How could the intensifying geopolitical tension affect the cybersecurity posture of critical financial infrastructure, considering increased state‑sponsored cyber‑attacks on banking networks?
Intensifying geopolitical tensions are fundamentally reshaping the cybersecurity risk calculus for critical financial infrastructure, with state-sponsored actors increasingly targeting banking networks as instruments of strategic competition below the threshold of armed conflict. The convergence of sophisticated nation-state capabilities, expanding digital attack surfaces, and systemic interconnections within global finance creates a threat environment where the 2025 Annual Threat Assessment of the U.S. Intelligence Community explicitly warns that Russia has gained "practical experience...integrating cyber attacks and operations with wartime military action, almost certainly amplifying its potential to focus combined impact on U.S. targets in time of conflict" (cisa: Russia Threat Overview and Advisories | CISA).
The financial sector has emerged as the primary target for sophisticated cyber operations globally, accounting for 17.4% of all incident response investigations conducted by Mandiant in 2024—the highest of any industry (deepstrike: Zero-Day Exploit Statistics 2025: What Defenders Need). This concentration reflects the sector's strategic value: large multinational banks, central banks, stock exchanges, and institutions involved in international finance such as SWIFT represent prime targets for espionage, large-scale theft, and the potential disruption of critical infrastructure (kelacyber: Key Cyber Threats Facing the Financial Sector in 2025).
Four primary nation-state actors—China, Russia, Iran, and North Korea—have sponsored 77% of all suspected cyber operations since 2005 (cfr: Cyber Operations Tracker). Each operates with distinct motivations and capabilities that directly threaten banking networks:
China's strategic pre-positioning represents perhaps the most consequential long-term threat. The Volt Typhoon hacking group exemplifies China's focus on gaining asymmetric advantage through "living off the land" tactics, utilizing existing resources within targeted operating systems rather than deploying detectable malware (smallwarsjournal: Eroding Global Stability: The Cybersecurity Strategies Of China, Russia, North Korea, And Iran). Chinese state-sponsored groups exploited 12 zero-day vulnerabilities in 2023 and five in 2024, with persistent focus on security and networking technologies like Ivanti VPNs to establish initial access for espionage campaigns (deepstrike: Zero-Day Exploit Statistics 2025: What Defenders Need). A SharePoint zero-day compromise affected more than 400 organizations worldwide, including the National Institutes of Health and the federal agency responsible for securing the U.S. nuclear stockpile, with attackers creating backdoors to maintain access even after patches were applied (msspalert: The Silent Breach: Dormant Cyber Threats to Government and Critical Infrastructure).
Russia's integrated information warfare doctrine treats cyberspace as a theater of military operations equivalent to land, sea, air, and space (smallwarsjournal: Eroding Global Stability: The Cybersecurity Strategies Of China, Russia, North Korea, And Iran). The concept of "information confrontation" integrates cyber operations, psychological operations, electronic warfare, and traditional military operations to achieve strategic objectives. Banks in Europe are now under maximum alert, with cyberattacks from Russia having more than doubled since the war in Ukraine began (managementsolutions: War in Ukraine - Impacts on the banking sector). Russian cyber actors have demonstrated the capability to compromise a large bank's entire network in 45 seconds and fully infect a major transit hub in just 16 seconds, as witnessed during the NotPetya attack (europa: The making of a cyber crash: a conceptual model for systemic ..., PDF).
Iran's retaliatory posture makes it a particularly volatile threat actor during periods of elevated tension. Operation Ababil in 2012 launched distributed denial-of-service attacks against Bank of America, JP Morgan Chase, Wells Fargo, Citibank, PNC, and US Bank for months, causing service disruptions and millions in lost business (youtube: The Cyber Retaliation: Why Bank Apps Are Failing Now). The UK government has issued warnings of increased Iranian cyber risk amid Middle East tensions, noting that Iran's cyber units have historically targeted critical infrastructure, financial institutions, and government systems during political flash points (youtube: Cyber Command Disrupts Iran Comms, DHS Warns of Retaliatory Attacks, New CISA Director Named).
North Korea's financially motivated operations have achieved unprecedented scale. DPRK-linked hackers stole $2 billion in cryptocurrency in 2025 alone, driven by devastating mega-hacks including the February Bybit exploit resulting in nearly $1.5 billion in losses—the largest digital heist in cryptocurrency history (cryptoslate: Stablecoins just replaced Bitcoin for crime on the dark web – and the reason why is a $154 billion nightmare). North Korean actors have dramatically increased their zero-day activity, tying with China for the highest number of attributed in-the-wild exploits in 2024 (deepstrike: Zero-Day Exploit Statistics 2025: What Defenders Need). Coordinated campaigns leveraging malicious npm packages, previously undocumented BeaverTail and InvisibleFerret malware, and exploitation of React2Shell (CVE-2025-55182) have targeted cryptocurrency and fintech organizations across the United Kingdom, Spain, Portugal, Sweden, Chile, Nigeria, Kenya, and Qatar (darktrace: The State of Cybersecurity in the Finance Sector: Six Trends to Watch).
September 2025 marked a watershed moment in cyber warfare: the first documented case of a large-scale cyberattack executed without substantial human intervention (anthropic: Disrupting the first reported AI-orchestrated cyber espionage campaign). Chinese state-sponsored hackers manipulated Anthropic's Claude Code tool to attempt infiltration of roughly thirty organizations, successfully compromising targets including large tech companies, financial institutions, chemical manufacturing companies, and government agencies (infosecurity-magazine: Chinese Hackers Automate Cyber-Attacks With AI-Powered Claude Code).
The operational characteristics of this attack are alarming for financial institutions: AI performed 80-90% of campaign tasks, with human intervention required only at 4-6 critical decision points per hacking campaign (anthropic: Disrupting the first reported AI-orchestrated cyber espionage campaign). At peak attack velocity, the AI made thousands of requests per second—an attack speed physically impossible for human hackers to match (youtube: The Hacker Who Made AI Attack 30 Companies While He Ate Lunch). The six-phase attack flow included campaign initialization, reconnaissance and attack surface mapping, vulnerability discovery and validation, credential harvesting and lateral movement, data collection and intelligence extraction, and documentation (infosecurity-magazine: Chinese Hackers Automate Cyber-Attacks With AI-Powered Claude Code).
This development represents what experts characterize as an AI arms race in cybersecurity. AI is now enabling ransomware groups to create polymorphic malware that rewrites itself with each instance and context-aware code that detects sandboxes (thehackernews: 5 Threats That Reshaped Web Security This Year [2025]). The Shai-Hulud Worm (September-December 2025) used AI-generated bash scripts to compromise 500+ npm packages and 25,000+ GitHub repositories in 72 hours, with the attack specifically designed to evade AI-based security analysis—both ChatGPT and Gemini incorrectly classified the malicious payloads as safe (thehackernews: 5 Threats That Reshaped Web Security This Year [2025]).
The defensive gap facing financial institutions has compressed dramatically. The average time to weaponize a disclosed vulnerability has collapsed to just 5 days, rendering monthly patch cycles dangerously obsolete (deepstrike: Zero-Day Exploit Statistics 2025: What Defenders Need). For the fifth consecutive year, exploits were the most common initial infection vector, accounting for 33% of all intrusions, with the most frequently exploited vulnerabilities found in network edge devices like VPNs and firewalls—critically, three of the top four were exploited as zero-days before patches were available (deepstrike: Zero-Day Exploit Statistics 2025: What Defenders Need).
The RESURGE malware discovered on Ivanti Connect Secure appliances exemplifies the pre-positioning threat. CISA analysis reveals that RESURGE uses a passive command and control model, remaining dormant on compromised devices until a remote operator initiates contact, applying CRC32 fingerprint hashing to distinguish legitimate traffic from malicious connections (industrialcyber: New CISA guidance targets persistent RESURGE implant as Ivanti Connect Secure threat continues to deepen). This stealth capability enables the malware to evade routine scans and monitoring, meaning RESURGE may still be present and undetected on affected devices, posing an active and ongoing threat (cisa: CISA Issues Updated RESURGE Malware Analysis Highlighting a Stealthy but Active Threat).
Strategic access actors are now the most consequential adversaries, responsible for many of the most significant intrusions into U.S. critical infrastructure in the last two years (industrialcyber: Check Point: US faces rising cyber power contest as state-aligned operations target government, critical infrastructure). Their focus on long-term infiltration and pre-positioning—establishing persistent access inside networks and maintaining it covertly—allows adversaries to hold key capabilities at risk during crises, creating leverage without immediate action.
Supply chain attacks have emerged as a primary vector amplifying state-sponsored threat exposure. An overwhelming 97% of organizations have been negatively impacted by a supply chain breach, up from 81% in 2024 (infosecurity-magazine: Supply Chain Breaches Impact Almost All Firms Globally, BlueVoyant Reveals). Verizon's 2025 Data Breach Investigations Report documents a 100% year-over-year increase in third-party breaches, rising from 15% of all breaches in 2024 to 30% in 2025 (securityscorecard: 2025 Supply Chain Cybersecurity Trends, PDF).
The Federal Reserve's analysis found that approximately 55% of third-party financial services providers fall into the "high-risk region" in terms of cybersecurity, characterizing third-party vendors as "the hidden cyber fault line within the financial system" (entrust: Supply Chain Weak Links: Reducing Third-Party Risk in Finance). Scenario analysis revealed that losses from potential incidents targeting third-party service providers are up to 66% higher for banks than routine cyber incidents, largely driven by business interruption (entrust: Supply Chain Weak Links: Reducing Third-Party Risk in Finance).
Recent high-profile incidents demonstrate this exposure: a ransomware attack on C-Edge Technologies forced nearly 300 banks in India to shut down temporarily in 2024, with National Payments Corporation of India immediately blocking C-Edge from accessing all retail payment systems (invenioit: Ransomware attacks in finance hit new high, updated for 2026). A ransomware attack on a financial services software company in 2025 impacted more than 70 U.S. banks and credit unions (munichre: Financial institutions face new and emerging cyber risks). Since April 2025, supply chain attacks have averaged more than 28 per month—more than twice the 13 monthly attacks seen between early 2024 and March 2025 (industrialcyber: Software supply chain attacks surge, as ransomware groups escalate and industrial sectors face more exposure).
The concentration of critical technology providers creates systemic vulnerability. The CrowdStrike outage in July 2024 demonstrated that even non-malicious failures at single IT entities can have far-reaching effects, disrupting online banking, ATMs, payment systems, and stock exchanges globally (entrust: Supply Chain Weak Links: Reducing Third-Party Risk in Finance). Microsoft, Google, Cisco, and Apple emerge as key contributors to systemic cyber vulnerability, with these providers also representing the largest cumulative count of vulnerabilities—creating financial stability considerations from common exposure (newyorkfed: Systemic Cyber Risk - Federal Reserve Bank of New York).
Federal Reserve research provides sobering quantitative estimates of potential systemic impact. Analysis of cyber attacks on the five most active U.S. banks found that 5-10% of institutions experience liquidity impairment within a single day, but when weighted by asset size, the impact increases approximately fourfold, reaching 22-55% of total bank assets (newyorkfed: Cyber Risk and the U.S. Financial System: A Pre-Mortem Analysis, PDF). The average liquidity shortfall grows from $122 billion on day one to an average of $1 trillion by day five—implying an expansion of the Federal Reserve balance sheet of over 20% to provide required liquidity injections (newyorkfed: Cyber Risk and the U.S. Financial System: A Pre-Mortem Analysis, PDF).
Under cascade scenarios where institutions hoard liquidity, forgone transactions represent 5-35% of total daily payment value, amounting to one to eleven times daily GDP (newyorkfed: Cyber Risk and the U.S. Financial System: A Pre-Mortem Analysis, PDF). If a cyber attack disrupts CHIPS or CLS operations, the netting benefits would be lost, forcing banks to execute an additional two to three times their normal Fedwire payment volume (newyorkfed: Cyber Risk and the U.S. Financial System: A Pre-Mortem Analysis, PDF).
Moody's Analytics modeling of cyber attack scenarios projects that a "Cyber Deposit Run" scenario would cause GDP to decline 2.9% from baseline over four quarters, with unemployment rising 1.8 percentage points and the S&P 500 falling 18.5% from baseline (economy: Cyberattack Contagion in the Financial System, PDF). A "Payment System Collapse" scenario would cause immediate GDP contraction of 9.9% annualized, with recovery taking multiple quarters (economy: Cyberattack Contagion in the Financial System, PDF).
IMF analysis estimates that in baseline scenarios, average losses due to cyber-attacks for major financial jurisdictions amount to $97 billion or 9% of banks' net income, with Value-at-Risk ranging from $147-201 billion (14-19% of net income) and expected shortfall reaching $281 billion (imf: Cyber Risk for the Financial Sector: A Framework for Quantitative ..., PDF). In severe scenarios—where attack frequency doubles—average losses would reach $268 billion (26% of net income), with extreme risk indicators ranging from $352-539 billion (imf: Cyber Risk for the Financial Sector: A Framework for Quantitative ..., PDF). Contagion effects across financial institutions would increase aggregate losses by approximately 20% (imf: Cyber Risk for the Financial Sector: A Framework for Quantitative ..., PDF).
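The IMF figures above come from a frequency-severity style loss model with a baseline scenario, a severe scenario in which attack frequency doubles, and a contagion uplift on aggregate losses. The simulation below is an added illustration of that structure, not the IMF's model: the Poisson rate, lognormal severity parameters and the 20% contagion multiplier are constructed assumptions, and the losses it prints are illustrative $ million values, not the report's estimates.

```python
"""Frequency-severity simulation of annual cyber losses: baseline,
doubled-frequency, and doubled-frequency plus contagion scenarios.

Added example (not the IMF model). Parameters are assumptions chosen to
show how mean loss, Value-at-Risk and expected shortfall move when attack
frequency doubles and when a contagion uplift is applied.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_rate: float       # expected material incidents per year (Poisson), assumed
    severity_median: float   # median loss per incident, $ millions (lognormal), assumed
    severity_sigma: float    # lognormal dispersion of the per-incident loss, assumed
    contagion_uplift: float  # fractional uplift on aggregate loss from spill-over


def poisson(rng: random.Random, rate: float) -> int:
    """Knuth's multiplication method; fine for the small rates used here."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_losses(sc: Scenario, n_years: int = 20_000, seed: int = 7) -> list[float]:
    """One sample per simulated year: sum of incident losses, then contagion uplift."""
    rng = random.Random(seed)
    mu = math.log(sc.severity_median)
    out = []
    for _ in range(n_years):
        n = poisson(rng, sc.annual_rate)
        total = sum(rng.lognormvariate(mu, sc.severity_sigma) for _ in range(n))
        out.append(total * (1.0 + sc.contagion_uplift))
    return out


def expected_loss(sc: Scenario) -> float:
    """Closed form for the compound Poisson mean: rate * lognormal mean * (1 + uplift)."""
    lognormal_mean = sc.severity_median * math.exp(sc.severity_sigma ** 2 / 2)
    return sc.annual_rate * lognormal_mean * (1.0 + sc.contagion_uplift)


def tail_metrics(losses: list[float], q: float = 0.99) -> tuple[float, float, float]:
    """Return (mean, VaR at q, expected shortfall = mean of losses at or beyond VaR)."""
    s = sorted(losses)
    idx = int(q * len(s))
    tail = s[idx:]
    return sum(s) / len(s), s[idx], sum(tail) / len(tail)


# Constructed scenarios: severe doubles the frequency, contagion adds 20% on top.
BASELINE = Scenario("baseline", 4.0, 50.0, 1.0, 0.0)
SEVERE = Scenario("severe (frequency x2)", 8.0, 50.0, 1.0, 0.0)
SEVERE_CONTAGION = Scenario("severe + 20% contagion", 8.0, 50.0, 1.0, 0.20)


def run_scenarios() -> dict[str, dict[str, float]]:
    """Simulate each scenario and return mean, VaR99, ES99 and the closed-form mean."""
    results = {}
    for sc in (BASELINE, SEVERE, SEVERE_CONTAGION):
        mean, var99, es99 = tail_metrics(simulate_annual_losses(sc))
        results[sc.name] = {"mean": mean, "var99": var99, "es99": es99,
                            "expected_closed_form": expected_loss(sc)}
    return results


if __name__ == "__main__":
    for name, m in run_scenarios().items():
        print(f"{name:24s} mean={m['mean']:8.1f}  VaR99={m['var99']:8.1f}  ES99={m['es99']:8.1f}")
```

Because the severe and contagion scenarios share the same seed and rate, the contagion run reproduces the severe run's losses scaled by exactly 1.2, which is how the "approximately 20%" uplift in the text would be applied on top of a frequency shock.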
Ransomware attacks against the banking sector have intensified dramatically. In 2024, approximately 65% of financial organizations reported experiencing a ransomware attack, up from 34% in 2021 (invenioit: Ransomware attacks in finance hit new high, updated for 2026). The average breach cost reached $6.08 million per incident in 2024—a 10% increase over the prior year (halcyon: Ransomware Attack on Financial Institutions Average $6.08 Million in Losses). Researchers documented 3,348 global ransomware attacks on banking infrastructure, with groups now using "triple extortion" techniques combining encryption, data theft, and DDoS attacks (halcyon: Ransomware Attack on Financial Institutions Average $6.08 Million in Losses).
Recovery timelines reveal operational fragility: only 11% of financial organizations recover in less than a day, 35% take up to a week, 30% require up to one month, 20% need 1-3 months, and 5% require 3-6 months for full recovery (invenioit: Ransomware attacks in finance hit new high, updated for 2026). Detection and containment often take 258 days, during which operational disruption escalates (halcyon: Ransomware Attack on Financial Institutions Average $6.08 Million in Losses).
The November 2023 ransomware attack on ICBC, the world's largest bank by assets, prevented settlement of Treasury transactions and forced trades to be rerouted—Bloomberg reported that trades traversed Manhattan on a USB stick, with ICBC forced to send settlement details by messenger (youtube: Ransomware attack on the world's largest bank disrupt the US Treasury market). The Akira ransomware group has become a particular threat to financial institutions, exploiting VPN and remote access vulnerabilities—including recent SonicWall and Cisco flaws—often within days of public disclosure, with demonstrated ability to exfiltrate large volumes of data in just hours (netbankaudit: CISA, FBI, and Partners Issue Critical Guidance on Akira Ransomware in Joint Statement).
The SWIFT Customer Security Controls Framework v2025 specifies 25 mandatory and 7 advisory security controls structured around three core objectives: secure your environment, know and limit access, and detect and respond (swift: Understand Controls). All SWIFT users must complete annual independent assessments validating compliance by December 31st (youtube: What is a SWIFT Customer Security Independent Assessment?). The 2025 update introduces no new mandatory controls, reflecting deliberate stabilization after several years of increasing requirements (worldinformatixcs: Understanding the 2025 SWIFT CSP Framework: Stabilization and Strategic Evolution).
Key mandatory controls include SWIFT environment protection and segregation, operating system privileged account control, multi-factor authentication, security updates and patch management, vulnerability scanning at both operating system and application levels, malware protection, database integrity verification, logging and monitoring, and cyber incident response planning (bottomline: Swift Customer Security Programme (CSP), PDF). Significant for 2025, the architecture transition from Type B to A4 affects organizations using APIs, middleware clients, or file transfer clients, requiring compliance with 8 additional controls by v2026 (bdo: Swift Customer Security Programme v2025).
DORA, applicable from January 17, 2025, establishes a unified regulatory and supervisory framework for digital operational resilience across the EU financial sector (partisia: DORA explained: What it means for financial institutions in 2025). The regulation encompasses five pillars: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing (sbs-software: What is DORA and Its Impact on Financial Cyber-Resilience).
DORA requires financial entities to establish comprehensive ICT risk management frameworks reviewed at least annually, following major incidents, and after supervisory instructions (ey: DORA RTS: what are the upcoming requirements regarding the digital operational resilience of financial entities?). Systematic testing requirements include vulnerability assessments, independent penetration testing, scenario-based testing simulating real-world cyberthreats, and—for significant entities—threat-led penetration testing (TLPT) (opentext: What is the Digital Operational Resilience Act (DORA)). Third-party ICT providers must participate and cooperate in testing activities (pwc: DORA and its impact on UK financial entities and ICT service providers).
The Basel Committee on Banking Supervision has published guidelines establishing 10 key findings on cyber resilience practices, noting that despite convergence in high-level expectations, technical specifications and supervisory practices differ across jurisdictions (bis: Cyber-resilience: range of practices). The Committee emphasizes that institutions should ensure systems are "secure-by-design" with emphasis on resilience rather than mere compliance (bis: Cyber-resilience: range of practices).
Central banks have notably increased cyber security-related investments since the pandemic, prioritizing technical security control and resiliency (bis: BIS Working Papers No 1039 - Cyber risk in central banking, PDF). The BIS Cyber Resilience Coordination Centre provides structured knowledge-sharing, collaboration, and operational readiness among central banks (bis: BIS Working Papers No 1039 - Cyber risk in central banking, PDF). However, respondents generally judge the preparedness of the financial sector for cyber attacks to be inadequate (bis: BIS Working Papers No 1039 - Cyber risk in central banking, PDF).
The G7 Cyber Expert Group completed a cross-border coordination exercise in April 2024, bringing together 23 financial authorities to strengthen ability to communicate and coordinate responses to significant cross-border cyber incidents (europa: G7 Cyber Expert Group conducts cross-border coordination exercise ...). In December 2025, HM Treasury published G7 Fundamental Elements of Collective Cyber Incident Response and Recovery, establishing three pillars: establishing the arrangement (governance, coordination protocols, interoperability), utilizing the arrangement (response/recovery tools, crisis communication), and maintaining/testing the arrangement (regulationtomorrow: HMT publishes G7 Fundamental Elements of Collective ...).
The Financial Services Information Sharing and Analysis Center (FS-ISAC) serves as the sector's primary threat intelligence sharing body, sharing indicators of compromise and threat data multiple times daily through its information sharing portal (citibank: 2025 Public Sector Perspectives). FS-ISAC provides members with actionable intelligence during incidents, including threat actor capabilities (TTPs and IOCs), support for impacted firms, analysis of sector-level impact, and industry/public-private coordination (fsisac: Incident Response at FS-ISAC).
The effectiveness of this sharing is evidenced by member testimonials: "The regular updates from FS-ISAC's analysts on the status of the incident were valuable and we often had more reliable information coming from these updates than we did from the victim of the incident" (fsisac: Intelligence - FS-ISAC). Members receive trusted, real-time visibility through the member-driven intelligence community, enabling organizations to anticipate threats, respond faster, and reduce systemic risk (fsisac: FS-ISAC | Safeguarding the Global Financial System by Reducing Cyber Risk).
FS-ISAC has identified that DDoS attacks accounted for 35% of attacks targeting financial services in 2023, with the industry experiencing an almost exponential rise in such attacks between 2014 and 2024 (infosecurity-magazine: DDoS Attacks on Financial Sector Surge in Scale and Sophistication). The organization warns that threat actors will exploit vulnerabilities in critical infrastructures and leverage any tool available to destroy trust in system security (zdnet: The biggest challenge with increased cybersecurity attacks, according to analysts).
Real-time gross settlement systems incorporate multiple redundancy mechanisms. The Bank of England's renewed RTGS (RT2) operates within a dedicated secure zone with strengthened perimeter defenses, modular architecture enabling faster system recovery, dual-site operations enhancing service continuity, and a trusted independent data source providing robust protection against severe data loss or integrity breaches (bankofengland: Real-Time Gross Settlement (RTGS) system and CHAPS Annual Report 2024/25).
The ECB's TARGET Services employ a two-region/four-sites architecture providing both inter- and intra-regional failover, ensuring that even in extreme circumstances—natural disasters, pandemics, cyberattacks, or terrorist incidents—critical payment and securities settlement operations can continue with interruptions kept to a minimum (europa: What resilience takes: strengthening the financial system in an era of heightened risk). T2 alone processes roughly 90% of the total value settled by large-value payment systems in euro—more than €1.8 billion daily (europa: What resilience takes: strengthening the financial system in an era of heightened risk).
SWIFT's Market Infrastructure Resilience Service (MIRS) provides a fully diversified RTGS application offering operational and business continuity services in case of failure of primary and secondary sites, with a unique combination of software, staff, technological and geographical diversity for maximum threat coverage (swift: Market Infrastructure Resiliency Service (MIRS)). MIRS can rebuild balances at the point of failure in less than 2.5 hours without requiring direct data replication, increasing protection against cyber threats (swift: Market Infrastructure Resiliency Service (MIRS)).
The Enhanced Contingency Solution (ECONS II) for TARGET2 addresses situations where the T2 Service is unavailable due to major technical failure or successful cyber attack, allowing processing of critical transactions for up to five consecutive business days on segregated contingency settlement accounts (europa: Real-time Gross Settlement System (RTGS)).
Cyber insurance exclusions represent a significant gap in financial institution risk transfer mechanisms. Following the NotPetya incident—which caused damage exceeding $10 billion globally—Lloyd's of London mandated from March 2023 that all standalone cyber attack policies must contain cyber-specific war exclusions (cliffordchance: Cyber insurance – risks, opportunities and trends). Insurers are expanding war or cyberwar exclusions to cover state-backed attacks, with even incidents occurring in peacetime potentially falling within exclusions if a government is implicated (insurancethoughtleadership: Cyber Insurance Exclusions to Expect in 2026).
The challenge of attribution—determining whether a ransomware attack represents pure criminal activity or state-sponsored warfare—can take months of forensic investigation (totalcsr: Demystifying Cyber Insurance Exclusions: What They Mean for Your Insured). State-sponsored cyber threats may escalate, "adding to attribution challenges in the context of insurability" (carriermanagement: ‘Geoeconomic Fragmentation’ Challenges Insurers: Geneva Association).
The Merck litigation established important precedent: when Merck's cyber insurance carrier denied coverage for NotPetya losses under a war exclusion, claiming the malware represented military action, a New Jersey appellate court ruled that the war exclusions did not apply as the attack was not "hostile or warlike"—not involving "a sovereign power...intended to relate to actions clearly connected to war" (cliffordchance: Cyber insurance – risks, opportunities and trends). However, this precedent remains contested as insurers refine exclusionary language.
The global cybersecurity workforce shortage critically constrains defensive capacity. While the workforce has grown to 7.1 million, another 2.8 million jobs remain unfilled globally (bcg: Closing the Gap in the Cybersecurity Talent Shortage). Four industries account for 64% of this shortage: financial services, materials and industrials, consumer goods, and technology—notably the sectors facing seven out of ten cyberattacks (bcg: Closing the Gap in the Cybersecurity Talent Shortage).
The Basel Committee identified that skills shortages lead to recruitment challenges across jurisdictions, with some implementing specific cyber certifications to address this gap (bis: Cyber-resilience: range of practices). Some 74% of companies report the skills gap impacts their ability to secure sensitive information, while 58% of chief information security officers express concern that the gap will continue to widen (bai: Minding the (skills) gap for cybersecurity talent).
Governance structures reveal critical gaps: only 24% of organizations brief senior leadership on security matters monthly or more frequently (infosecurity-magazine: Supply Chain Breaches Impact Almost All Firms Globally, BlueVoyant Reveals). However, this is improving—84% of boards now regularly assess political risk impact on strategy, more than double the 40% in 2021 (corporatecomplianceinsights: How Boards Are Rewiring for Geopolitical Risk). Two-thirds of boards participate in scenario planning and tabletop exercises related to geostrategic risks—triple the 22% from 2021 (corporatecomplianceinsights: How Boards Are Rewiring for Geopolitical Risk).
The NCUA urges credit union boards to prioritize cybersecurity as a top oversight and governance responsibility, noting that seven out of ten cyber incident reports were related to third-party vendor involvement (ncua: Board of Director Engagement in Cybersecurity Oversight). Boards must approve comprehensive information security programs, review them at least annually, and ensure resilience plans allow continued operation during and after cyber-attacks (ncua: Board of Director Engagement in Cybersecurity Oversight).
Central bank digital currencies introduce new vulnerabilities requiring careful consideration. The IMF warns that a CBDC creates a vast and complex ecosystem amplifying existing risk exposures while surfacing new ones—"without security, there is no trust, and without trust, there is no money" (imf: Cyber Resilience of the Central Bank Digital Currency Ecosystem, PDF). CBDC vulnerabilities could be exploited to compromise a nation's financial system, with centralized data collection posing major privacy and security risks (imf: Central Bankers' New Cybersecurity Challenge).
BIS analysis of DLT attacks in the DeFi domain reveals that existing threat modeling techniques may not adequately address threats to CBDCs using novel technology like smart contracts (bis: Project Polaris: closing the CBDC cyber threat modelling gaps). The "mean time to attack" for DeFi implementations averages approximately 10 months between launch and successful compromise—a critical consideration for central banks planning CBDC deployment (bis: Project Polaris: closing the CBDC cyber threat modelling gaps).
Potential threat agents identified include organized crime groups, hackers, professional criminals, compromised third-party technology providers, nation-state-sponsored groups, malicious end users, and natural or human-caused disasters (mariblock: BIS highlights cybersecurity risks, proffers framework for ‘secure’ CBDC systems). The Federal Reserve emphasizes that attackers will continue using phishing attacks and malware to obtain credentials or private keys, malicious insiders will leverage privileged access, and nation-states will engage in espionage against another nation's critical infrastructure (federalreserve: The Fed - Security Considerations for a Central Bank Digital Currency).
CISA's Shields Up guidance provides the framework for operational response during geopolitical escalation. Organizations must validate that all remote access requires multi-factor authentication, ensure software is updated prioritizing known exploited vulnerabilities, disable non-essential ports and protocols, and implement strong cloud security controls (cisa: Shields Up: Guidance for Organizations). During incidents, organizations should lower reporting thresholds to help identify issues and protect against further attacks (integrisit: New Shields UP Guidelines Impact Financial Institutions).
Key defensive measures include: assuming compromise and planning for breach; maintaining offline, air-gapped backups not connected to the network; testing recovery procedures under pressure; implementing network segmentation to contain damage; and conducting regular tabletop exercises to ensure all participants understand their roles (youtube: The Cyber Retaliation: Why Bank Apps Are Failing Now).
In response to the Ukraine conflict, banks have pursued defensive strategies driven by risk and shock mitigation, including freezing assets, diversifying investment and lending portfolios, and enhancing risk and compliance functions (kpmg: Managing today's geopolitical risks). Boards must understand their enterprise's operational exposures and the speed with which they can adapt amid geopolitical shocks, including whether financial reserves could absorb a shock and the confidence in counterparty financial strength (corporatecomplianceinsights: How Boards Are Rewiring for Geopolitical Risk).
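Two of the Shields Up actions above, validating that internet-facing remote access enforces MFA and patching in order of known exploited vulnerabilities, can be driven from a scanner export cross-referenced against the CISA Known Exploited Vulnerabilities catalog. The script below is an added example, not CISA's or any vendor's tooling: the inventory and the KEV excerpt are constructed inline (the KEV field names follow the catalog's published JSON, but the CVE ids, vendors and hosts are placeholders), and the scoring weights are assumptions a team would tune to its own risk appetite.

```python
"""Rank assets for remediation using KEV membership, KEV due dates,
exposure at the network edge, and missing MFA on remote access.

Added example; the scoring is an assumption, not a CISA formula.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV catalog JSON. Field names
# match the real catalog; every CVE id, vendor and product here is a placeholder.
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVPN", "product": "Gateway",
   "dateAdded": "2025-03-01", "dueDate": "2025-03-22", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-00002", "vendorProject": "ExampleFW", "product": "Edge Firewall",
   "dateAdded": "2025-03-10", "dueDate": "2025-03-31", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-00003", "vendorProject": "ExampleDB", "product": "Server",
   "dateAdded": "2025-02-01", "dueDate": "2025-02-22", "knownRansomwareCampaignUse": "Unknown"}
]}
"""

# Constructed inventory: the kind of merge of scanner output and CMDB data a
# bank's security team would hold. mfa_enforced is None where MFA is not applicable.
INVENTORY = [
    {"host": "vpn-01", "role": "vpn", "internet_exposed": True, "mfa_enforced": False,
     "cves": ["CVE-0000-00001"]},
    {"host": "fw-edge-02", "role": "firewall", "internet_exposed": True, "mfa_enforced": True,
     "cves": ["CVE-0000-00002", "CVE-0000-00099"]},
    {"host": "db-core-07", "role": "database", "internet_exposed": False, "mfa_enforced": None,
     "cves": ["CVE-0000-00003"]},
    {"host": "web-brochure", "role": "web", "internet_exposed": True, "mfa_enforced": None,
     "cves": ["CVE-0000-00099"]},
]

REMOTE_ACCESS_ROLES = {"vpn", "rdp-gateway", "bastion"}
EDGE_ROLES = {"vpn", "firewall", "rdp-gateway", "bastion"}


def load_kev(raw: str) -> dict[str, dict]:
    """Index the KEV catalog by CVE id for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def assess(asset: dict, kev: dict[str, dict], as_of: date) -> tuple[int, list[str]]:
    """Score one asset (higher = fix sooner) and explain why. Weights are assumptions."""
    score, reasons = 0, []
    exposed = asset["internet_exposed"]
    # Shields Up: every internet-reachable remote access path must require MFA.
    if asset["role"] in REMOTE_ACCESS_ROLES and exposed and not asset["mfa_enforced"]:
        score += 50
        reasons.append("remote access reachable from the internet without MFA")
    for cve in asset["cves"]:
        entry = kev.get(cve)
        if entry is None:
            continue  # not known-exploited: handled by the normal patch cycle
        pts = 20
        if entry.get("knownRansomwareCampaignUse") == "Known":
            pts += 10
        due = date.fromisoformat(entry["dueDate"])
        if as_of > due:
            pts += 10
            reasons.append(f"{cve} is past its KEV due date ({due.isoformat()})")
        else:
            reasons.append(f"{cve} is in KEV, due {due.isoformat()}")
        score += pts
    # Edge devices (VPNs, firewalls) are the most exploited initial access vector.
    if exposed and asset["role"] in EDGE_ROLES:
        score = int(score * 1.5)
    return score, reasons


def prioritise(inventory: list[dict], kev: dict[str, dict], as_of: date) -> list[dict]:
    """Return assets with a non-zero score, highest first."""
    ranked = []
    for asset in inventory:
        score, reasons = assess(asset, kev, as_of)
        if score:
            ranked.append({"host": asset["host"], "score": score, "reasons": reasons})
    ranked.sort(key=lambda r: (-r["score"], r["host"]))
    return ranked


def run_example(as_of_iso: str = "2025-04-01") -> list[dict]:
    """Run the constructed inventory against the constructed KEV excerpt."""
    return prioritise(INVENTORY, load_kev(KEV_JSON), date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for row in run_example():
        print(f"{row['host']:14s} {row['score']:4d}  " + "; ".join(row["reasons"]))
```

Hosts whose only findings are non-KEV CVEs drop out of the list entirely, which is the point: with a five-day average weaponisation window, the queue that matters is the known-exploited one.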
The intensification of geopolitical tensions creates a threat environment where cyber attacks on financial infrastructure have evolved from opportunistic criminal activity to instruments of strategic statecraft. The convergence of nation-state capabilities, AI-enabled attack automation, supply chain concentration, and systemic interconnections means that the question is no longer whether financial infrastructure will face sophisticated attacks, but how effectively institutions can anticipate, withstand, recover from, and adapt to them.
As Federal Reserve Vice Chair Barr emphasized, "cyber risk from both foreign powers and non-state actors has become a major concern for banks...disruption of one of these critical systems may compromise a bank's ability to execute important functions and adversely affect individual firm safety and soundness as well as the broader financial system" (federalreserve: Barr, Risks and Challenges for Bank Regulation and Supervision). The operational disruption propagated through the CrowdStrike incident "was a wake-up call for banks and regulators about vulnerabilities in a system where security is outsourced" (federalreserve: Barr, Risks and Challenges for Bank Regulation and Supervision).
The ECB's assessment captures the imperative: "In times of increasing digitalisation and geopolitical tensions which are fuelling cyberattacks, operational resilience is more important than ever...unlike financial resilience, operational resilience can't be built up by accumulating Common Equity Tier 1. Instead, boosting operational resilience requires investment" (europa: Frank Elderson: Resilience offers a competitive advantage, especially in uncertain times). Given current elevated bank profitability, the time is right to continue investing in operational resilience—the more banks invest with strategic foresight, the better prepared they will be when attacks occur (europa: Frank Elderson: Resilience offers a competitive advantage, especially in uncertain times).