
UK Financial Firms Must Put Security First

2026/03/04 20:37

UK financial firms now face stronger demands to make cybersecurity a core part of how they operate. The rules from regulators – the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) – came into force on 31 March 2025 and require firms to adopt a security-led approach to the way they manage their assets, dependencies and risks. This is to make sure they can continue operating services even when things go wrong.

Jonathan Gill, CEO of Panaseer, which provides cybersecurity automation and data analytics, explained the regulator’s stance. He said that the FCA’s reasoning “has always been clear: even with the best will in the world, breaches keep happening, and ensuring operational resilience is critical.”


The rules aim to stop firms treating security as a box-ticking exercise. Instead, firms must use clear and accurate data to understand where their weak points are, and then act on that information. Gill says that firms need a system “that reflects the organisation as it is instead of a best-fit approximation” and that makes data simple enough that everyone, in technical and non-technical roles, can make appropriate decisions about risk.

Why Cybersecurity Risk Is So High

Financial services are among the sectors most under threat from cybercrime. Firms handle vast amounts of personal and financial data and are connected to complex digital systems around the world. This makes them attractive targets for attackers.

Recent research shows that 65% of financial services organisations worldwide were hit by ransomware in 2024. In almost a third of these cases, attackers gained entry by stealing login credentials, with exploited software vulnerabilities accounting for a further 27% of attacks.

Another study found that almost six in ten (58%) large UK financial services institutions suffered at least one third-party supply chain attack in 2024, with nearly a quarter being attacked three times or more. Many firms still only assess third-party risk once when onboarding a supplier, rather than continuously reviewing risk.

Closer to home, a UK survey showed that around 65% of senior leaders in financial services believe weak cybersecurity defences are a risk to the UK’s economic growth. And nearly three-quarters say the UK needs stronger cybersecurity if it is to become a global leader in artificial intelligence.

Many Firms Are Not Doing Enough

Despite these growing threats, many financial firms are still not doing enough to detect and prevent cyberattacks before they happen.

Dan Kettle of Octagon Capital, a global investor and lender, commented: “Those more traditional lenders or providers that have been running for decades may not have kept up with the growing risk of cyber threats.”

“A significant number still lean heavily on traditional security measures rather than newer, proactive approaches.”

“For example, only a minority of firms take ongoing action to assess risk from suppliers and third parties.”

Nearly half of institutions only check risk at the start of a contract, and just 14% continuously monitor supplier risk using specialist tools. This leaves gaps that attackers can exploit.

Other organisations concentrate more on responding after a breach rather than identifying risks early. The same trends appear in global surveys, which show that only around a quarter of financial institutions currently spend significantly more on proactive security measures – such as monitoring, testing and vulnerability assessments – than on reactive work like recovery and fines.

This reactive stance can mean that emerging threats go undetected until it’s too late, increasing the potential damage to customers, reputations and business operations.

What More Firms Could Be Doing

To reduce cyberattack risk and improve threat detection, financial firms need to go beyond basic compliance. There are several practical steps they could implement:

A key improvement would be greater use of continuous monitoring and advanced threat detection tools. These systems use analytics and automation to scan networks and flag unusual behaviour in real time. This enables firms to spot attacks early and respond before major harm is done.

Strong identity protections, such as multi-factor authentication and regular credential audits, can dramatically reduce the risk of compromised access. Research shows that stolen credentials remain one of the top entry points for ransomware and other attacks.

Organisations should also invest in regular risk assessments and vulnerability testing, including penetration testing. These exercises help find weaknesses before attackers do, allowing firms to patch and improve defences proactively.

Better management of third-party and supply chain risk is also essential. This means more frequent reviews of suppliers’ security practices, stronger contractual requirements, and tools designed to track changes over time.

Finally, firms can improve internal readiness by training staff on recognising and reporting threats. Cybersecurity isn’t just an IT issue; every employee can play a role in spotting suspicious activity and helping to prevent breaches.

Conclusion

The message from regulators is clear: UK financial firms must embed security into their everyday operations, not just treat it as a compliance obligation. As Jonathan Gill put it, having the right data in a trusted, transparent system is vital if firms are to demonstrate resilience and manage risk effectively.

With cyber threats rising and attackers growing more sophisticated, financial institutions need to adopt smarter, more proactive defences. Investing in modern tools, continuous monitoring, stronger authentication, and ongoing risk evaluation will help firms protect themselves, their customers and the resilience of the wider financial system.
