The IMF has called the mounting risk of severe cyber incidents “an acute threat to macrofinancial stability.”

It isn’t hyperbole. Amid growing digitalization, heightened geopolitical tensions and a lack of international cooperation, cybercrime could cost the world more than USD 23 trillion by 2027. Extreme organizational losses from such attacks and other incidents have more than quadrupled since 2017 to USD 2.5 billion. The interconnected nature of today’s financial systems means there could be severe collateral damage as well.

Our latest survey fills out this troubling picture as it relates to financial crime, offering insight into pressing vulnerabilities, new regulatory developments and important security controls.

Critical Cybercrime Vulnerabilities: Artificial Intelligence (AI), Supply Chain and More

Our survey respondents are clear: Cyberattacks and data breaches are the number one factor behind the expected increase in financial crime risk, particularly for legal, real estate and insurance companies. Nearly 7 in 10 respondents selected this option, followed by the increased use of AI by criminals (61%).

Which of the following factors are most responsible for this increased financial crime risk? [Asked to those who expect financial crime risks to increase over the next 12 months]

A New Era of Financial Cybercrime Is Here

This shouldn’t come as a surprise, given the above statistics. And as our AI article in this series illustrates, the rapid-fire adoption of AI tools can be a blessing and a curse when it comes to financial crime, providing new and more efficient ways to combat it while also creating new techniques to exploit the broadening attack surface—be it via AI-powered phishing attacks, deepfakes, or real-time mimicry of expected security configurations.

Attacks like these increasingly target and exploit weaker parts of an organization’s supply chain, as evidenced in 2019’s SolarWinds attack and the 2024 ransomware attack on software provider Blue Yonder, which disrupted payment and other operations at customers including Starbucks and two large UK grocery chains.

So-called “secret leaks”—unintentionally exposed passwords, encryption keys and other credentials—regularly provide attackers with access to endpoints along the supply chain. This risk is exacerbated by modern software development, which involves numerous third-party libraries, frameworks and tools, making it challenging to manage secrets securely and independently across all of these components. Rapid deployment cycles and the quick-fire adoption of new AI and machine learning (ML) tools generate additional vulnerabilities.

Many organizations still lack appropriate security controls to detect and prevent supply chain-related attacks. Just 37% of respondents said they were very confident in their financial crime compliance program’s ability to assess supply chain threats, and a similar number (38%) said their program is very prepared to address these issues in 2025. That is problematic, since more than half (56%) of respondents who are anything less than “very confident” in their program’s ability to detect supply chain threats say cybersecurity threats pose the greatest supply chain-related challenge to organizations’ financial crime programs in the year to come—far and away the most-cited of any issue we asked about.

Which of the following supply chain-related issues pose the greatest challenges to your program over the next 12 months? [Asked to those who indicated they were anything other than “very confident” in their financial crime compliance program’s ability to assess supply chain threats]
Business leaders from APAC (India, Japan, Australia) and the U.S. were particularly concerned in this regard. A primary contributor here may be the heightened geopolitical and economic tensions between the U.S. and China, with the U.S. looking to limit its dependence on the latter. Overall, political instability and geopolitical risk are two key risk factors when it comes to the expected increase in financial crime, with each selected by about 30% of those respondents.

Finally, cybercrimes are being expedited by proliferating cybercrime-as-a-service offerings on the black market, which make it increasingly easy and cost-effective to carry out sophisticated attacks. Remote work also expands the attack surface. Twenty-seven percent of respondents cite it as being most responsible for the expected increase in financial crime risk, while external remote services and valid accounts are the methods most likely to be used by ransomware networks to get into organizations’ systems, according to a 2024 Kroll survey.

Track Regulatory Requirements—and Gaps

In addition to protecting against cybercriminals, organizations must stay up to date with an ever-evolving regulatory landscape, as 55% of respondents expect financial crimes enforcement action to increase in the year to come.

