Global Banking & Finance Review®

    Digitalisation and cyber risk: Do banks have their heads in the cloud?

    Published by Jessica Weisman-Pitts

    Posted on November 25, 2022


    Last updated: February 3, 2026


    By Libero Marconi, Director with Alvarez & Marsal and Vishal Pandey, Senior Director with Alvarez & Marsal’s Disputes and Investigations Global Cyber Risk Services practice.

    As the financial sector grows increasingly digitised, both cyber and data risks have developed in tandem, with the need to proactively combat such threats becoming paramount for financial institutions.

    The adoption of cloud computing technology by financial institutions, alongside the outsourcing to third-party vendors of key tasks supporting digital banking service delivery, is allowing them to streamline operations and work seamlessly across borders. On the flip side, the migration opens these firms up to an increased, and rapidly evolving, risk of cyberattacks and data breaches, as well as the reputational damage these bring about.


    On top of this, the advent of digital banking has meant that customers themselves are increasingly at risk of being duped or defrauded, most commonly through phishing and malware. The latest data released by the Financial Crimes Enforcement Network, for example, shows that the number of ransomware-related transactions flagged by US banks increased by more than 100% from 2020 to 2021[1].

    Regulators are fast attempting to address the trade-off between innovation and cybersecurity, issuing new rules and guidance to ensure firms are best prepared to fend off any unwelcome attacks.

    But what are the risks exactly and how are they being addressed?

    Third parties and the cloud

    While mass migration to the cloud has been pronounced among financial services institutions in recent years, it has not always been seamless. Even though existing infrastructures and capabilities may limit their ability to detect and address new risks and vulnerabilities, firms commonly move applications and infrastructure to the cloud without adequate planning – especially as it relates to cybersecurity and data access controls.

    One issue commonly seen is that legacy infrastructure with physical firewalls and existing network segmentation/design may not readily adapt to, or fit within, the targeted cloud architecture. This can leave gaps and vulnerabilities where existing cybersecurity controls do not translate over.

    Security controls are implemented differently in the cloud because of the tools that are native to each cloud provider’s environment and the fact that cloud providers typically take responsibility for the security of the lower-level infrastructure layers. The shared-security responsibility between cloud providers and the clients they host changes how organisations should anticipate and prepare for security risks.

    Dependence on a single cloud vendor can also increase cyber risk significantly for financial institutions. New York’s Federal Reserve has previously warned about a “transmission of a shock throughout the network” in the event financial services are connected through a “shared vulnerability”[2]. Meanwhile, the Bank for International Settlements said in July that the financial sector’s growing fondness of cloud computing was “forming single points of failure” and “creating new forms of concentration risk at the technology services level”[3].

    If successful, an operation carried out by a cybercriminal on a commonly used vendor can go undetected, especially if the responsibility model between the cloud service provider and the organisation is not clearly and comprehensively understood. To avoid this, institutions should ideally develop an IT security and risk programme for their cloud usage that spans both people and processes.

    Cybercriminals are now capitalising on the increasingly interconnected financial system and turning to so-called “island hopping” attacks to reach their targets. Such attacks are hacking campaigns that target an organisation’s more vulnerable third-party vendors to circumvent the target company’s defences and gain access to their network…

    This can be mitigated by institutions developing a comprehensive third-party vendor management programme, and appointing key personnel with dedicated roles and responsibilities to manage vendors and associated cybersecurity risks.

    Allocating clear reporting chains and accountability can also go a long way, as will ensuring that important areas such as classifying and optimising vendor portfolios, formalising plans before onboarding vendors, securely managing transitions to support changes, and effectively terminating relationships with vendors, are in place.

    Ensuring that contracts, vendor performance, and vendor relationships are managed and closely monitored is also key for firms. They should aim to improve their third-party vendor management programmes by conducting rolling reviews.

    Regulators have chimed in on the issue as the risk has compounded in recent years. In recent months, the Bank of England conducted a survey of executives in the UK financial sector, finding that some 74% of respondents considered a cyberattack to be the highest risk to the financial sector in both the short and long term, with inflation or a geopolitical incident trailing behind[4].

    The BoE’s Prudential Regulation Authority is also investigating concentration risk of cloud provision and whether this presents a systemic risk to the financial sector, which is likely to affect both providers and customers[5].

    It said that while it recognises the potential benefits of services provided by third parties, their failure, or severe disruption to their material services, could pose risks to individual firms, to financial market infrastructure firms and even to the UK’s wider financial stability. The regulator is also asking for input on the role of big tech in the financial sector.

    Gone phishing

    Additionally, the advent of digital banking has meant that users are increasingly at risk of being duped, most commonly through phishing attacks. Hackers often contact bank customers posing as bank representatives with the underlying aim of stealing login credentials, credit card or financial information, and sensitive personally identifiable information, among other sensitive data.

    This is made all the more difficult because steps that seem rational and routine to bank staff may not align with consumer behaviour – victims often don’t see warnings, or they do but deem them irrelevant.

