Global Digital Trust Insights

2026 Cybersecurity outlook: Financial services

  • February 26, 2026

Explore the issues global leaders across financial services face, the threats they feel least prepared to handle, what’s driving security investments, and how emerging technologies are shaping their approach to cybersecurity. 

Cyber attacks targeting financial services are disrupting everything from daily operations to long-term trust. Our survey reveals that three-quarters (76%) of financial institutions plan to increase cybersecurity budgets in 2026. Yet many still feel unprepared to address the most pressing threats, including cloud-related vulnerabilities, attacks on connected products, and the looming threat quantum computing presents to encryption. From AI-powered malware and value chain attacks to outages caused by critical third-party failures, the challenges continue to grow in complexity and scale.

  • 76% of financial services organisations plan to increase their cyber budgets in 2026, with AI as their top priority
  • Top 3 threats financial firms feel least prepared to address are cloud-related threats, attacks on connected products, and quantum computing
  • Only 24% are spending significantly more on proactive versus reactive security measures

This fraught environment is pushing leaders to rethink their cybersecurity approach, including how they prioritise spending, manage risk, and build teams that can keep up with evolving threats. To thrive in 2026 and beyond, financial services firms need agile, targeted strategies that safeguard what matters most (clients’ assets and data) while staying compliant and driving growth.

Drawing on a subset of PwC’s 2026 Global Digital Trust Insights survey, this financial services industry report shows how 828 global leaders across banking and capital markets, insurance, asset and wealth management, real estate, and private equity are confronting these challenges. It explores the issues they face, the threats they feel least prepared to handle, what’s driving security investments, and how emerging technologies are shaping their approach to cybersecurity.

Banking and capital markets

The banking and capital markets (BCM) sector is navigating an environment of escalating costs driven by evolving risks, regulatory requirements, and customer expectations, as well as increasing complexity of financial products and services. Geopolitical volatility is a significant factor, with 64% of banks saying they'll increase cyber investments in response to heightened global uncertainty and emerging threats. Overall, about three in four banks (74%) plan to increase their cybersecurity budgets in 2026.

Despite these planned investments, only 30% of BCM organisations currently spend significantly more on proactive security measures (e.g., monitoring, assessments, testing, controls) than they do on reactive measures (response, remediation, recovery, fines). Most (68%) say their proactive/reactive cost ratio is roughly even or skewed toward reactive measures, which can be more costly. And just 21% measure the financial impact of cyber risks ‘to a significant extent’.

The sector’s rapid adoption of digital innovation, including API-enabled digital banking, customer-permissioned data access, and real-time trading platforms, has expanded attack surfaces and increased operational complexity. Our survey shows that cloud-related threats (32%) rank among the top challenges BCM firms feel least prepared to address, along with quantum computing threats (34%) and exploits of zero-day vulnerabilities (29%).

Against this backdrop, banks should balance innovation, regulatory compliance, and cybersecurity investments carefully. That means taking a ‘controls engineering mindset’—moving beyond manual, point-in-time controls and toward engineered, preventative, and continuously validated controls—to help drive greater scale in automation across controls testing and compliance. It also means developing human-led, AI-enabled capabilities. 

Those that invest strategically in proactive, future-oriented cyber defence and integrated risk management stand a better chance of controlling costs, safeguarding customer assets, and maintaining trust in an increasingly challenging, dynamic risk landscape.

The threat landscape

Safeguarding customer data remains a top priority for the BCM sector. As attacks grow more sophisticated, firms are racing to leverage AI to strengthen their defences while also defending against AI-enabled threats, as well as cloud-based attacks and quantum computing threats.

