Securing trust: The cornerstone of customer confidence in Financial Services

For financial institutions, trust is as critical a currency as the money they manage. Clients entrust their personal and financial data to banks, investment firms, and insurance companies, expecting it not only to grow but also to be safeguarded against all forms of cyber threats.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

When it comes to cyber risk management, the financial services sector faces stringent regulations and standards. Laws such as FFIEC IT and GDPR, the SEC requirements, standards like NIS2 or DORA, and frameworks like NIST, ISO, PCI, SIG, or SOC2 have made robust security postures a mandate. Cybersecurity programmes have become synonymous with nurturing customer relationships to build and maintain trust, and with increasing accountability and transparency to executive boards, audit committees, regulators, and investors.

Every breach is a crack in customer confidence

In over two decades in cybersecurity, I’ve seen how the swift evolution of cyber threats directly correlates with customers' sense of security. Financial institutions face not just direct losses from theft, but also long-term reputational damage that can hinder customer acquisition, loyalty, and retention.

Cyberattacks can also have longer lasting impacts such as damage to the organisation’s share value, increased insurance premiums, and increased audit requirements from regulators, investors, or credit lending agencies. According to the IBM Cost of a Data Breach Report, the financial sector has one of the highest churn rates following a breach, underscoring the direct link between trust and customer loyalty. The average cost of a data breach in the financial sector is $5.9 million per incident, the second highest after healthcare.

The lesson is clear: cybersecurity lapses and ineffective governance don’t just disrupt operations; they erode the very trust that binds customers to their financial services providers.

Proactive measures for enhanced security: prevention is better than cure

Stepping beyond mere threat response, the cornerstone of modern cybersecurity in finance is anticipation and prevention. Cybersecurity leaders in the financial services sector must consider the following best practices:

1. Foster transparency with stakeholders

Transparency is key in trust-building. Regularly communicate with your stakeholders about your cybersecurity efforts and the state of your defenses. This includes sharing updates about new threats, changes in the security landscape, enhancements to your cybersecurity protocols, and the overall health of your security posture. Transparency not only reassures boards and clients, but also empowers them by making them feel involved and informed.

2. Implement rigorous access controls

One practical step in safeguarding data is to implement strict access controls and identity verification mechanisms. Utilize multi-factor authentication (MFA) and robust identity and access management (IAM) solutions to ensure that only authorized personnel have access to sensitive data. This reduces the risk of data breaches and unauthorized access, reinforcing trust in your security measures.

3. Regularly update and patch systems

Keep your software and systems up to date with the latest security patches and updates. This protects your systems from known vulnerabilities that cybercriminals could exploit, such as those tracked in CISA’s Known Exploited Vulnerabilities (KEV) Catalog: Bitsight research found that in 2023, 35% of organizations had a KEV-listed vulnerability, and these vulnerabilities are 2.7 times more prevalent than others. Regular updates are not just necessary for compliance; they also demonstrate to your customers and partners that you are committed to maintaining a secure environment.
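The KEV point above turns into a concrete patch-prioritisation rule: anything on the catalog is treated as exploited in the wild and is remediated ahead of higher-scoring but unexploited findings, with the catalog's own due date as the deadline. The script below is an added illustration of that rule and is not code from the original post, from UK Finance, or from Bitsight. It assumes a scanner export of asset/CVE pairs and a KEV feed in the shape of CISA's public JSON (a `vulnerabilities` list with `cveID`, `dateAdded` and `dueDate`); every record in it is constructed, and the CVE identifiers are placeholders rather than real catalog entries.

```python
"""Prioritise open vulnerability findings using a CISA KEV snapshot.

Added example. The JSON shape mirrors the public CISA KEV feed, but all data
below is constructed and the CVE identifiers are placeholders.
"""
import json
from datetime import date

# Constructed KEV snapshot (example data, not the live catalog).
KEV_SNAPSHOT_JSON = json.dumps({
    "title": "constructed KEV snapshot",
    "vulnerabilities": [
        {"cveID": "CVE-2099-00001", "vendorProject": "ExampleVendor",
         "product": "ExampleVPN", "dateAdded": "2024-01-10",
         "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-00002", "vendorProject": "ExampleVendor",
         "product": "ExampleMail", "dateAdded": "2024-03-05",
         "dueDate": "2024-03-26", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner export: one row per asset/CVE pair with the reported
# CVSS base score. Internet-facing assets are flagged so exposure can be weighed.
FINDINGS = [
    {"asset": "vpn-gw-01", "cve": "CVE-2099-00001", "cvss": 8.8, "internet_facing": True},
    {"asset": "mail-01", "cve": "CVE-2099-00002", "cvss": 7.5, "internet_facing": True},
    {"asset": "hr-db-02", "cve": "CVE-2099-00003", "cvss": 9.8, "internet_facing": False},
    {"asset": "build-07", "cve": "CVE-2099-00004", "cvss": 5.3, "internet_facing": False},
]


def load_kev(json_text):
    """Index a KEV feed by CVE id so each lookup is a dictionary hit."""
    feed = json.loads(json_text)
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def prioritise(findings, kev, today_iso):
    """Return findings sorted so the most urgent remediation work comes first.

    Tier 0: KEV-listed and past the catalog's due date (already overdue).
    Tier 1: KEV-listed, due date not yet reached.
    Tier 2: not in KEV; ordered by CVSS within the tier.
    Internet-facing assets sort ahead of internal ones within each tier.
    """
    today = date.fromisoformat(today_iso)
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            tier, reason = 2, "not in KEV; rank by CVSS"
        else:
            due = date.fromisoformat(entry["dueDate"])
            if today > due:
                tier, reason = 0, f"KEV, overdue since {due.isoformat()}"
            else:
                tier, reason = 1, f"KEV, due {due.isoformat()}"
            if entry.get("knownRansomwareCampaignUse") == "Known":
                reason += "; known ransomware use"
        ranked.append({**f, "tier": tier, "reason": reason})
    ranked.sort(key=lambda r: (r["tier"], not r["internet_facing"], -r["cvss"]))
    return ranked


def kev_exposure(findings, kev):
    """Share of distinct assets carrying at least one KEV-listed finding.

    The text quotes this kind of figure across organisations; here it is
    computed for one (constructed) estate.
    """
    assets = {f["asset"] for f in findings}
    affected = {f["asset"] for f in findings if f["cve"] in kev}
    return len(affected) / len(assets) if assets else 0.0


if __name__ == "__main__":
    kev = load_kev(KEV_SNAPSHOT_JSON)
    for r in prioritise(FINDINGS, kev, "2024-03-15"):
        print(f"tier {r['tier']}  {r['asset']:10} {r['cve']}  "
              f"cvss {r['cvss']}  {r['reason']}")
    print(f"assets with a KEV-listed vulnerability: "
          f"{kev_exposure(FINDINGS, kev):.0%}")
```

Run as-is it ranks the overdue VPN finding first even though the internal database finding has the higher CVSS score, which is exactly the reordering the KEV data is meant to drive; swap the constructed snapshot for the real feed and the scanner export for your own inventory and the same logic applies.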

4. Educate and train your team

When security becomes a core aspect of your organizational culture, every employee understands their role in maintaining and enhancing customer trust. Regular training sessions for all employees, especially those who handle sensitive financial information, can significantly lower the risk of breaches due to human error. It’s important to ensure security "enables" rather than "disables": security controls need to be not only effective but also simple to use, and their value must be understood by customers and users, so that they buy into using them instead of seeing them as a barrier to bypass.

5. Leverage audits and advanced cybersecurity analytics

Conduct regular security audits and risk assessments to identify vulnerabilities within your organisation's cybersecurity framework, and share the results. Using these findings when communicating risk to executives can help secure more budget and resources or increase the velocity of your security programme, and, when done the right way, demonstrate real risk reduction.

By implementing these strategies, cybersecurity leaders in the financial services industry can strengthen their defenses, comply with stringent regulations, and most importantly, build and maintain the trust that is so crucial in the financial sector. To achieve this, you must have the visibility, insights, and processes to identify, prioritise, communicate, and mitigate risks across your extended attack surface and your third-party supply chain, and put that information to work in your programme.