Research from Bridewell, a leading UK-based cyber security services provider, has found compliance with regulation as the chief challenge, as well as the main stimulus, for increasing cyber security maturity in the financial services sector. The study, entitled Cyber Security in Financial Services: 2025, also shows that response times to cyber threats like ransomware are not getting any quicker, with supply chain attacks taking the longest to deal with.
The study surveyed retail and investment banks, payment processors, clearing houses, and related institutions as part of Bridewell’s wider Cyber Security in Critical National Infrastructure: 2025 report. It highlights the sector’s greatest cyber security challenges and how financial services organisations are adapting to evolving threats like AI and the implications from increasing regulatory demands.
The main findings include:
Compliance and data protection are at the top of the agenda
Complying with cyber security regulations has emerged as the single most pressing challenge for financial institutions, cited by 44% of respondents. This reflects the growing burden of frameworks such as the NIS Regulations, the Cyber Assessment Framework (CAF) and international legislation including the EU’s DORA and MiFID II.
Meanwhile, data protection remains a critical issue. Financial organisations, frequent targets of both cyber criminals and nation-state actors, report heightened concerns around data privacy (39%) and the security of critical assets (37%).
Response times are improving but supply chain attacks linger
The average response time to ransomware attacks is 6.71 hours, which is up slightly from last year’s average of 6.62 hours. However, supply chain attacks, amplified by complex systems and third-party software dependencies, remain a major concern as they take financial organisations nearly 16 hours to respond to on average.
Remote working and cloud security bring new risks
With remote and hybrid work practices now entrenched in the sector, 39% of organisations view them as key security concerns, notably above the rest of the CNI sector’s average. Cloud security (35%) and incident detection capabilities (30%) are also high on the list of challenges.
Nation-State and global threats shift in perception
Economic turbulence remains the most cited external threat (76%), although concern is slightly down from 83% in 2024. Worry over state-linked cyber actors such as Russia (70%) and Iran (69%) remains high, but notably, fear of China-backed threats has fallen sharply from 80% to 57%.
AI-powered threats surge, especially phishing
While organisations increasingly use AI for defence, such as automated incident response (33%) and threat intelligence (22%), AI-powered phishing attacks are now the most feared emerging threat, with 89% of respondents expressing concern.
Skills shortage and budget pressures persist
Although 81% of respondents express confidence in their ability to secure IT infrastructure, the shortage of cyber expertise remains a bottleneck. More than half (52%) plan to outsource to address the skills gap, while others turn to reskilling (39%) and regional security partnerships (31%). Encouragingly, 63% of financial services firms will increase cyber security investment over the next year, with more than a fifth boosting budgets by up to 10%.
“This research reinforces the importance of financial service organisations building true cyber resilience and that regulation is no longer just a tick-box compliance issue, it is one of the primary drivers of cyber security maturity across the sector – closely coupled with an established and embedded risk management approach,” said Sam Thornton, COO of Bridewell. “Financial organisations are facing a perfect storm of regulatory scrutiny, AI-driven cyber threats and talent shortages and therefore the sector must adopt a more strategic, proactive approach to cyber resilience that integrates the right technology with highly skilled people and agile processes.”
