In 2025, financial services are deeply reliant on digital infrastructures. Cloud services, especially, are reshaping how the sector operates.

The cloud offers both established and challenger companies the ability to improve flexibility, efficiency, and analytics capabilities. When deployed properly, it can deliver integrated security across an organisation, but also introduces new vulnerabilities.

Due to the sensitive nature of financial data, the sector remains a target for cyberattacks. This, combined with strict regulatory oversight, means firms must continuously align with evolving legislation while enhancing service functionality.

Which regulations do financial services need to be aware of?

There are several specific regulatory requirements that financial institutions must follow. These pieces of legislation are designed to ensure customer data is protected from attackers:

Payment card information and PCI-DSS

For businesses that handle payment card information, PCI DSS requirements dictate security and operational requirements for protecting cardholder information during storage, processing, and transmission. In practice, these requirements are 12 mandatory security controls that cover network security, data protection, vulnerability management, access control, monitoring and logging, physical security, testing, and policy enforcement. Failure to comply with the 12 security controls can lead to severe financial penalties and even liability for compensation costs.

GDPR implications

GDPR regulations categorise financial data as sensitive personal data. This refers to bank details, transaction histories, assets, credit scores, and anything else that might concern the overall financial health of an individual. Firms must take measures to prevent unauthorised access or risk facing fines.

Basel III considerations

The third Basel Accord, Basel III, sets the international standards for capital requirements, stress tests, liquidity regulations, and leverage. It is designed to reduce the risks of phenomena such as bank runs and bank failures, as we saw in the 2008 financial crash. Due to this, most of Basel III focuses on financial requirements such as liquidity to ensure banks are more resilient to changes in the international financial markets. However, it still communicates standards in relation to information and communication technology (ICT),‍ cyber incident response and reporting, and‍ third-party risk management (TPRM).

Digital Operational Resilience Act (DORA)

Introduced in January 2025 by the European Union (EU), DORA addresses rising digital dependency in finance. It covers ICT risk management, third-party oversight, operational resilience, incident reporting, and information sharing.

Compliance with these regulations is essential. Beyond avoiding penalties or criminal charges, it strengthens protection against growing cyber threats.

Assessing Vulnerability and Risk in the Financial Services Industry

Risk assessments are critical to business continuity and reducing the impact of cybersecurity breaches. A task of identifying threats and vulnerabilities, and quantifying the consequences of threats if they were to materialise, enables firms to rank services and ensure the most critical systems are protected first.

The Financial Services Information Sharing and Analysis Center (FS-ISAC) identified several key threats to the global financial sector in its latest report, including: 

Supply Chain Incidents

Businesses should remain alert to the competencies and overall security of service providers they utilise. As reliance on external providers is increasingly integral to many core business strategies, firms cannot afford to overlook the cyber maturity of their partners. To mitigate potential security risks, organisations should ensure and verify that all service providers meet robust cyber-security standards.

Fraud

The universality of real-time payments has led to a surge in fraud action in all sectors for which financial channels and services are used. The immediacy of payment has also created a scenario where it is almost impossible to retrieve stolen funds. Online scammers are building complex operations to take advantage of this. Fraud prevention and detection are becoming more and more important to companies in the sector. Increasing friction for payments through two-factor authorisation, along with other strategic obstacles, reduces fraud risks. Without cross-border partnerships tackling this global issue, however, this is set to remain a growing threat for businesses.

Ransomware

Ransomware has long been a cybersecurity threat. Many victims are often opportunistically targeted by hackers, rather than chosen specifically. Incidents of spear phishing are also on the rise – attackers research individuals or organisations to create personalised messages to convince them to click on infected links. Creating barriers to stop or delay ransomware attacks is therefore essential to reduce the threat. Ransomware’s targeting of customer data also means detection and recovery protocols are critical for firms that want to reduce the threat from malicious actors.

Distributed Denial-of-Service

The FS-ISAC revealed that financial services accounted for a third of all distributed denial-of-service (DDoS) attacks in 2023. DDoS attackers bring down an area of a network or application and extort the affected organisation for financial gain. Motivations may also include political statement-making, competitor sabotage, and cyber vandalism, simply to cause chaos and disruption. The increasing use of application programming interfaces (APIs) in the sector means that denial of service can have a devastating effect on financial service businesses. Firms should implement mitigation strategies to protect customer trust and service availability. 

When, Not If: Building Cyber Resilience Through Disaster Recovery

While cybersecurity defences are essential, effective disaster recovery is vital to reduce the impact of incidents and maintain operations.

Speed of recovery has become the main point of difference for organisations attempting to recover from cyber incidents. Prolonged downtime can lead to reputational damage, regulatory penalties, and lost customers. Without effective disaster recovery, continuity efforts are undermined.

Firms should develop a ‘when’, not ‘if’, mindset when it comes to disaster recovery. A comprehensive disaster playbook provides a manual in the event of a cyber incident. This plan must incorporate tools to allow for early detection of malicious action. Your plan for disaster recovery should be printed as a hard copy or saved on an external device (to ensure it remains accessible if your primary system is compromised). It must consider the first steps of: documenting evidence for cyber insurance and law enforcement, identifying and isolating infected systems, and informing relevant stakeholders an attack has taken place. Furthermore, the plan should contain information around communication and key contacts, an agreed chain of command and designated person to lead the ransomware response, and assurance the plan comes under regular review with ‘fire drill’ rehearsals.

Financial institutions face some of the most severe cyber risks in the world. Abiding by regulatory requirements goes some way to protect against threats, but organisations must go further – by proactively assessing threats, incorporating security measures, and preparing for disruptions. Resilience isn’t just about avoiding breaches. It is about ensuring trust, safeguarding sensitive data, and maintaining the ability to deliver reliable services in a digital-first landscape.

Learn more at virtualDCS