  • Cloud reliance increases risks: Cloud-related concerns are among the top-ranked threats BCM firms say they’re least prepared to address. Growing reliance by banks on SaaS platforms like Microsoft 365, Salesforce, and Workday significantly expands their attack surface through risks such as data sprawl, cloud misconfiguration, vulnerability management challenges, and patching complexities.
  • AI drives sophisticated attacks: The top AI attack scenarios BCM firms are most concerned about in the coming 12 months are AI-powered malware (68%), deep-fake social engineering (57%), and AI-powered supply chain attacks (55%). 
  • Budgets struggle to meet evolving threats: BCM organisations are prioritising AI-driven cybersecurity solutions. Our survey indicates that AI threat hunting, event detection and behavioural analytics, and vulnerability scanning and assessments are the AI security capabilities BCM firms are prioritising in 2026. Budget constraints and cost pressures limit their ability to invest in these technologies, however, forcing difficult trade-offs between innovation and maintaining strong cyber defences.
  • Third parties compound risk: Dependence on third-party providers creates potential single points of failure with wide-ranging impacts. High-profile outages from these vendors demonstrate how reliance on them can disrupt essential cybersecurity and operational functions, slow response times, and elevate operational risk. Multi-cloud redundancy is difficult for many firms, however, leaving them vulnerable to service interruptions. And for all vendor types, third-party risk management (TPRM) can be resource-intensive and prone to errors. Nearly half (47%) of BCM firms rank TPRM compliance the greatest regulatory barrier to doing business in the countries where these regulations apply.
  • Data challenges abound: Our survey reveals that BCM firms rank data protection and trust among their top three cybersecurity budget priorities. Many firms, however, continue to wrestle with fragmented data environments and legacy systems, which limit the AI and advanced security solutions they could more effectively deploy. They’re also navigating diverse regulatory requirements, especially local data sovereignty rules. Forty-two percent rank data localisation the No. 2 regulatory barrier to doing business in the countries where these regulations apply.
  • Quantum risks loom large: The No. 1 cyber threat that BCM firms feel least prepared to address is quantum computing. Even so, only 3% of these firms rank quantum risks among their top three cyber budget priorities over the next 12 months, citing talent shortages and more pressing priorities as barriers to achieving post-quantum readiness.

The road to resilience

Facing rising cyber challenges largely driven by cloud, AI, and quantum computing threats, BCM firms need a smart, focused approach in 2026 to protect their most valuable assets. We suggest focusing on six key areas.

  1. Reinforce cloud and SaaS frameworks: Develop and operationalise holistic SaaS security programs focused on continuous monitoring, posture management, and governance. Address risks related to data sprawl and misconfigurations in platforms such as Microsoft 365 to safeguard sensitive information.
  2. Leverage AI for cyber defence: Deploy AI-powered tools that enhance threat detection, automate routine tasks, and provide faster, clearer insights to security teams. Leading BCM firms have integrated AI-enabled solutions across their security operations, from cloud security and endpoint protection to insider threat detection, allowing their teams to identify risks sooner and respond more effectively without overloading analysts.
  3. Balance investment with constraints: Manage cost pressures by prioritising cybersecurity investments that align with both innovation goals and regulatory requirements. Encourage continuous upskilling across teams to improve cybersecurity readiness within budget limits.
  4. Strengthen third-party resilience: Map and understand critical dependencies on third-party providers. Identify single points of failure and design resilient architectures focused on enabling rapid recovery, acknowledging that multi-cloud redundancy is often impractical. Look for opportunities to automate manually intensive TPRM processes (e.g., due-diligence onboarding, monitoring).
  5. Modernise data management: Consolidate fragmented data and upgrade legacy systems to enable effective AI deployment and improve security operations.
  6. Start preparing for quantum: Establish a holistic cryptographic inventory that identifies at-risk assets and captures critical cryptographic metadata. In parallel, familiarise yourself with NIST-standardised quantum-resistant algorithms and implement immediate cyber hygiene improvements to reduce near-term exposure to ‘harvest now, decrypt later’ attacks, while laying the groundwork for the longer-term disruption to today’s public key infrastructure and secure authentication protocols.

Insurance

In our survey, 58% of insurance firms say geopolitical volatility is driving increased investment in cyber risk mitigation, underscoring a growing urgency to strengthen defences amid an unpredictable global landscape. Overall, over three in four insurers (78%) plan to increase their cybersecurity budgets in 2026.

Firms in this sector rank employment infiltration threats as the top risk they feel least prepared to address, highlighting staffing and insider risk as critical vulnerabilities. Attacks on connected products and quantum computing risks follow closely behind.