Please indicate the extent to which you believe the following may change over the next 12 months.
Those with operations in the EU will be most affected, given recent regulatory developments. The Digital Operational Resilience Act (DORA), for instance, came into effect this January, placing new burdens on financial institutions and critical information and communications technology (ICT) providers. DORA’s most extensive requirements focus on third-party risk management, raising the bar for financial institutions with operations in the EU.

Relatedly, 2022’s Network and Information Security Directive (NIS2) set out cybersecurity standardization goals that must be achieved by organizations deemed “essential” or “important” in all EU countries, with each country required to transpose the NIS2 directive into national laws. And the EU’s recent AI Act creates even more complications for those using these much-hyped technologies—with steep fines for non-compliance.

Other regulators around the world are expected to adopt and enforce similar requirements to DORA and NIS2, while in the U.S. a growing number of state and local data privacy laws—plus cybersecurity regulation from agencies like the New York State Department of Financial Services—are creating a complex patchwork of rules. This regulatory hodgepodge, and the resulting compliance complexity, may help explain why U.S. survey respondents are particularly concerned about the impact of cybercrime and data breaches on financial crime (81% of U.S. respondents named it as a key factor, compared to 68% overall).

Given the evolving regulatory landscape and the globally interconnected nature of financial cybercrime, cooperation between regulators and financial institutions is critical. While 62% of respondents believe there will be increased cooperation in the year ahead, this number is lower among those from Western Europe and Scandinavia (52%), where, ironically, the most stringent regulatory regimes are being enacted. Still, progress is being made: As the IMF notes, the Financial Stability Board’s model for incident reporting and its development of a common lexicon are important steps toward harmonizing effective information sharing.

Cybersecurity Essentials

How can organizations prevent financial cybercrime? Here are some high-level best practices to get started:

  • Ensure effective credential and account management. Business email compromise (BEC) and phishing attempts—in large part now powered by AI tools that can help with grammar, spelling and social engineering—prey on environments with poor credential and account management.

    When a customer signs into their online account, many organizations simply assume that the person is who they say they are. Organizations must be able to verify the bona fides of the individual: For instance, at Home Depot, tool renters are required to take a selfie that matches their driver’s license as part of the sign-in process. But many organizations are reluctant to interrupt a seamless client experience by, say, requiring multifactor authentication.

    Relatedly, financial institutions (and others) often don’t have the right processes and controls in place to prevent new accounts from weaponizing BEC to commit wire fraud. In the financial industry, for example, there are tools that assign reputations to each bank account based on its transaction history. These “reputational detectors”—coupled with additional threat intelligence—can go a long way toward improving account management security.

  • Implement access control policies. Devices shouldn’t be able to connect to your organization’s network without any verification or controls in place. Organizations may want to ensure such endpoints have the latest operating systems and virus scanners in place, or that they don’t come from a high-risk locale. Stepping up security in this arena is particularly important because threat actors can now impersonate device configurations to gain access to a system.

  • Focus on SaaS due diligence. Software-as-a-Service (SaaS) applications are fast becoming an Achilles’ heel for organizations trying to fight financial cybercrime. In 2023, businesses on average used 371 such applications, and many SaaS vendors are not forthcoming in allowing buyers to do adequate due diligence. Though they tend to share their SOC 2 audit information, many organizations don’t realize this provides only a limited level of assurance; that is, the certificate being produced applies only to the vendor’s corporate network and domain, not to the customer environment.

A Challenging Road Ahead

Financial cybercrime can (and likely will) happen to your business, whether it’s a ransomware attack, a customer’s hijacked bank account or an AI-generated phishing email that cracks open access to your organization’s network. Nearly half of respondents (47%) say they are increasing their cybersecurity budgets next year to combat financial crime.

Yet whether organizations raise their budgets or not, foundational security controls and communicating the shared responsibility of good cybersecurity hygiene across the organization are crucial for today’s business leaders—no matter what industry they’re in.