5 types of emerging cyberthreats for financial services organizations

Balancing user experience with security, navigating regulatory requirements and assessing emerging threats are all critical areas of focus for financial services organizations’ cybersecurity resilience. From banks to insurers to the capital markets space, the financial services industry possesses seemingly infinite amounts of valuable customer and operational data. Understanding how risks are changing is essential.

"The landscape of cybersecurity is always evolving, and there will always be new emerging threats and more complex types of threats,” says Marissa Schlagenhauf, a financial services senior analyst at RSM US LLP. “It is essential to be able to adapt to those, be dynamic in your cybersecurity protocol, and prevent issues from happening before it's too late.”

Though the percentage of respondents reporting breaches over a one-year term in the Q1 2025 RSM US Middle Market Business Index survey fell significantly compared to a record high in the previous year, companies cannot afford to be complacent in an environment of constantly emerging threats.

Here are five types of emerging cyberthreats that financial services organizations should understand and take measures to prevent:

1. Phishing and social engineering: Bad actors continue to use phishing and social engineering to get hold of sensitive information. While most financial services organizations already have email filtering in place to root out phishing attempts, newer artificial intelligence tools may also help combat the threat. Organizations can use AI tools to analyze patterns that might show up in emails, social media and other platforms employees use, helping the business understand how these phishing attempts are evolving and equipping employees with proper training.
   
   
2. Distributed denial-of-service (DDoS) attacks: While DDoS attacks—large volumes of malicious traffic to disrupt a website—have been a major cybersecurity issue for some time, financial services organizations must continue to prioritize them when it comes to threat prevention. Companies should have proper mechanisms in place to detect and absorb excess traffic from such attacks. Organizations should also continually revisit their technologies to prevent DDoS threats before they happen.
   
   
3. Advanced persistent threats: For these types of threats, in which attackers gain unauthorized access to a system and remain undetected for some time, it is especially important for organizations to take a preventive approach rather than only reacting after detecting a threat. Penetration testing, audits and machine learning applications to ferret out unusual patterns of behavior are all important elements of that preventive approach.
   
   
4. Data breaches: Enhancing encryption protocols for data in transit and data at rest is central for financial services organizations to protect themselves from data breaches. Deploying zero-trust architecture and identity access management protocols is also important and may be even more critical where retail investors are involved.
   
   
5. Supply chain attacks: Many parts of the financial services ecosystem rely on third parties, and as organizations use AI and its related cloud infrastructure more frequently, that reliance will continue to grow. Financial services organizations need to understand how many layers of their supply chain they need to evaluate for various risks, and how the ripple effects from their suppliers’ suppliers might affect them.
    

“Fourth-party risk will be a major concern and become more a part of third-party risk monitoring, especially as organizations continue to move to the cloud and use AI,” Schlagenhauf says. “Companies have to ask themselves whether third parties that their own third parties depend on could potentially interrupt their service, should an issue arise.”

Financial services organizations need to assess how to maintain a frictionless customer experience while providing security against these emerging cyberthreats. Implementing two-factor authentication, for instance, has become standard for securing accounts, but companies must also understand how that added layer of security affects the user experience.

Layered on top of all these priorities are the many regulatory requirements finance organizations need to adhere to, plus labor challenges in the industry. Outsourcing some aspects of operations can help entities meet those requirements while also maintaining efficiency across the business.