secori research

Planning ahead

Industry Forecast on Cyber Risks in 2025

Year after year, the cyber risk situation has become a greater challenge and bleak security outlooks are now somewhat of a repetitive mantra across industries. Losses caused by cyberattacks are continuously increasing, attacks are becoming more refined, and new technological developments outpace the current state of the art. Besides, the recent US deregulation movement is now additionally increasing the pressure on the global cybersecurity landscape.

The outlook on the current cyber risk landscape has deteriorated further compared to previous years. Looking back at the last year, the industry association Bitkom concluded in its Wirtschaftsschutz report [1] that a staggering 67%, or €178.6 billion, of the financial losses suffered by German businesses resulted from cyberattacks.

The main difference in 2025, however, is the pivotal level of sophistication now reached in EU regulation relating to cyber and information security. Whether it will prove its worth depends, above all, on its implementation by the financial institutions. 

Besides, regularly and almost repetitively, publications such as the recent Risk Assessment Report [2] of the European Banking Authority (EBA) refer to huge numbers of financial institutions falling victim to potentially major ICT incidents due to cyberattacks, which suggests that the question is no longer whether organisations become victims of cyberattacks, but when they do and how big the impact of the attack will be.

It is therefore hardly surprising that two thirds of businesses now consider their very existence threatened by this bleak outlook, while only half of the Bitkom survey respondents thought so last year, and a mere tenth did three years ago. 

The new threat dimension of AI comes as a test to organisational readiness.

But why is there such a stark increase in cyber-related risks threatening the existence of businesses? Not the sole reason, but certainly a significant one, is the rise of artificial intelligence (AI) as the current driver of cybersecurity risks: as Allianz Commercial stated in its Allianz Risk Barometer 2025 [3], “new technologies” such as AI have emerged as a new challenge among the top ten business threats, alongside “cyber incidents”, which continue to lead as number one.

One of the threats posed by AI is, of course, the fact that hackers may use AI for their own purposes to improve attacks. However, the other side of the coin should not be ignored either. A lack of planning when implementing AI means that organisations are potentially opening themselves up to new security vulnerabilities.  

Financial institutions may, for instance, consider using AI for automated workflows like the analysis and evaluation of data or for a customer solvency check, thereby risking the confidentiality and integrity of their customers’ data. This could happen as a result of an organisation training its AI model with its own data. As the AI is given broad access to the organisation’s data, a financial institution’s strict access and authorisation boundaries are easily violated. 

Equally substantial are the risks harboured by automated workflows based on Large Language Models (LLMs), as they can return different answers to multiple iterations of the same question. Differing and unrepeatable results, however, are neither desirable for process consistency nor acceptable for auditing purposes.

To prevent risks like these, it is necessary to plan and structure the implementation and use of AI very well before adopting it. In this regard it is worrying that, according to the World Economic Forum, only 37% of the respondents to its survey for the Global Cybersecurity Outlook 2025 [4] stated that they “have a process in place to assess the security of AI tools before deploying them”. Among smaller organisations, 69% did not have such a formal process. There is a high chance that AI tools will be used before a comprehensive assessment of their risks and benefits has been conducted. To mitigate this risk, it is essential to establish a risk-oriented process, possibly even an AI management system, before implementing and operating AI tools.

AI will only be a training ground for other upcoming risks from new technologies.

While AI is the big focus of today, another upcoming technology that financial institutions will not be able to avoid in the long run is quantum computing. Even though there are no commercially available quantum computers yet, there is already a substantive risk from their development: attackers are stealing encrypted data today which they are not yet able to decrypt without quantum computing. However, as a lot of data has a long-term value, supposedly securely encrypted data stolen today may be stored until quantum computing becomes available to decrypt it. This so-called “Harvest Now, Decrypt Later” (or “Store Now, Decrypt Later”) tactic is a rapidly growing risk according to Europol. It suggests that when mitigating the risk of data theft, financial institutions must not rely on the idea that stolen data is protected as long as strong cryptographic controls are in place.

To highlight the significance of this emerging threat for financial institutions in particular, Europol hosted the Quantum Safe Financial Forum (QSFF) at the beginning of 2025 and in this context published a call to action [5] about the importance of transitioning to quantum-safe (or post-quantum) cryptography, both in terms of developing and implementing common guidelines. In comparison to today’s standards, such quantum-safe cryptography means further developing the current cryptographic algorithms so that they are hardened against cryptanalytic attacks by quantum computers.

