4. Risks arising from cyber incidents with serious consequences
The global threat of cyber incidents is very high and is continuing to rise. This is due to advancing digitalisation, which is increasing the attack surface, as well as geopolitical tensions that are increasingly spilling over into cyberspace and affecting critical infrastructures. The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) assessed the threat in cyberspace in spring 2024 as higher than ever before.
Almost a fifth of all global cyber incidents over the past twenty years affected companies in the financial sector. According to the International Monetary Fund (IMF), the damage has totalled almost 12 billion US dollars since 2004. The number of incidents, in particular cyberattacks, has risen steadily in recent years.
A cyber incident is an accidental or malicious event that can negatively affect the confidentiality of data and the availability of IT systems or networks, or that violates security policies, security processes or terms of use. Such incidents can occur at the supervised entities themselves, but also at their outsourcing providers.
Cyber incidents affecting companies in the financial market or infrastructures can significantly impair the functioning of the financial system and, in extreme cases, lead to systemic crises. This can occur in particular if, due to close links between companies in the financial sector and service providers, multiple companies are affected by an incident at the same time.
The inaccessibility of critical systems and functions, breaches of data confidentiality and high financial losses can damage trust and the reputation of the financial industry in the eyes of investors and consumers. Cyber incidents can trigger financial crises at the companies affected and undermine confidence in financial stability as a whole. This can lead to liquidity outflows, for example in the form of bank runs.
Cyberattacks have the potential to cause significant damage
Cyberattacks with serious consequences pose a risk with significant damage potential. However, the probability of a successful cyberattack is lower than that of other IT incidents, such as system failures. Since they form part of the critical infrastructure, companies in the financial sector are an attractive target for cyberattacks. They present an attack surface either directly or via their critical (IT) service providers. In particular, vulnerabilities in software applications or software updates represent a major risk and serve as an entry point for cyberattacks.
Companies in the financial sector can also be affected through their business relationships with companies in the real economy whose continued existence is threatened following a cyberattack. In such situations, there is a risk of loan defaults. According to a study published by the digital association Bitkom in August 2024, 65% of the companies surveyed now fear that cyberattacks could put them in a situation that threatens their continued existence. This figure was 52% in the previous year.
More risks through outsourcing and artificial intelligence
Outsourcing to (IT) service providers increases the attack surface in the financial sector. IT service providers and in particular cloud environments are increasingly being targeted by cyberattacks. The risk of effective cyberattacks with serious consequences is also increased by the use of generative artificial intelligence.
For one thing, more and more companies in the financial sector are using generative AI, which provides attackers with new potential vulnerabilities to exploit. Added to that, cybercriminals are also using generative AI to develop new and highly efficient attack methods and malicious code. For example, high-quality phishing messages can be created quickly using AI, which makes fraudulent information and requests harder to identify.
Deepfakes, in which image, audio and video recordings are manipulated with the help of AI, can also be used to gain the trust of victims and trick them into handing over data. Such forms of attack based on digital deception will increase as generative AI is further developed.
Quantum computing: protective measures needed now
The use of powerful quantum computers threatens IT security because they can break the public-key cryptographic systems in widespread use today, such as the tried-and-tested Rivest-Shamir-Adleman (RSA) scheme and elliptic curve cryptography (ECC). Such methods are fundamental elements of IT security in the financial industry. The “harvest now, decrypt later” approach reinforces this threat: data that is encrypted today can be captured and stored so that it can be decrypted later, once sufficiently powerful quantum computers exist.
However, many companies underestimate this threat: the BSI warned that operators of critical infrastructures, including banks, did not pay sufficient attention to these risks. Companies in the financial sector must take protective measures now to protect security-relevant data in the long term. Only then will they be equipped for the future. To achieve this, companies need to make sufficient investments now.
They should identify data at risk of being compromised through quantum computers and draw up a protection plan with a specific implementation timeframe. The protection plan should take into account existing technical possibilities and standards, such as the use of post-quantum cryptography. It must be designed in such a way that IT risk management can react flexibly to future developments and implement upcoming security recommendations and standards. In 2024, the US National Institute of Standards and Technology (NIST) set out for the first time clear post-quantum cryptography standards for the protection of organisations against quantum hacking. The G7 Cyber Expert Group also highlights the risks of quantum computing and refers to the NIST standards.
DDoS, ransomware and phishing still widespread
Distributed Denial of Service (DDoS) attacks are the most common form of attack: they overload data networks with a flood of data requests. Attackers have repeatedly succeeded in disrupting the availability of online services through DDoS attacks on companies in the financial sector.
However, the biggest threat to companies in the real economy and the financial sector comes from ransomware attacks. Companies in the financial sector have fallen victim to several successful ransomware attacks in recent years. In some cases, the attackers not only succeeded in encrypting and accessing data but were also able to considerably disrupt the business operations of the affected companies.
Customers also remain a target
Phishing and social engineering attacks are also still a common method of accessing sensitive data and login information. In June 2024, the addresses, account and tax data of tens of thousands of customers were stolen in a cyberattack on the subsidiary of a major German bank.
In a new variant of such attacks, criminals send fake letters with QR codes and use the links they contain to gain access to accounts. A major German bank warned its customers about this in September 2024.
Cyberattacks economically or politically motivated
Attacks can be economically or politically motivated. Government-initiated attacks are becoming more prominent. As part of critical infrastructure, companies in the financial sector are also increasingly the focus of such attacks.
According to a UN report, around 3.6 billion US dollars were stolen by cyberattackers, including a state hacker group, in attacks on crypto companies over the past seven years. At the end of 2023, 147.5 million US dollars were stolen from a cryptocurrency exchange in a single attack.
