Phil Robinson, Founder & CEO, Prism Infosec discusses how escalating geopolitical tensions, cybercrime-as-a-service and AI-driven social engineering are reshaping the threat landscape for banks.
Targeting Critical National Infrastructure (CNI) like banks and Financial Market Infrastructures (FMIs) is nothing new, but cyber-attacks on the sector are ever more relentless and sophisticated.
Last year, up to 20 million people in the UK were affected by cyber-attacks on financial services businesses – an increase of 143%.
While eight tier one banks, including Barclays, Lloyds and Nationwide, reportedly experienced 158 IT failures between them in just two years.
Driven by geopolitical tensions, state sponsored activity and the rise of off-the-shelf tools like Ransomware-as-a-Service (RaaS), the threat landscape is intensifying.
Despite the hundreds of millions of pounds invested by banks in defensive measures, staying ahead of both current and emerging threats remains a constant game of whack-a-mole.
According to Ian Stuart, CEO of HSBC, the bank makes 8,000 changes and updates to their IT every week.
If banks don’t maintain this scale of defensive evolution, a single cyber-breach could have serious real-world consequences for the UK economy, global stock markets and any account holders.
So, what does tomorrow’s threat landscape have in store for the sector?
Banks and financial institutions have long been high-value targets for hostile threat actors and as the geopolitical climate becomes more volatile in 2026, this activity will continue.
State-aligned groups are already using tactics like highly tailored malware and zero-day exploits (when attackers target an unknown vulnerability) to probe payment systems, liquidity platforms and core banking infrastructure for vulnerabilities.
As their tactics vary widely, so too do their goals. Sometimes they want money, sometimes to destabilise markets, create uncertainty or undermine confidence in financial institutions themselves.
As international relations fray further, banks should prepare for more targeted campaigns – including wiper malware, a destructive class of malicious software designed to permanently erase data and attempts to compromise trusted third parties that form part of the UK’s financial ecosystem.
The growing commercialisation of cyber-crime is developing a more covert, yet equally threatening landscape.
Lower-level attackers are increasingly using off-the-shelf products to infiltrate security systems.
Examples include Ransomware-as-a-Service (RaaS) – essentially a subscription model for cyber-criminals, offering would-be attackers a cheap and easy way to bypass security barriers; and
Modular Attack Kits – which can be customised for specific banking processes and technologies, such as outdated middleware, internet-facing APIs and misconfigured cloud environments.
For banks and financial institutions, these products make attacks not only more common, but also more diverse and harder to predict.
As we move into a new year there will likely be another wave of newer tools released which banks and their security providers must get ahead of.
The rapid advancement of artificial intelligence is fundamentally changing the nature of social engineering.
While many are fully aware of the dangers of phishing and know what red flags to look for, new tactics – like vishing (voice phishing) and smishing (SMS phishing) – are empowered by AI deepfake audio and visual technology, making attackers even harder to identify.
Synthetic voice, cloned voice and deepfake visuals are all easy to generate through publicly available AI models.
From there, attackers can take on the identity of a real employee or regulator to authorise fraudulent payments and gain access their own systems, as well as to travel upstream to suppliers, service providers and response teams.
Collectively, these emerging threats paint a stark picture: The cyber-risks facing banks and financial institutions in 2026 are not simply more frequent – they are more sophisticated, more accessible and more intertwined with real-world geopolitical dynamics than ever before.
UK banking regulators (Financial Conduct Authority, Prudential Regulation Authority and The Bank of England) are aware of the level of risk and already implement a risk reduction exercise called CBEST.
Undertaken once every three years at minimum, a CBEST is a critical, intelligence-led assurance framework designed to help financial institutions and regulators better understand a firm’s vulnerabilities and weaknesses.
Furthermore, UK firms with footprints in the EU will be subject to DORA and TIBER-EU tests and if they operate in Singapore/Hong-Kong, they will be subject to iCAST and in Australia, to CORIE.
While these tests are essential to ensure firms are adequately aware of their own weak points, more work will be needed to align test schedules internationally to meet regulatory requirements.
In addition to current requirements and regulations, the UK Cyber Resilience Bill – expected to become law in 2026 – proposes a host of additional requirements that will further strengthen security barriers.
It will be crucial that banks and security providers alike stay up to date on the latest announcements from the Bill – to ensure they are as well-equipped and well-informed as can be to stay secure and compliant.
