Banks are gold mines for malicious actors as they not only safeguard customer funds but also hold a plethora of sensitive customer data. The rapid evolution of digital banking and the growing number of interconnected devices has resulted in customers finding it easier to manage their finances through online channels, exposing banking companies to increasing levels of cyber threats. The impact of cyberattacks on banks can be catastrophic, so strong measures are needed to counter the continuously evolving cyber threat landscape.

While many of these efforts come from regulation, it acts more as a foundation for effective online practices, rather than comprehensive playbooks. As such, banks have had to continuously find ways to combat threats like ransomware, distributed denial-of-service (DDoS), and phishing attacks.


The prominence of cyber-attacks in the banking sector has led to the creation of several cybersecurity regulations, placing constant pressure on banks to maintain robust cybersecurity practices. These regulations have implications for data handling, cyber risk testing, and incident reporting, among other items. Examples include the Bank Secrecy Act, the Gramm-Leach-Billey Act, and most recently, the Digital Operational Resilience Act. Non-compliance with cybersecurity-related regulations will often result in fines for banks, levied by governing authorities. For example, in October 2023, Paytm was fined $645,000 (INR53.9m) by the Reserve Bank of India for not reporting cybersecurity breaches on time.

Many cybersecurity regulations in the banking sector overlap, creating challenges for banks in dedicating resources toward compliance. A 2023 study conducted by ServiceNow found that 80% of banks struggle with data protection and privacy regulations. To address this issue, most banks prioritise mandatory regulations and avoid or give less importance to optional ones. Such issues have led to calls across the industry for more streamlined cybersecurity regulations. For example, in November 2023, the Bank Policy Institute and the American Bankers Association urged the White House’s Office of the National Cyber Director to take action to address multiple overlapping regulations.

Industry best practices

It has become increasingly clear that compliance alone is not enough to achieve cyber-resilience in the banking sector. Banks must also incorporate effective strategies to prevent, identify, and address cyber threats. These best practices include building up internal frameworks, teams, cultures, and incident response plans. Such efforts can also help banks comply with cybersecurity regulations.

A best practice that has received significant attention in the last two decades is hiring a chief information security officer (CISO). CISOs are critical to a company’s cyber resilience as they work to understand cyber threats and vulnerabilities and communicate this to key stakeholders across the company. In some cases, a CISO will be on the board of the company they work for, allowing them to correspond their findings to other executives. Research by GlobalData found that 18 of the top 20 banking companies by market cap had hired a CISO as of May 17, 2024. However, none of these CISOs sit on their company’s board.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Emerging technologies and initiatives

Many banks are exploring the prospect of using other technologies alongside existing security controls to improve their risk postures and protect against potential future threats. Banks are using AI to strengthen their cybersecurity efforts. For example, Nubank offers what it calls Intelligent Defenses, a protection system built with AI that recognises, alerts, and can prevent transactions that deviate from the customer’s purchasing patterns.

Biometric authentication systems have become commonplace in the banking sector. In particular, payment processors have integrated biometrics into digital and physical payment interfaces. At the most basic level, fingerprints are frequently used as a method of identity verification for customers. However, such practices raise concerns over biometric data handling processes.

Examples of other initiatives include using behavioral science to help customers and employees better understand and protect against phishing attacks and taking preemptive measures to protect data from quantum computers. For example, in July 2023, HSBC joined BT and Toshiba‘s Quantum-Secure Network to secure the transmission of test data and information between multiple physical locations using quantum key distribution.

Future outlook

Several changes must be implemented if banks are to ensure cyber-resilience. Most pertinently, regulatory requirements must be consolidated if banks are to ensure they comply with mandates efficiently. In addition, advanced biometric identification methods require significant guardrails to be accepted on a wider scale and ensure biometric data is being properly protected. While the idea of hiring a CISO is a relatively new area of focus, banks that do not have a CISO on the board may not fully recognise the importance of cybersecurity as a top priority for their organisation, or at the very least, may risk giving the impression that cybersecurity is not a key focus area.

Suneet Muru is an Associate Analyst, Thematic Team, GlobalData