
Cybersecurity in Financial Services

Picture of Madelin Sinclair McAusland

Recent targeting of huge retailers M&S and the Co-op has generated significant press attention and serves as a reminder that even sophisticated and well-resourced companies face cyber threats on a daily basis. This issue is particularly acute in financial services, given the value and nature of the data held as well as the high levels of inter-connection between financial businesses and their technology partners.

Organisations are alive to the importance of cybersecurity, particularly with the increasing value of data for both businesses and cybercrime organisations alike. So how do you tackle the challenge of staying ahead of the latest cybercrime tactics and what are practical points to focus on?

Reassess threat monitoring

It is vital to reassess threat monitoring to ensure that current security measures are adequate. You need to critically examine whether current arrangements are effective against current and emerging cyber threats or whether they need bolstering. Invest in regular health checks and attend market updates to keep your finger on the pulse and ensure that this is a responsibility spread across different teams in the business and not just a worry for your IT team.

Review your third-party risk management profile

Third party contractors can represent a weak link if they have access to data but do not adhere to appropriate data standards. Supply chain security means more than just putting robust measures in place at the beginning of a relationship – you need to test these measures throughout the relationship lifecycle.

As an immediate step, analyse your present arrangements with priority suppliers (whether assessed by volume of data, level of dependence or financial spend), reviewing their level of access, supplier resilience and business continuity, and how you would work with them in the event of an attack. Test these processes regularly and look to continuously improve them.

Consider refresher training

Use recent cyber incidents as a springboard to implement refresher training, focusing on developing employees’ awareness of cybercrime and ensuring proper handling of sensitive information (whether personal data, confidential data, commercially sensitive data or any combination). This would be especially useful for areas of the business which handle the most significant volumes of data or where there are “gateways” into systems, such as IT support.

Test and refresh crisis plans and your business continuity policy

You should regularly test and refresh crisis plans and your business continuity policy, specifically with contingency plans in the event of certain systems being shut down e.g. stock monitoring and recruitment. Consider whether you would shut down certain functions to prevent further data leakage. Regular testing could help to identify weaknesses in the current plan which could subsequently be improved.

Consider additional simulation exercises

Look for additional simulation exercises to reflect the latest developments and improve operational effectiveness, familiarising participants with the decision-making process of an actual cyberattack.

Cyber insurance

Review your cyber insurance policies to ensure they are adequate for your risk profile, including the extent of cover for incident response costs, business interruption losses, and third-party liability coverage. In addition, key stakeholders in the business should be aware of the notification obligations in your cyber insurance policies.

Refresh your communications strategy

You should refresh your communications strategy to factor in the reaction from both the public and relevant regulators; for example, see this Statement on the British Library’s 2023 ransomware attack, in which the Information Commissioner’s Office (ICO) commended the British Library for being open and transparent.

Stay abreast of new guidance and any statements from regulators

You should keep up to date with new guidance and statements from regulators. For example, the National Cyber Security Centre (NCSC) published this in May, which contained some very helpful practical tips. Notably, the NCSC recommends that organisations deploy a 2-step verification system and increase monitoring against account misuse.

If your organisation requires any assistance in relation to the points above, please contact Madelin Sinclair McAusland or Justin Barrow.
