Cybersecurity and geopolitical risks in financial markets

Cyber-attacks against the financial sector have increased markedly in both frequency and sophistication over the past two decades, with new and increasingly complex attack typologies emerging. Whereas early incidents often relied on relatively simple phishing schemes or malware embedded in email attachments, threat actors now deploy a much broader and more advanced arsenal of tools and tactics. Advanced persistent threats (APTs) conducted by organised cybercriminal groups and, in some cases, state‑linked actors, and ransomware‑as-a-service platforms have become commonplace, reflecting a mature, specialised, and highly lucrative cybercriminal ecosystem (IMF, 2024[11]; BIS, 2021[17]). The growing use of AI-enabled attacks further amplifies these risks, allowing malicious actors to dynamically adapt to institutional defences. At the same time, sophisticated malware can remain dormant within systems for extended periods, enabling attackers to time disruptions for maximum financial or operational impact.

As the threat landscape continues to evolve, cyber resilience measures are also evolving in response. Private cybersecurity firms are increasingly working in close co‑ordination with governments and law enforcement agencies to detect, attribute and disrupt malicious campaigns. Although there is often overlap between financially motivated cybercrime and geopolitically driven operations, this convergence has been met with a parallel increase in public-private collaboration in cybersecurity. Information-sharing initiatives and co‑ordinated incident response mechanisms are becoming more widespread, strengthening the overall resilience of the financial ecosystem. This growing alignment between private and official sector countermeasures underscores a broader shift towards collective cybersecurity as both attackers and defenders become more sophisticated.

The number of cyber incidents across G7 countries has increased during the last two decades (Figure 2.1) Most incidents took place in the United States, followed by countries in Europe. It is likely that cyber incidents in G7 countries were mainly carried out for financial gain, with around 20% of cyber-attacks targeting financial institutions in the past two decades (IMF, 2024[11]). Recent geopolitical risks and the widespread introduction of advanced artificial intelligence (e.g. Generative AI) may have caused the growth in cyber-attacks. Recently, there have been more frequent incidents related to supply chain disruptions in manufacturing industries, showing that cyber risks can also pose operational and infrastructure risks (Crosignani, Macchiavelli and Silva, 2023[10]).1 Cross-country comparisons should be interpreted with caution, as incident disclosure, media visibility and dataset coverage differ materially across jurisdictions. Higher counts may therefore reflect both underlying risk and differences in reporting and public visibility.

Moreover, the cyber threat surface has expanded dramatically, including through the growing reliance on shared service providers such as cloud infrastructure. Disruptions at a critical financial service provider can create simultaneous operational stress across multiple institutions, especially where substitution is difficult and recovery takes time. At the same time, these risks are not limited to cloud-based environments: legacy systems, weak interfaces between older and newer platforms, and poorly governed internal architecture can also create serious cyber and operational vulnerabilities. Large technology providers are nevertheless widely used because they often offer scale, security expertise, and resilience investments that many firms cannot replicate on their own. The policy challenge is therefore to manage common dependencies and governance weaknesses, not simply to treat concentration itself as inherently problematic.

Beyond overall growth in incident frequency, Figure 2.2 suggests a sectoral shift in cyber incidents in G7 countries. Incident counts are low and constant in the early 2000s, but bank-related incidents become highly volatile and dominate the mid‑2000s to mid‑2010s, with at least one distinct spike. From the late 2010s onwards, the composition shifts: SME incidents rise strongly and in the most recent years often exceed bank incidents, while large‑firm incidents increase more moderately.2 Overall, the pattern is consistent with cyber risk broadening from episodic, through supply chain to wider targeting where smaller firms represent an increasingly large share of observed incidents. The growth in SME incidents could therefore reflect attackers’ targeting of weaker links and third-party dependencies. Even with strong internal controls, the “weakest link” is frequently a supplier/partner with lower cyber maturity, especially smaller suppliers, making supply chain/third‑party vulnerabilities a leading cyber-resilience challenge (WEF, 2026[18]).

Cybersecurity incidents increasingly reflect attackers’ ability to exploit residual and highly specific vulnerabilities (“security holes”) in systems, processes or governance, rather than broad systemic weaknesses, highlighting the uneven nature of cybersecurity maturity (CSRC, 2015[19]). These weaknesses typically arise from unpatched software, outdated legacy systems, weak configurations, or misconfigurations, all of which feature among the most common root causes of breaches (OECD, 2022[1]; 2021[20]; OWASP, 2021[21]). The emergence of AI-enabled tools (e.g. Mythos) that can automate their detection and exploitation at scale increases the importance of addressing such vulnerabilities (BBC, 2026[22]). These technologies lower the barriers to entry for attackers and accelerate the speed at which weaknesses can be identified and leveraged. This reinforces the need for timely vulnerability management, continuous monitoring, and stronger baseline cyber hygiene, as even minor gaps can quickly become vectors for malicious activity in an increasingly automated threat landscape.

These vulnerabilities tend not to be evenly distributed. SMEs consistently face higher exposure due to structural constraints including limited cybersecurity personnel, smaller budgets, and less formalised risk‑management processes. This makes their monitoring and response capacity less systematic and constrained. Consequently, SMEs are persistent targets for cyber-criminals, who are able to continue exploiting weaknesses in these firms long after larger organisations have remediated them. Importantly, SMEs and specialised service providers often form part of financial institutions’ supply chains and can therefore act as inadvertent “backdoors” into larger organisations. For example, a 2025 cyberattack on the mortgage services provider SitusAMC compromised sensitive data linked to multiple major banks, despite the banks themselves not being directly breached (NYT, 2025[23]). This illustrates how a single weak point in the supply chain can create systemic risk, enabling disruptions and data exposures to propagate across multiple financial institutions simultaneously.

Emerging markets and developing economies (EMDEs) may be particularly exposed to similar concentrations of vulnerabilities, as structural factors, such as reliance on a limited number of providers, weaker institutional capacity and limited substitution possibilities, can amplify common dependencies and cyber risks. These economies typically experience rapid digitisation but often with uneven cybersecurity infrastructure and governance maturity. Variations in regulatory enforcement, budget limitations across the public sector, and reliance on older technologies create environments where cyber risk is structurally higher. As a result, vulnerabilities, whether technical or organisational, tend to remain exposed for longer, increasing the probability of exploitation. Furthermore, international firms with suppliers or operations in EMDEs face elevated third‑party risk, as attackers increasingly exploit these asymmetries in global ecosystems.

Figure 2.3 illustrates the intersection of three zones of heightened vulnerability: SMEs, EMDEs, and periods of financial stress. During stress episodes such as economic downturns or liquidity tightness, budget cuts, staff turnover, and operational disruptions often lead organisations to postpone patching, defer upgrades, or reduce monitoring. These temporary lapses compound existing weaknesses in SMEs and EMDEs, creating a convergence of conditions that significantly amplifies systemic cyber risk. When these three factors overlap, security holes are both more likely to emerge and more likely to be exploited.

Taken together, Figure 2.3 underscores that cyber risk is not only a technological problem but also a structural and macro‑economic challenge. Vulnerabilities concentrate where resources are scarce, governance is weaker, and market pressures reduce resilience. This creates predictable patterns of exposure that attackers exploit opportunistically. Strengthening cybersecurity therefore requires not only improving technical defences but also addressing the broader institutional and economic factors that shape vulnerability across different sectors and countries.