Operational incidents far more common
Operational IT incidents at financial companies or their service providers are still far more common than successful cyberattacks. These incidents are usually caused by unintentional errors, for example in software or processes. The causes often lie in faulty updates or in companies’ change processes, for example when configuration errors occur during system customisations.
Operational IT incidents can also significantly impair the availability of services and thus jeopardise the financial market. This is especially critical when incidents affect major payment or IT service providers with a large number of customers in the financial sector.
Last year, problems at IT and payment service providers repeatedly led to disruptions in cashless payment transactions. Customers of affected companies were temporarily unable to make payments by card. The most prominent IT incident of last year affected the US company CrowdStrike in July and was due to a faulty update to an IT security tool.
Data from incident reporting under PSD2
Up until 17 January 2025, only payment service providers, i.e. banks and payment processors, had to report payment incidents to BaFin in accordance with the second Payment Services Directive (PSD2). Payment incidents are IT incidents that affect payment services. This enabled BaFin to identify and monitor payment security risks.
In the first three quarters of 2024, around 258 payment incidents were reported to BaFin (see Figure 9). This represents a significant increase in the number of reports compared to previous years, which is primarily attributable to numerous incidents at IT service providers and payment service providers. In several cases, these incidents affected multiple financial companies, which led to a large number of reports to BaFin from various institutions.
Figure 9: Total number of reports on payment incidents
*The figures for 2024 include incident reports from the first three quarters of 2024.
Source: BaFin diagram, as at 30 September 2024
The incidents mainly resulted from system and process errors alongside human error. The large number of such incidents shows how important it is for companies to have resilient systems and processes in place.
The incidents reported also highlight the significance of outsourcing providers for the operational resilience of the financial sector. In around 67% of the reports in the first three quarters of 2024, the cause was not the bank itself, but one of its service providers. This shows that financial companies also need resilient service providers in order to achieve a high level of operational resilience.
The reported incidents mostly related to transaction processing and online and mobile banking. Most of the reports came from significant institutions (SIs) and multi-client IT service providers.
Around 2.3% of reports in the first three quarters of 2024 related to security incidents, including cyberattacks. As in previous years, security incidents thus only accounted for a small proportion of the reports. There are various possible explanations for this: for example, it might be that the institutions were able to successfully defend themselves against attacks, that the attacks did not have any effect on payment-related services, or that the effects did not cross the thresholds for submitting a report to BaFin. The low number of security incidents does not mean that there were not many attacks in 2024, or that the risk of being the victim of a cyberattack was low. On the contrary, the risk remains high.
New reporting obligation for ICT incidents under DORA
The Digital Operational Resilience Act (DORA) has been in force since 17 January 2025. DORA harmonises the reporting system for serious information and communication technology (ICT) incidents for all financial companies. In addition to banks and payment service providers, insurers, investment firms and all other financial companies falling within the scope of DORA must now also report ICT-related incidents.
The new reporting obligation has a much stronger focus on cyberattacks. BaFin is therefore likely to register a higher number of security incidents. This will enable BaFin to obtain a more comprehensive picture of the cybersecurity situation in the financial sector and to better respond to developments and risks.
Risk awareness of companies in the financial sector
Companies in the financial sector largely take the risk of IT incidents into account in their risk management. Most of them have invested in IT security. However, they must continuously monitor current developments and threats, adapt their security measures and ensure they are prepared for crisis scenarios. BaFin believes that the favourable earnings situation of credit institutions in 2024 will provide a good basis for increased investment in IT security.
DORA imposes specific requirements on companies. The aim is to strengthen the resilience of the financial market against IT failures and cyberattacks and to improve companies’ ability to continue their operations following an IT incident. Companies should also establish standardised templates and communication channels for rapidly sharing information on attacks and threats with all relevant stakeholders.
BaFin's line of approach
- As set out in DORA, BaFin has been established as the reporting hub for ICT-related incidents for the German financial sector. BaFin will consolidate the information it receives and create an overview of cyber risks for the financial sector. This overview will serve to highlight the cyber threats facing the financial industry, expose the vulnerability of the supervised companies and their IT service providers and record any (successful) cyberattacks that have taken place.
- From 2025 onwards, BaFin will gradually implement the Systemic Cyber Incident Coordination Framework (EU-SCICF) together with the other European national supervisory authorities and the European supervisory authorities EBA, ESMA and EIOPA. This framework is intended to facilitate communication and coordination between authorities in the event of cyber incidents that pose a risk to financial stability.
- BaFin established a cyber roundtable in 2024 to provide a familiar setting in which it can quickly exchange information on threats and current developments with companies in the financial sector in the event of a crisis. It will intensify this dialogue in 2025. This means that medium-sized companies will also be included and the dialogue will no longer be limited to crisis situations.
- Together with the supervised companies, BaFin conducts cross-sector crisis management and emergency exercises with simulated cyberattacks. It also checks whether the companies that are obliged to do so carry out threat-led penetration tests. All of these measures serve to prevent cyberattacks, but also to ensure they are handled adequately should they occur. The measures are intended to ensure that all parties involved react quickly and in a coordinated manner in the event of a crisis so that the stability of the financial system is not jeopardised.
- BaFin actively participates in the National Cyber Response Centre (Nationales Cyber-Abwehrzentrum) and is cooperating closely with other national and international authorities. Through this, BaFin aims to ensure it is informed of incidents and hazards at an early stage so that it can pass this information on to other authorities or supervised companies.
- Companies are increasingly taking out insurance for cyber risks. BaFin will survey insurers on the development of the cyber insurance business segment in order to gain a better overview of this business. This will also prepare companies for future regulatory reporting.
Risks in BaFin's Focus 2025