Despite these growing risks, only 24% of insurers currently spend significantly more on proactive security measures (e.g., monitoring, assessments, testing, controls) compared with reactive measures (response, remediation, recovery, fines). Three-quarters (75%) say their proactive/reactive cost ratio is roughly even or skewed toward reactive measures, which can be more costly. And just 14% measure the potential financial impact of cyber risks ‘to a significant extent’, potentially impeding informed decision-making and risk prioritisation.

Insurance companies also face internal barriers in adopting advanced technologies for cyber defence. Our survey suggests that lack of knowledge, unclear risk appetite regarding AI use, and lack of budget prioritisation are the top internal challenges hindering AI implementation for cybersecurity across the sector.

The threat landscape

Rapid technology advances and expanding digital footprints are creating security gaps that expose insurers to data breaches, operational disruptions, and privacy challenges. Persistent talent shortages and limited in-house cyber capabilities further compound these vulnerabilities, presenting ongoing challenges for the sector.

  • Staffing challenges undermine defences: Insurers are struggling to attract and retain skilled cybersecurity professionals, a challenge facing all industries. In addition, insurance leaders tell us that employment infiltration—where attackers gain access by obtaining or impersonating employment, or where insiders intentionally or unintentionally compromise security—is among the top threats their companies are least prepared to address.
  • Rising complexity surpasses in-house capacity: Insurers face challenges in effectively managing the growing complexity of cyber threats. Cyber managed services rank among their top cyber budget priorities for 2026, highlighting a demand for experience in areas such as endpoint security, AI, cloud, and threat management. This reliance on managed services underscores the difficulty insurers experience in building and maintaining in-house capabilities to keep pace with rapidly evolving cyber risks.
  • Digital transformation drives data risk: As insurers pursue digital transformation, they face significant challenges in managing data risk. When asked about their progress implementing various data risk measures across the business, only about half of insurers have fully implemented data classification policies (52%) and data controls across the entire data life cycle (48%), while other measures ranked even lower.

The road to resilience

With cyber risks evolving rapidly, insurance companies should adopt integrated, forward-looking strategies in 2026 and beyond to strengthen their security posture and operational resilience.

  1. Prioritise AI cyber capabilities: Deploy AI-powered tools that enhance threat detection, automate routine tasks, and provide faster, clearer insights to security teams. Integrate AI-enabled solutions across your security operations, from cloud security and endpoint protection to insider threat detection, allowing teams to identify risks sooner and respond more effectively without overloading analysts.
  2. Secure identity and access management: Adopt a secure-by-design framework for connected products throughout the operational life cycle. Enforce consistent identity, access, and policy controls across third-party platforms, APIs, and integrations.
  3. Leverage managed security services to fill expertise and capacity gaps: Determine if your business should leverage managed services by developing an ROI-based managed services plan that maps technology, skills and resource needs.
  4. Treat data risk as a business risk, not just a compliance issue: Create a cohesive strategy to inventory data, assess risks, apply governance and protection according to risk levels, and establish appropriate ownership.

Asset and wealth management

The rapid expansion into new markets and asset classes is driving asset and wealth management (AWM) firms to act swiftly to secure critical assets. Moving too fast, however, can create exposure to cyber risks around data protection, fraud, and regulatory compliance. Our survey indicates that 64% of AWM firms plan to increase their cyber risk investments in response to the current geopolitical environment, reflecting a heightened awareness of emerging threats.

Firms in this sector cite cloud-related threats as the top risk they feel least prepared to address (37%), followed closely by quantum computing threats (35%) and third-party breaches (33%).

Despite these growing risks, only 23% of AWM organisations currently spend significantly more on proactive security measures (e.g., monitoring, assessments, testing, controls) than they do on reactive measures (response, remediation, recovery, fines). Most (76%) say their proactive/reactive cost ratio is roughly even or skewed toward reactive measures, which can be more costly. And just 12% measure the potential financial impact of cyber risks ‘to a significant extent’.

The threat landscape

Innovation drives a lot of the change we’re seeing in asset and wealth management. As investments shift toward AI infrastructure, digital assets, and foreign products, firms face a cybersecurity landscape that demands new ways of thinking about risk, resilience, and trust. Our survey shows that AI, cloud security, and network security are the top three investment priorities for AWM firms in 2026. But the challenges ahead are as much about adapting culture and strategy as they are about technology.

