Large financial institutions have long been targets of cybercrime, as these organizations handle enormous volumes of customer data. As a result, disrupting bank operations through ransomware and stealing sensitive data are attractive opportunities for cybercriminals. With the development of artificial intelligence (AI) and advances in quantum computing, threat actors have new tools to deploy in their exploits against financial institutions.
Ransomware, phishing, supply chain attacks, and other exploits continue to threaten institutions. In a 2025 study of cyber risk trends, Munich Reinsurance Company (“Munich Re”) found four cyber risk “hot spots”: ransomware, scams, data breaches, and supply chain attacks.
The data compiled by Munich Re showed an increase in ransomware attacks, agile networks of hackers using ransomware, and a record ransom payment of $75 million. In addition, Munich Re found more than 5 billion accounts were compromised in data breaches, for which the average loss was almost $4.9 million and total fines for violations of the General Data Protection Act (GDPR) were EUR 1.2 billion.
Supply chain attacks, such as those involving third-party vendors, also pose a risk to large financial institutions. In 2025, several high-profile incidents involved financial services industry vendors:
- A ransomware attack and data breach at a financial services software company impacted more than 70 U.S. banks and credit unions.
- More than 4 million U.S. consumers’ personal information was stolen from a credit reporting agency through an attack on a customer relationship management system.
- Data involving some of the largest banks and investment companies was exposed in a breach at a real estate services provider.
As an industry, finance tops the list for incident response services provided by Mandiant, a cybersecurity consulting unit of Google. In 2024, financial services accounted for 17.4% of all cyber investigations Mandiant conducted globally, followed by business and professional services, at 11.1%, and high tech, at 10.6%.
Targeted industries, 2024
Source: M-Trends 2025 Report by Mandiant (Google Threat Intelligence Group)
Adding pressure to financial institutions to enhance their cybersecurity are evolving financial regulations and privacy laws. Examples of such regulations for U.S. clients include:
- The Securities and Exchange Commission (SEC) in 2025 finalized disclosure rules for public companies on cybersecurity incidents. For example, public companies must disclose material cybersecurity incidents within four business days on Form 8-K and provide updates on previously disclosed incidents.
- The New York Department of Financial Services (NYDFS) maintains robust cybersecurity measures and disclosure requirements that, among other things, require financial institutions to perform periodic risk assessments.
- Payment Card Industry Data Security Standard (PCI DSS) regulations impose technical and operational requirements for protecting cardholder data.
- The California Consumer Privacy Act (CCPA), unlike other state privacy laws, e.g., Colorado, Nevada, and Virginia, does not offer a blanket exemption to financial institutions that are subject to the Gramm-Leach-Bliley Act’s privacy protection rules. Differences in state privacy laws and the data protection obligations they impose increase the compliance burden on financial institutions.
Criminals’ evolving tactics
Cybercriminals are using increasingly sophisticated tactics, and AI is assisting them. A 2022 study by Vade found 35% of phishing attacks attempt to impersonate a bank or financial services entity.
Business email compromise, impersonation, phishing, and other social engineering attacks are becoming more persuasive and realistic with the use of AI. In prior years, ransomware attacks principally encrypted data, but these have evolved to encompass data exfiltration and cyberextortion — often with a ransom demand to avert publication of sensitive data.
The use of quantum computing is a less prevalent but emerging risk. Criminals are already seeking ways to use this highly sophisticated tool in their activities. If quantum computing can eventually break encryption, as cybersecurity experts predict, how will financial institutions and other organizations keep their data secure?
Business interruption remains a major risk for financial institutions. The disruptive effect of ransomware and other exploits extends beyond data, with financial institutions being highly dependent upon the resilience of their network.
Banks and other financial firms will need to adapt to evolving cybercrime tactics. AI is a double-edged sword. While cybercriminals are using it to improve the effectiveness of their attacks, financial institutions and other organizations also can tap AI to scan for vulnerabilities and deploy defenses.
Cyber risk preparedness
A 2025 global survey by Munich Re found 87% of C-suite executives believe their organization’s cyber protection is inadequate. Yet, a significant coverage gap exists because a majority of cyber risks are underinsured or uninsured.
Cyber insurance gross written premiums in North America in 2025 exceeded USD 10 billion, and Munich Re anticipates cyber GWP in the region will nearly double by 2030, approaching 20 billion. Despite this steep growth in cyber insurance, global cyber premium volume in 2024 accounted for less than 1% of worldwide property and casualty premiums. There remains a compelling argument for financial institutions and other industries to increase their cyber insurance protection.
Cyber Insurance Market North America – Gross written premium (GWP)
Source: Munich Re 2025 Global Cyber Risk and Insurance Survey
To improve their cyber risk management, financial institutions should strive to gain a clearer understanding of the threat vectors, root causes of cyber loss, and how cyber insurance can offer valuable protection. Cybersecurity and risk management partners are important allies for financial institutions. Working with expert insurance partners can help institutions protect against cyberattacks and mitigate the financial impact of those attacks.
How Munich Re can help
Munich Re Facultative & Corporate (“Munich Re F&C”) helps financial institutions mitigate the financial impact of cyber events with broad first- and third-party cyber insurance, including: business interruption, contingent business interruption, cyber extortion, event response expenses, data and privacy breach, network security liability, payment card industry liability, regulatory defense, and more. Munich Re F&C also offers coverage extensions for technology E&O, property damage from a cyber event, and media liability.
Munich Re F&C is a global business unit that offers facultative reinsurance and corporate insurance solutions for large companies through subsidiaries and branches of Munich Re. With our collaborative approach and deep knowledge across all industries, our clients benefit from our risk assessment expertise, customized products, and financial stability. Our client focus is rooted in our commitment to fostering partnerships for the long term. With our traditional and our innovative risk transfer solutions, we support you around the globe across all lines of business.