    Such attacks have proven very successful, owing to the carefully crafted attack messages and the seemingly authentic appearance of these communications, which make them difficult to detect. Newer techniques have also emerged; “whaling” is a process whereby emails are sent targeting chief executives, while “spear-phishing” is another electronic communications attack vector targeted towards a specific individual, organisation, or business.

    Digital banking services providers can counter such attacks by employing data analytics and machine learning to detect fraud, and appropriately escalating and responding to such incidents in accordance with a documented response plan and playbook. Additionally, they can educate customers on good digital practices, utilise customer behaviour profiles to pick up on unusual behaviour, and implement multi-factor authentication.

    Malware-related attacks involve malicious software injected into endpoint or mobile devices, servers, or networks. Malware – for those not familiar with the term – can come in the form of worms, viruses, spyware, ransomware, etc. According to recent research, the number of known malware attacks crept up by 11% in the first half of 2022 to 2.8 billion, with the financial sector being actively targeted[6].

    In the event an end user’s device (e.g. that of a bank employee or trusted third party) is compromised with malware, it could pose a threat to a bank’s digital network if that device then connects within the organisation’s network. From a customer perspective, if a customer carries out an online transaction using an infected device or system, the malware may steal the user’s credentials and contribute to fraudulent activity.

    Protecting digital banking systems and infrastructure from malware can begin with using runtime application self-protection solutions, strong antivirus and Endpoint Detection and Response (EDR) software, alongside multi-factor authentication and behavioural analysis to help protect the user even if a successful attack has exfiltrated sensitive credentials.

    Regulatory horizon

    In one of the most significant regulatory moves this year, the European Union reached provisional agreement on the new Digital Operational Resilience Act (DORA) in May. This regulation is specifically tilted toward the banking and financial services industry, and aims to strengthen the security of institutions by imposing resilience requirements and regulating financial institutions’ contractual relationships with their suppliers.

    However, the regulation extends far beyond the EU and its financial sector by virtue of its aims. DORA’s uniform requirements for the security of network and information systems also address critical third-party vendors providing information and communications technology related services to the financial sector, such as cloud platforms and data analytics.

    More broadly, members of the European Parliament recently approved rules requiring EU member states to comply with tighter supervisory and enforcement measures and harmonise their sanctions. The legislation sets out tighter cybersecurity obligations for risk management, reporting obligations, and information sharing.

    Operational resilience has also been a major focus in UK financial services for some time and it is likely that the UK will legislate its own version of DORA in the next year.

    In the United States, two significant regulations have come about in 2022 that look to address the issue. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law in March this year and calls on critical infrastructure companies – including financial services – to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).

    The Securities and Exchange Commission (SEC) also proposed a rule that same month that would require publicly-listed companies to begin reporting their cybersecurity capabilities and their board’s cybersecurity expertise, as well as any cybersecurity breaches, to the SEC within stipulated timeframes.

    Conclusion

    It is clear that financial institutions face unprecedented challenges as their embrace of digital solutions continues to move at a fast pace – something that regulators have recognised and are addressing by establishing rules and guidance accordingly. However, in order to minimise risk and disruption, firms must implement well-defined and planned security controls when migrating to cloud solutions and infrastructure – and should vet the critical third parties that they outsource sensitive functions to. Alerting and educating customers and employees on good digital banking practice and awareness is also a key tenet of the battle against cyber risk.

    [1] https://www.fincen.gov/sites/default/files/2022-11/Financial%20Trend%20Analysis_Ransomware%20FTA%202_508%20FINAL.pdf

    [2] Cyber Risk and the U.S. Financial System: A Pre-Mortem Analysis – FEDERAL RESERVE BANK of NEW YORK (newyorkfed.org)

    [3] Big tech interdependencies – a key policy blind spot (bis.org)

    [4] Systemic Risk Survey Results – 2022 H2 | Bank of England

    [5] DP3/22 – Operational resilience: Critical third parties to the UK financial sector | Bank of England

    [6] Mid-Year Update to the 2022 SonicWall Cyber Threat Report | Threat Intelligence

    Frequently Asked Questions about Digitalisation and cyber risk: Do banks have their heads in the cloud?

    1. What is cybersecurity?

    Cybersecurity refers to the practice of protecting systems, networks, and programs from digital attacks. It involves implementing measures to safeguard sensitive data and maintain the integrity of information systems.

    2. What is digital banking?

    Digital banking is the digitization of all traditional banking activities, allowing customers to conduct financial transactions online. It includes services like online banking, mobile banking, and digital payment solutions.

    3. What is cloud computing?

    Cloud computing is the delivery of computing services over the internet, allowing users to access and store data on remote servers instead of local computers. It offers flexibility and scalability for businesses.

    4. What is phishing?

    Phishing is a cybercrime where attackers impersonate legitimate organizations to trick individuals into providing sensitive information, such as passwords or credit card numbers, often through deceptive emails or websites.

    5. What is risk management?

    Risk management is the process of identifying, assessing, and controlling threats to an organization's capital and earnings. It involves strategies to minimize potential losses and ensure business continuity.