  • New asset strategies amplify regulatory complexity: Both asset and wealth managers are increasingly diversifying their portfolios by expanding into sectors such as real estate, energy, cryptocurrencies, and foreign investments. This strategic evolution introduces a growing set of federal and international regulatory obligations, which amplifies compliance complexity and introduces new operational risks. Firms should navigate these layered requirements carefully to avoid regulatory gaps and associated penalties.
  • Expanding data volumes introduce new attack vectors: AWM firms leverage vast volumes of customer data to fuel AI-driven marketing and personalised services. While offering growth opportunities, this also amplifies risks of data breaches, privacy violations, and advanced social engineering such as deepfakes. Our survey data indicates that fewer than half of asset and wealth managers have fully implemented data classification policies (48%) and data controls across the entire life cycle (44%), underscoring gaps in data governance.
  • The broader ecosystem expands the risk perimeter: Increasing reliance on third-party providers and outsourced services extends cybersecurity risks beyond organisational boundaries. Managing security across these external networks remains a significant challenge, consistent with survey findings that rank third-party breaches in the top three threats AWM firms are least prepared to address (right after cloud and quantum concerns).
  • Cyber talent shortages impede resilience: Many firms face difficulties attracting skilled cybersecurity talent, especially in areas like AI and cloud security. Knowledge and skills gaps were the top two barriers to implementing AI for cyber defence over the past year, forcing asset and wealth managers to rethink how they scale capabilities.

The road to resilience

As firms face evolving cyber risks driven by innovation and market dynamics, adopting tailored cybersecurity strategies becomes essential. Our recommendations provide focused guidance for strengthening your security posture, addressing unique challenges within your portfolios, and safeguarding trust with clients and stakeholders in 2026 and beyond.

Recommendations for asset managers

Integrate cybersecurity and compliance measures from the outset to effectively manage the diverse risks that come with controlling multiple stages of the investment life cycle.

Implement a holistic framework to evaluate cyber risk across your portfolio assets and tailor controls to the specific nature and risks of each investment. Identify gaps and prioritise remediation efforts aligned with the unique risks of each asset type.

Deploy AI-powered tools that enhance threat detection, automate routine tasks, and provide faster, clearer insights to security teams. Integrate AI-enabled solutions across your security operations, from cloud security and endpoint protection to insider threat detection, allowing teams to identify risks sooner and respond more effectively without overloading analysts.

Recommendations for wealth managers

Embed Responsible AI principles across AI deployments and classify AI systems (including models, agents and their identities, applications and training data) based on sensitivity, criticality and exposure. Secure AI by expanding existing security controls to AI systems and identifying gaps where new capabilities are required.

Implement multifactor authentication across client and internal access points to reduce unauthorised access risk. Enforce strict data governance policies, including data classification, encryption, and access controls based on least privilege principles. Deploy AI-driven behavioural analytics to monitor and detect anomalous user activity indicative of fraud or account takeover.

Strengthen governance through actionable KPIs that track performance in managing third-party, legacy tech, and cloud-based risks. Shift from point-in-time vendor assessments to continuous third-party risk monitoring. Expand third-party risk models to consider quantum capability in vendor environments and resilience to adversarial AI misuse.

Private equity

As private equity (PE) firms pursue acquisitions across a broader range of industries, geographies, and asset types, portfolio diversity is complicating cyber risk management. Cybersecurity approaches vary widely across portfolio companies, making unified risk management more challenging. 

Geopolitical volatility is a significant factor, with 64% of PE firms saying they’ll increase cyber investments in response to heightened global uncertainty and emerging threats. In the year ahead, they’re prioritising investments in data protection and data trust (36%), optimisation of current technology and investments (36%), and incident history of cyber breaches or intrusions to their organisation or industry as a whole (34%).

Even so, only one in five PE firms currently spends significantly more on proactive security measures (e.g., monitoring, assessments, testing, controls) than on reactive measures (response, remediation, recovery, fines). Most (76%) say their proactive/reactive cost ratio is roughly even or skewed toward reactive measures, which can be more costly. And just 14% measure the financial impact of cyber risks ‘to a significant extent’, potentially affecting decisions about which risks to prioritise.

