Thursday, January 9th, 2025

Recent Developments in the UK Financial Sector 

The recently reported attack on the Industrial and Commercial Bank of China in London by the Hunters threat actor is just one example of how financial institutions are being deliberately targeted.

From a financial regulator's perspective, there have been three main drivers of concern over the last five to seven years:

  • The potential for the impact of cyber events on organisations to influence the global economy
  • How COVID-19 changed so many of our work practices, and hence changed security challenges
  • The changing geopolitical situation over the past five years – the conflicts in the Middle East and Ukraine, and ongoing tensions with China, have influenced the cyber domain

In response, the EU has introduced a number of regulations, including DORA, as part of a concentrated effort to mitigate the risks from technology to its security and economy.

More generally, regulators have prioritised cooperation. Multi-national and multi-agency law enforcement operations are now routinely targeting larger threat actors like LockBit. 

In the UK, the Financial Conduct Authority has also built up the regulatory framework, with regulatory powers over critical third parties coming into effect in January 2025, and the Building Operational Resilience rules for financial organisations which will be implemented by March 2025. 

These are welcome steps. Because of the concentration of financial entities and geopolitical issues, particularly related to the conflict in Ukraine, it is assessed as highly likely that the UK will remain a significant target for threat actors. The tactics, techniques and procedures used by threat actors to target financial institutions have evolved over the last number of years, with threat actors like Hunters using malware like the SharpRhino Remote Access Trojan to deliberately target IT staff in organisations to gain privileged access. Hacktivists are also using techniques like Distributed Denial of Service attacks to disrupt the business operations of financial institutions, making a political point at a relatively low cost.

Banks are already investing in their cyber resilience, and with new technologies opening new ways of doing business, it is really important that the concept of secure by design is implemented as services develop. Technologies like AI and quantum computing are likely to change significantly the way that banks offer different services, but a holistic approach to defending these services is required from banks, as threat actors develop their sophistication with the assistance of evolving technology. 

From a consumer’s perspective, ongoing vigilance is required in any online interaction with your bank. GenAI has meant that realistic, well-written emails purporting to be from your bank can be generated in seconds. Time and time again, threat actors have tricked people into revealing personal details and gained access to bank accounts. Our message is: be as careful online in revealing your bank details as you would be in person.

    Copyright Smarttech247 - 2021