As the QSFF expects quantum computers to be available within the next 10 to 15 years, there is already a sizeable need to improve the encryption methods used by financial institutions so that they do not fall victim to decryption at a later stage. To do so, financial institutions may get actively involved in efforts to define common guidelines and position themselves at the helm of state-of-the-art, quantum-safe cryptography. This will help not only to defend vulnerable assets, but also to avoid falling behind and to demonstrate a strong sense of duty to customers.

The European push for regulation coincides with a heightened need for sensible management.

Turning to regulation, international standards and best practices – as encouraged in the case of the QSFF – have long been a tested and successful way to manage the fall-out from cyberattacks. In its annual Cost of a Data Breach 2024 report [6], IBM states very clearly – as does the World Economic Forum in its Global Risks Report 2025 [7] – that best practices in incident response management and data hygiene are vital for any meaningful defence in the case of a security incident.

Beyond that, responsibly exchanging information on threats, vulnerabilities and incidents is also contributing its share to curbing cybercrime. According to the latest Cybercrime – Bundeslagebild report [8] of the German Federal Criminal Police Office, international law enforcement cooperation has demonstrated growing success in the fight against ransomware groups and underground economy marketplaces over the past years. Working on a national level is rarely enough in this line of work: catching individual hackers is not sufficient, because law enforcement is working against structures spanning multiple countries.

Similarly, another ray of hope is the ongoing development of international, universally applicable cybersecurity frameworks, vulnerability classification frameworks, and databases on threats and vulnerabilities such as MITRE ATT&CK or CISA’s KEV catalogue, which facilitate the work and international cooperation of cybersecurity professionals.

However, as much as international cooperation and universally applicable tools have become an increasingly valuable asset over the years, their existence and availability also depend on US legislation and US-based organisations. As we are currently bystanders to a strong push for deregulation in the United States, the very structures built to defend against cyber incidents and crime are coming under attack themselves.

The non-profit MITRE platform, for instance, recently almost lost its critical funding contract with the US Department of Homeland Security and could only extend it for a meagre 11 months on the morning of its previous expiration date [9].

On this basis, European initiatives like ENISA’s newly published European Vulnerability Database are increasingly important to ensure the retention of knowledge and structures in aid of cybersecurity. Equally, we are seeing a surge in legislative requirements to protect, among other critical infrastructures, the financial sector in the European Union. For financial institutions this means heightened regulatory requirements on a broad range of subjects. Be it the Digital Operational Resilience Act (DORA), the revised Network and Information Systems Directive (NIS-2), the Markets in Crypto-Assets Regulation (MiCAR), the EU AI Act, the Cybersecurity Act, or the Pilot Regime for Market Infrastructure based on Distributed Ledger Technology (DLTR): the EU has put together a tightly-knit regulatory package which increasingly accentuates more sensible management and the ongoing use of best practice in governance, risk, operations and compliance.

Based on all these efforts of the EU to secure its member states and their institutions, the task of the institutions now is to implement these directives and regulations. This should be the number-one priority for institutions, because these regulations aim to ensure a high level of cyber resilience – but can do so only if they are thoroughly implemented.

Thus, not just because of regulatory expectations, but also out of organisational aspiration, this sensible management must find its way into the collective awareness of financial institutions to address cyber security and resilience. Only then will it be possible to also address issues such as carelessness and undetected system failures, both of which are growing risk drivers according to ENISA’s Threat Landscape: Finance Sector report [10].

Dependencies on third parties are as much a risk driver as supply chains among cyber criminals.

Regardless of the European push for regulation, dependencies on the products and services of third parties continue to be one of the prime risk drivers, as attackers focus on the weakest point in the defence, which is most often a smaller third-party provider in a supply chain.

An equally worrying facet of the tight-knit third-party ecosystems, however, is that the underground economy for cybercrime is rapidly developing its own supply chains: the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) [11] reports that cybercriminals are working in efficient, highly specialised, work-sharing cooperation to gain the highest profit. They do, for example, use professional Initial Access Brokers who share their access to vulnerable systems with several other cybercriminals.