The combination of mounting geopolitical risks and increased deal volume calls for reprioritising cybersecurity as a strategic imperative. This includes strengthening oversight, enhancing due diligence processes, and aligning cyber risk management across portfolio companies.

The threat landscape

For too long, many PE firms have viewed cybersecurity as something portfolio companies should handle on their own. But with evolving credit structures and rising deal volumes, this hands-off approach can leave firms exposed to growing and more complex cyber risks.

  • More M&A activity means more cyber risk: With increasing deal volume comes greater cyber exposure, particularly concerning the handling of sensitive personal and financial information and/or intellectual property throughout complex transactions. Our survey shows that data protection and data trust is the top investment priority for PE firms. However, challenges persist due to fragmented data environments and legacy infrastructures that hinder the effective deployment of advanced security measures, including AI-driven solutions.
  • Portfolio diversity creates complex cyber challenges: PE firms oversee portfolios spanning multiple sectors, sizes, and regions, each with its own unique cyber risks and regulatory requirements. This diversity makes it difficult to implement consistent cybersecurity strategies, especially as responsibility for cyber risk management often falls to individual portfolio companies. As a result, PE firms are working to get a clear, unified view of cyber risk and struggle to build strong cyber resilience across their portfolios.
  • Underinvestment in security heightens risk: PE tends to lag other sectors in cyber investment. This shortfall leaves some portfolio companies vulnerable, which in turn elevates risk across the entire portfolio. And with cyber liability insurers increasingly requiring strong cyber defences as a condition of coverage, underinvesting in security can make risk management that much harder.
  • Emerging risks challenge talent and resource capacities: With a persistent shortage of qualified cyber talent, many firms struggle to maintain effective threat detection and response across complex portfolios. Our survey indicates that over half (53%) of global leaders are increasingly reliant on AI and machine learning to address these gaps, underscoring the growing need for advanced technologies. Additionally, firms face challenges in accessing and integrating external cybersecurity knowledge and insurance counterparts, which are critical to scaling defences and obtaining adequate coverage in an evolving threat landscape.

The road to resilience

Taking real ownership of cybersecurity means taking a hands-on, proactive approach across the portfolio, working closely with portfolio companies to tackle their unique challenges.

  1. Integrate cyber fundamentals across your portfolio: Confirm that each portfolio company meets baseline cybersecurity standards. Require regular software updates, strict access controls, device protection, and incident response plans.
  2. Spot cyber risks before you buy: Conduct thorough cyber risk assessments during due diligence. Identify vulnerabilities and compliance gaps before acquisition and create formal playbooks for integration to include socialisation of cyber standards.
  3. Tailor cyber strategies to each portfolio company: Develop customised cybersecurity plans based on industry, size, and jurisdiction. Align compliance roadmaps with each company’s unique risk profile and maturity level.
  4. Explore options to fill expertise and capacity gaps: Determine if your business should adopt managed services by developing an ROI-based managed services plan that maps technology, skills, and resource needs.

The 2026 Global Digital Trust Insights is a survey of 3,887 business and technology executives conducted in the May through July 2025 period.

One-third of the executives (33%) are from large companies with $5 billion or more in revenue. Respondents operate in a range of industries, including financial services (21%); industrial manufacturing and automotive (21%); tech, media and telecom (19%); retail and consumer markets (16%); healthcare (10%); energy, utilities and resources (9%); and government and public services (4%).

Respondents are based in 72 countries. The regional breakdown is Western Europe (32%), North America (27%), Asia Pacific (18%), Latin America (11%), Central and Eastern Europe (6%), Africa (4%) and the Middle East (3%).

The Global Digital Trust Insights survey had been known as the Global State of Information Security Survey (GSISS). Now in its 28th year, it’s the longest-running annual survey on cybersecurity trends. It’s also the largest survey in the cybersecurity industry and the only one that draws participation from senior business executives, not just security and technology executives.

PwC Research, PwC’s global Centre of Excellence for market research and insight, conducted this survey.

Contact us

Sean Joyce

Partner, Global Cybersecurity & Privacy Leader, PwC US