Future proofing against AI and quantum threats: How are leading financial organisations strengthening cybersecurity?

The cybersecurity landscape is evolving at an unprecedented pace. With two out of three executives identifying cyber as one of the top three AI risks, and quantum hacking predicted to emerge by 2035, financial risk managers face a critical question: Is your organisation prepared for the threats of tomorrow?
What has changed in cyber risk management over the past five years?
The transformation in cybersecurity has been dramatic, driven by a fundamental shift in the attack surface. Five years ago, organisations relied primarily on on-premises technology with a small number of controlled entry points. Today, the proliferation of software-as-a-service (SaaS), public cloud and mobile workforces has vastly expanded the number of exposed systems and identities an attacker can reach.
Perhaps most striking is the evolution in attack vectors. Malware, once the primary threat, now accounts for only a fraction of breaches. Identity-based attacks have surged to represent 70% of all incidents, with the remaining 30% predominantly involving vulnerability exploitation. This shift demands a complete rethinking of defensive strategies.
There’s also been an acceleration in attack pace and quality. Vulnerabilities that once took 30-90 days to exploit are now weaponised within hours. AI-enabled attacks have democratised sophisticated techniques previously reserved for nation-states, making them accessible to lower-tier threat actors.
How should financial institutions secure AI innovation while enabling business growth?
The challenge facing financial risk managers is clear: 46% of organisations struggle to ensure security and compliance while implementing AI initiatives. How can you balance innovation with protection?
A leading European bank has established dual governance structures: a compliance-focused "control tower" addressing regulation, legal considerations, and ethical use, alongside technical squads including an AI red team. This red team specifically examines the behaviour of non-deterministic models, recognising that uncertain outcomes require new safeguarding approaches.
The threat landscape demands this vigilance. Approximately 80% of phishing emails now leverage AI, resulting in a 50% increase in click rates due to improved communication quality. AI-generated malware is lowering barriers to entry for attackers, while automation is beginning to link discrete attack processes together.
What are the critical controls financial organisations must prioritise?
Despite technological advances, fundamental security hygiene remains paramount. A Chief Information Security Officer for an international business shares that their team manages 380 different generative AI solutions, requiring a delicate balance between enabling entrepreneurial innovation and maintaining security controls.
The consensus among security leaders is clear: boring basics matter. Identity management with comprehensive multi-factor authentication coverage, rapid vulnerability patching, and network segmentation form the foundation of effective defence. These controls prevent 90% of attacks, leaving only the most determined nation-state actors as outliers.
For financial institutions, the prioritisation framework should focus on:
- Visibility: Understanding where AI is deployed across browser-based, API, and multimodal access points
- Risk-based governance: Aligning to frameworks like NIST (National Institute of Standards and Technology) AI Risk Management Framework
- Data governance: Controlling data flow through generative AI tools to prevent leakage
- Exposure management: Prioritising vulnerabilities that are publicly exposed and actively exploited
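The exposure-management bullet above is a ranking rule: fix what is reachable from the internet and already being exploited before anything else, and use severity only to order within that. The following is an added illustration in Python, not code from the article or from any organisation it describes. It assumes each finding carries a CVSS base score, an internet-exposure flag and an actively-exploited flag, as a scanner or asset inventory would report them; the CVE identifiers and remediation windows are constructed placeholders.

```python
"""Exposure-based vulnerability prioritisation.

Added illustration, not code from the article or from any organisation it
describes. Assumptions: each finding carries a CVSS base score, an
internet-exposure flag and an actively-exploited flag (as a scanner or
asset inventory would report them); CVE identifiers below are constructed
placeholders. The ordering rule is the article's: publicly exposed and
actively exploited first, with CVSS only as a tie-breaker within a tier.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str                  # placeholder identifier, not a real CVE
    cvss: float               # CVSS base score, 0.0 to 10.0
    internet_exposed: bool    # reachable from the public internet
    actively_exploited: bool  # known to be exploited in the wild


# Illustrative remediation windows per tier, in days (hypothetical policy values).
REMEDIATION_DAYS = {1: 1, 2: 7, 3: 30}


def priority_tier(finding: Finding) -> int:
    """Tier 1: exposed and exploited; tier 2: one of the two; tier 3: neither."""
    if finding.internet_exposed and finding.actively_exploited:
        return 1
    if finding.internet_exposed or finding.actively_exploited:
        return 2
    return 3


def prioritise(findings):
    """Order findings by tier, then by descending CVSS, then by asset and CVE for stability."""
    return sorted(findings, key=lambda f: (priority_tier(f), -f.cvss, f.asset, f.cve))


def remediation_window(finding: Finding) -> int:
    """Days allowed to remediate, taken from the finding's tier."""
    return REMEDIATION_DAYS[priority_tier(finding)]


# Constructed sample inventory: note that the highest-CVSS item is internal and unexploited.
SAMPLE_FINDINGS = [
    Finding("web-gw-01", "CVE-XXXX-0001", 7.5, True, True),
    Finding("hr-app", "CVE-XXXX-0002", 9.8, False, False),
    Finding("vpn-01", "CVE-XXXX-0003", 8.1, True, False),
    Finding("build-srv", "CVE-XXXX-0004", 6.5, False, True),
    Finding("web-gw-02", "CVE-XXXX-0005", 9.1, True, True),
]


if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"tier {priority_tier(f)}  fix within {remediation_window(f):>2}d  "
              f"cvss {f.cvss:<4} {f.asset:<10} {f.cve}")
```

Run as a script to see that the CVSS 9.8 finding on an internal, unexploited host lands last, behind two lower-scored but exposed and exploited findings; severity alone would have ordered the list the other way round.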
When should financial services prepare for quantum computing threats?
Quantum computing represents an existential threat to current cryptographic systems. When viable quantum computing arrives – what experts call "Q-Day" – all encryption, certificates, and digital signatures become vulnerable. This isn't just about encrypted data; it threatens identity management, system access, and contract integrity.
The timeline is compressing. While quantum computing has been "10 years away" for decades, MIT and Stanford research now suggests three-plus years as a realistic timeframe. A leading European bank has already established a migration roadmap:
- 2026: Vendor assessment for post-quantum cryptography capabilities
- 2027-2028: Theorisation, software preparation, and migration planning
- 2029-2031: Active migration of critical systems
The consensus among risk authorities – NIST, NCSC (National Cyber Security Centre), FCA, and WEF – is that critical systems should be quantum-safe by 2031, with complete migration by 2035. For financial risk managers, the message is unequivocal: planning must begin now.
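The first practical step of the roadmap above is knowing which systems depend on which algorithms, because the exposure is not uniform: public-key schemes built on factoring or discrete logarithms (RSA, Diffie-Hellman, elliptic-curve signatures and key exchange) are broken outright by Shor's algorithm, while symmetric ciphers and hashes are only weakened by Grover's search and survive with adequate key lengths. The following is an added illustration in Python, not code from the article or from the bank it describes. It assumes a key and certificate inventory that exports one record per system with the system name, the algorithm label and a business-criticality flag; the sample records are constructed, and the target years are the 2031 and 2035 milestones the article cites.

```python
"""Cryptographic inventory triage for post-quantum migration planning.

Added illustration, not code from the article or from the bank it describes.
Assumptions: a key/certificate inventory exports one record per system with
the system name, its purpose, the algorithm label and a criticality flag;
the sample records below are constructed. Target years follow the consensus
the article cites (critical systems quantum-safe by 2031, everything by 2035).
"""
import re

# Public-key schemes whose security rests on factoring or discrete logarithms;
# a cryptographically relevant quantum computer running Shor's algorithm breaks them.
SHOR_BROKEN = {"RSA", "DSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA", "ED25519", "X25519"}
# NIST post-quantum standards (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA).
QUANTUM_SAFE_PREFIXES = ("ML-KEM", "ML-DSA", "SLH-DSA")
# Symmetric ciphers and hashes are only weakened (Grover halves the effective key
# length in the worst case): 256-bit keys and SHA-2/SHA-3 stay, shorter keys get reviewed.
SYMMETRIC = {"AES", "CHACHA20"}
HASH_OR_MAC = {"SHA", "SHA2", "SHA256", "SHA384", "SHA512", "SHA3", "HMAC"}

# Actions that require work, in the order they should appear in the plan.
ACTION_ORDER = {"replace": 0, "review-key-length": 1, "unknown": 2}


def classify(algorithm: str) -> str:
    """Map an algorithm label such as 'RSA-2048' or 'AES-128-GCM' to a migration action."""
    name = algorithm.upper()
    if name.startswith(QUANTUM_SAFE_PREFIXES):
        return "quantum-safe"
    tokens = re.split(r"[-_/ ]+", name)
    family = tokens[0]
    if family in SHOR_BROKEN:
        return "replace"
    if family in HASH_OR_MAC:
        return "retain"
    if family in SYMMETRIC:
        # First numeric token is the key size; ChaCha20 is always 256-bit.
        bits = next((int(t) for t in tokens[1:] if t.isdigit()),
                    256 if family == "CHACHA20" else 0)
        return "retain" if bits >= 256 else "review-key-length"
    return "unknown"


def migration_plan(inventory):
    """Return the records needing work, replacements and critical systems first."""
    plan = []
    for system, purpose, algorithm, critical in inventory:
        action = classify(algorithm)
        if action in ACTION_ORDER:
            plan.append({"system": system, "purpose": purpose, "algorithm": algorithm,
                         "action": action, "target_year": 2031 if critical else 2035})
    plan.sort(key=lambda r: (ACTION_ORDER[r["action"]], r["target_year"], r["system"]))
    return plan


# Constructed sample inventory: (system, purpose, algorithm, business-critical).
SAMPLE_INVENTORY = [
    ("tls-edge", "TLS server certificate", "RSA-2048", True),
    ("payments-api", "TLS key exchange", "ECDHE-P256", True),
    ("backup-vault", "backup encryption", "AES-256-GCM", True),
    ("hr-portal", "session signing", "ECDSA-P256", False),
    ("archive", "data at rest", "AES-128-CBC", False),
    ("pilot-vpn", "key exchange", "ML-KEM-768", False),
    ("legacy-batch", "file integrity", "SHA-256", False),
    ("mainframe", "undocumented", "FOO-1", True),
]


if __name__ == "__main__":
    for r in migration_plan(SAMPLE_INVENTORY):
        print(f"{r['target_year']}  {r['action']:<18} {r['system']:<13} "
              f"{r['algorithm']:<12} ({r['purpose']})")
```

The plan deliberately keeps "unknown" labels in the output rather than dropping them: an algorithm nobody can name on a critical system is itself a finding for the 2026 vendor-assessment phase, and the 256-bit symmetric and hash entries are filtered out so the list only contains work.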
What investment strategy should financial risk managers adopt?
The path forward requires multi-horizon planning. Security teams under pressure to address immediate threats often lack bandwidth for future-focused initiatives. However, transformational changes like migrating to passwordless authentication or implementing post-quantum cryptography cannot be accomplished in a single year.
Financial institutions should adopt a three-pronged investment approach:
- Human capital: Investing in security awareness and culture across all employees, creating a "human firewall"
- Operational resilience: Obsessing over recovery capabilities, including immutable backups and business continuity
- Continuous testing: Engaging ethical hackers and conducting tabletop exercises to validate response procedures
The reality is stark: organisations will experience incidents. The question isn't if, but when. Financial risk managers must shift focus from pure prevention to absorption, response, and recovery capabilities that minimise business impact when breaches occur.