Infrastructure: 2025 report. It covers the sector’s greatest cyber security challenges, how financial services businesses are adapting to evolving threats such as AI, and the implications of increasing regulatory demands. The main findings include:

Compliance and data protection

Complying with cyber security regulations has emerged as the single most pressing challenge for financial institutions, cited by 44pc of respondents. This reflects the growing burden of frameworks such as the NIS Regulations, the Cyber Assessment Framework (CAF) and international legislation including the EU’s DORA and MiFID II. Meanwhile, data protection remains a critical issue. Financial organisations, frequent targets of both cyber criminals and nation-state actors, report heightened concerns around data privacy (39pc) and the security of critical assets (37pc).

Response times

The average response time to ransomware attacks is 6.71 hours, which is up slightly from last year’s average of 6.62 hours. However, supply chain attacks, amplified by complex systems and third-party software dependencies, remain a major concern as they take financial organisations nearly 16 hours to respond to on average. With remote and hybrid work practices now entrenched in the sector, 39pc of organisations view them as key security concerns, notably above the rest of the CNI sector’s average. Cloud security (35pc) and incident detection capabilities (30pc) are also high on the list of challenges.

Nation-state, global threats

Economic turbulence remains the most cited external threat (76pc), although concern is slightly down from 83pc in 2024. Worry over state-linked cyber actors such as Russia (70pc) and Iran (69pc) remains high, but notably, fear of China-backed threats has fallen sharply from 80pc to 57pc. While businesses increasingly use AI for defence, such as automated incident response (33pc) and threat intelligence (22pc), AI-powered phishing attacks are now the most feared emerging threat, with 89pc of respondents expressing concern.

Skills shortage, budget pressures

Although 81pc of respondents express confidence in their ability to secure IT infrastructure, the shortage of cyber expertise remains a bottleneck. More than half (52pc) plan to outsource to address the skills gap, while others turn to re-skilling (39pc) and regional security partnerships (31pc). Most financial services firms (63pc) will increase cyber security investment over the next year, with more than a fifth boosting budgets by up to 10pc.

Sam Thornton, COO of Bridewell, said: “This research reinforces the importance of financial service organisations building true cyber resilience and that regulation is no longer just a tick-box compliance issue, it is one of the primary drivers of cyber security maturity across the sector – closely coupled with an established and embedded risk management approach. Financial organisations are facing a perfect storm of regulatory scrutiny, AI-driven cyber threats and talent shortages and therefore the sector must adopt a more strategic, proactive approach to cyber resilience that integrates the right technology with highly skilled people and agile processes.”