Besides these well-organised, financially motivated hackers, hacktivists in particular are on the rise. These groups are ideologically motivated actors, who often cooperate with or are even instructed by state organisations. The most common attack type of these hacktivists is the Distributed Denial of Service (DDoS) attack used to cause disruptions of services, often as part of geopolitically motivated cyberattacks (such as those used during the Russian war on Ukraine and the conflicts in the Middle East or between China and Taiwan). In the course of their actions, states or organisations which are not directly involved in the conflict fall victim as collateral damage due to attacks run on their highly connected third-party supply chains. This suggests that financial institutions must pay attention to threat dimensions well beyond the cyber sphere, including (regional) wars and conflicts as well as political and economic dependencies.

Financial institutions ought to take strategic direction from the 2025 risk drivers.

Given the emergence of new technologies, the expansion of regulatory requirements, and the continuous professionalisation of cyber adversaries, there are three key takeaways from this outlook that will determine the success of a financial institution’s cybersecurity posture in 2025.

First, understanding the political, geostrategic and economic dimensions of the cyber threat landscape is vital to avoiding the most precarious geographies, supply chains and dependencies.  

Second, implementing new technologies such as AI with caution and thorough preparation helps to reap the benefits they bring while avoiding opening up new flanks.

Third, building a new understanding of the value of regulation makes all the difference. So far, financial institutions have often understood regulatory requirements as the finish line of their journey to establish cybersecurity. However, the moment organisations are willing to embrace regulatory requirements as merely the bare minimum of their efforts and are ready to institutionalise cybersecurity thinking beyond these requirements, they will get ahead of the wave of cyberattacks.

Authors: Kristina Gramberg-Stenson & Christian Hammen

Literature

  1. Bitkom e.V. 2024. Wirtschaftsschutz 2024. [Online]. 28 August 2024. [Accessed 13 January 2025]. Available from: Wirtschaftsschutz 2024
  2. European Banking Authority. 2024. Risk Assessment Report of the European Banking Authority November 2024. [Online]. November 2024. [Accessed 24 February 2025]. Available from: Risk Assessment Report – November 2024 | European Banking Authority
  3. Allianz Commercial. 2025. Allianz Risk Barometer. [Online]. 15 January 2025. [Accessed 24 February 2025]. Available from: Allianz Risk Barometer | Allianz Commercial
  4. World Economic Forum. 2025. Global Cybersecurity Outlook 2025. [Online]. 13 January 2025. [Accessed 10 March 2025]. Available from: Global Cybersecurity Outlook 2025 | World Economic Forum
  5. Europol. 2025. Quantum Safe Financial Forum – A Call to Action. [Online]. 7 February 2025. [Accessed 24 February 2025]. Available from: Call for action: urgent plan needed to transition to post-quantum cryptography together | Europol
  6. IBM Corporation. 2024. Cost of a Data Breach 2024. [Online]. July 2024. [Accessed 13 January 2025]. Available from: Cost of a data breach 2024 | IBM
  7. Bundeskriminalamt. 2024. Cybercrime – Bundeslagebild 2023. [Online]. 13 May 2024. [Accessed 20 January 2025]. Available from: https://www.bka.de/DE/AktuelleInformationen/StatistikenLagebilder/Lagebilder/Cybercrime/2023/CC_2023.html
  8. Bundeskriminalamt. 2024. Cybercrime – Bundeslagebild 2023. [Online]. 13 May 2024. [Accessed 20 January 2025]. Available from: https://www.bka.de/DE/AktuelleInformationen/StatistikenLagebilder/Lagebilder/Cybercrime/2023/CC_2023.html
  9. Heise Online. 2025. CVE-Aus abgewendet, Schwachstellendatenbank der EU geht an den Start. [Online]. 17 April 2025. [Accessed 23 April 2025]. Available from: CVE-Aus abgewendet, Schwachstellendatenbank der EU geht an den Start | heise online
  10. European Union Agency for Cybersecurity. 2025. Threat Landscape: Finance Sector. [Online]. 21 February 2025. [Accessed 03 March 2025]. Available from: ENISA Threat Landscape: Finance Sector | ENISA
  11. Bundesamt für Sicherheit in der Informationstechnik. 2024. Die Lage der IT-Sicherheit in Deutschland 2024. [Online]. 12 November 2024. [Accessed 13 January 2025]. Available from: BSI – Bundesamt für Sicherheit in der Informationstechnik – Die Lage der IT-Sicherheit in Deutschland 2024