Inside the new threat landscape: what big banks and FS organisations are really up against w/ Tom Edwards & Paul Comber


Cyber. AI. Deepfakes. Quantum. Cloud. IoT. The risk landscape facing big banks and Financial Services institutions is shifting faster than many can adapt.

For this edition of Behind the Controls, I sat down with Paul Comber, a senior technology and cyber risk leader with 25 years across global banks and three lines of defence. Now based in Milan after roles in London and Paris, Paul has seen real incidents, real failures and real gaps up close.

We talked about the threats banks face today, the ones they’re not ready for, and why technology risk has reached a tipping point.


The threat that keeps evolving

Cyber and data security aren’t new topics. But the dynamic has changed. Now we see the emergence of new or evolved threats that compound different risks.

Yet most of the problems we have come back to basic issues.

Paul references the significant 2023 ICBC banking incident, where LockBit ransomware was deployed simply because a publicly exposed server hadn’t been patched. No zero-day vulnerability. No highly complex exploit. Just basic control hygiene missed.

He also refers to the 2024 Snowflake event that resulted in the mass theft of Santander’s US staff data. It could have been prevented with standard access controls, such as restricting connections to trusted sources and requiring MFA.

These aren’t isolated cyber cases.

Recent UK examples like Marks & Spencer and the Co-op highlight how quickly attackers can disrupt operations, steal data, or both. And they can be very expensive: Jaguar Land Rover’s ransomware attack is currently projected to cost an eye-watering £1.9 billion.

Ransomware is a good example of an evolving threat. Paul explains that more recently it has shifted shape via:

  • Ransomware-as-a-Service
  • Double extortion (encrypt + steal)
  • Greater involvement of organised groups and nation states as Advanced Persistent Threats
  • Attacks that hit operational systems as well as data.

Another growing threat is hyper-scale distributed denial of service attacks launched from infected IoT devices; so far, however, the major technology vendors have shown that these can generally be managed.

So, the threats haven’t just grown, but also advanced and professionalised.


AI: attacks built in minutes, not months

AI is accelerating everything. Paul points to a recent example highlighted by Anthropic:

“Sophisticated attacks that once took months can now be built in minutes.”

This isn’t hypothetical. AI lets attackers:

  • scan vast amounts of open-source data and vulnerabilities
  • generate personalised phishing at scale
  • write malware variations instantly
  • map an organisation’s digital footprint automatically and make exfiltration plans.

The idea of slow-moving, patient attackers is fading.

Today, entry-level threat actors can execute advanced attacks using tools that do the heavy lifting for them.

For financial services, this means the volume and believability of attacks are rising at the same time. And they’re much more targeted.

All is not lost, though. As Paul explains, AI can also enable defence and protection, helping to level the field for those that invest.


Cloud risk: the external weak link

Banks have invested heavily in cloud for more than a decade. But risks remain.

Cloud isn’t the problem; in fact, it can be an opportunity to reduce risk. It’s how you configure it and how you migrate that matters.

Paul references the 2020 HDFC bank incident, which exposed data and source code hosted on AWS and showed how weaknesses in cloud security, misuse of cloud and inappropriate set-up of access can quickly generate significant operational risks.

And this pattern keeps repeating. Not because the technology is flawed, but because environments are misconfigured, rushed, or poorly understood. Paul quotes Gartner, who predicted that 99% of cloud security failures this year will be due to customer misconfiguration.

He also highlights several other trends driving and compounding risk:

  • inconsistent governance across cloud platforms
  • limited cloud architecture expertise in legacy teams
  • rapid API expansion, especially after Open Banking
  • over-reliance on suppliers, without understanding shared responsibility
  • new data and digital sovereignty challenges, as well as concentration and lock-in risks.

The shift to cloud in its different forms also creates a wider ecosystem. Your systems sit inside a cloud provider’s stack, which may sit inside another provider’s stack, connected to third parties… and their third parties.

“We’re not in a castle with a moat anymore. We’re in an ecosystem connected to ecosystems.”

And as Paul puts it, modernisation itself becomes a risk. Large institutions face complex migrations, legacy dependencies and operational resilience challenges each time a service is moved.

FinTechs and neobanks, however, start differently. They build cloud-native from day one: clean architecture, consistent standards, modern identity models and well-understood dependencies.

Traditional banks must retrofit those same principles onto decades of layered systems.

This means their cloud journey is less about adoption and more about disciplined transformation: unpicking old designs, closing inherited gaps, retraining teams, and hardening controls at scale.


Zero Trust: the reality, not the buzzword

Zero Trust can feel abstract. Paul cuts through that.

“Never trust, always verify.”

The old assumption was simple: if you’re inside, you’re trusted.

But the model no longer works. Remote work, mobile devices, cloud systems and compromised credentials have dissolved the perimeter completely.

Real-world changes driving this shift:

  • widespread remote working since 2020
  • mobile devices and home networks
  • cloud-hosted data and decentralised systems
  • compromised credentials through phishing
  • insiders connecting from anywhere

So, identifying “Tom” isn’t enough, explains Paul. Banks need to detect when “Tom” is behaving in a way Tom never behaves.

He puts it plainly: even your banking app could already be analysing your behaviour silently:

  • Does Tom normally log in at 4am?
  • Does Tom usually check his balance first?
  • Does Tom use face ID or does he normally type his password?
  • Is this Tom’s usual device?
  • Why is the login attempt coming from Thailand?
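The questions above are behavioural analytics in miniature: build a baseline of how Tom normally behaves, then score how far a new login departs from it and decide whether to allow it, step up authentication, or raise an alert. The block below is an added illustration written for this article, not code from the newsletter, from Paul, or from any bank’s app; the event fields, the signal weights, the “rare” threshold and the decision cut-offs are all assumptions, and Tom’s login history is constructed sample data.

```python
"""Behavioural login scoring for the questions above (hour, first action,
auth method, device, country). Added illustration, not code from the
newsletter or any bank: event fields, weights and thresholds are assumed."""
from collections import Counter
from dataclasses import dataclass, field

FIELDS = ("hour", "first_action", "auth_method", "device", "country")

# Assumed weights: an unknown device or country counts for more than time of day.
WEIGHTS = {"hour": 1.0, "first_action": 1.0, "auth_method": 1.0,
           "device": 2.0, "country": 3.0}
RARE = 0.15  # below this share of past logins a value is treated as "rare"


@dataclass
class Profile:
    """Baseline for one user: how often each value was seen in past successful logins."""
    counts: dict = field(default_factory=lambda: {f: Counter() for f in FIELDS})
    total: int = 0


def build_profile(history):
    """Count each field's values over the user's past successful logins."""
    profile = Profile()
    for event in history:
        for f in FIELDS:
            profile.counts[f][event[f]] += 1
        profile.total += 1
    return profile


def _share(profile, f, value):
    """Fraction of past logins matching this value; hours match within +/- 1 hour."""
    if profile.total == 0:
        return 0.0
    if f == "hour":
        matches = sum(profile.counts[f][(value + d) % 24] for d in (-1, 0, 1))
    else:
        matches = profile.counts[f][value]
    return matches / profile.total


def score_login(profile, event):
    """Return (score, reasons): full weight for a never-seen value, half for a rare one."""
    score, reasons = 0.0, []
    for f in FIELDS:
        share = _share(profile, f, event[f])
        if share == 0.0:
            score += WEIGHTS[f]
            reasons.append(f"{f}={event[f]!r} never seen for this user")
        elif share < RARE:
            score += WEIGHTS[f] / 2
            reasons.append(f"{f}={event[f]!r} rare ({share:.0%} of past logins)")
    return score, reasons


def decide(score):
    """Map the score to an action (thresholds are assumed)."""
    if score >= 5.0:
        return "alert"      # block and investigate
    if score >= 2.0:
        return "step_up"    # ask for a second factor before continuing
    return "allow"


def make_event(hour, first_action="balance", auth_method="face_id",
               device="iphone-A1", country="GB"):
    """Build one login event dict (constructed values, not a real log format)."""
    return {"hour": hour, "first_action": first_action, "auth_method": auth_method,
            "device": device, "country": country}


# Constructed history for "Tom": mornings and early evenings, usually checks his
# balance first, face ID on one iPhone (password once), always from GB.
TOM_HISTORY = [
    make_event(8), make_event(9), make_event(8, "statements"), make_event(19),
    make_event(8), make_event(9, auth_method="password"), make_event(20),
    make_event(8), make_event(9, "statements"), make_event(8),
]

if __name__ == "__main__":
    tom = build_profile(TOM_HISTORY)
    for label, event in [
        ("usual morning login", make_event(9)),
        ("4am, transfer first, password, new Android, Thailand",
         make_event(4, "transfer", "password", "android-Z9", "TH")),
    ]:
        score, reasons = score_login(tom, event)
        print(f"{label}: {decide(score)} (score {score})")
        for reason in reasons:
            print("  -", reason)
```

The point of the design is that no single signal decides: a new device on its own only triggers step-up, while a new device plus a new country at an unusual hour crosses into an alert. In production the baseline would be rebuilt continuously and the thresholds tuned against false-positive rates, but the shape of the check is the one Paul describes.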

This is where newer organisations have an advantage:

“If you start from the ground up, like a neobank or fintech, you can build Zero Trust into the design from day one.”

Larger, established banks don’t have that luxury. They have legacy estates, on-prem systems, multiple generations of architecture and millions of users, all built long before Zero Trust existed as a term. Which means their path is different: incremental change, modernisation, new controls layered over old ones, continuous monitoring, and a long-term transition rather than a clean start.

“If you have a huge environment, you can keep moving towards lower trust within the network by deploying different technologies, segmentation and policies, etc. It’s a journey.”

In summary? New players can build Zero Trust. Large institutions must become Zero Trust, step by step, system by system, behaviour by behaviour.


Deepfakes: the identity problem no one is ready for

Deepfake-enabled fraud is already happening.

We’ve digitalised our lives to the point we trust the screen more than the person.

Paul mentions the real case of Arup, where fraudsters deepfaked a senior team from the target’s own company on a video call, with convincing voices, faces, accents and natural movement, and persuaded an employee to send a large-value payment.

He also highlights:

  • spoofed passports and utility bills
  • fabricated ID documents indistinguishable from real ones
  • onboarding journeys where fraudsters sail through KYC checks
  • deepfake videos used to set up bank accounts.

It’s now possible to create realistic passports, IDs and even utility bills, then match them to a fully deepfaked video. Synthetic people who shouldn’t pass anything can pass identity checks.

And remote working has weakened the human safety net. Few of us question someone’s identity on a screen. Paul even shares his own experience: after interviewing entirely online for a previous role, he insisted the final stage be in-person, just to ensure the job (and people) were real.


Quantum: when data stolen today becomes decrypted tomorrow

Quantum used to be a problem for “the far future”. Not anymore.

The timeline is shortening. We may see usable quantum within five to ten years.

This amplifies a growing threat: harvest now, decrypt later. Attackers steal encrypted data today. It has limited value now. But once quantum becomes available, that same data may become readable.

For Financial Services, with decades of sensitive data, market positions and client information, the implications are enormous.

Encryption today gives a false sense of safety if quantum can break it tomorrow.

Banks need quantum-safe encryption plans now, not when quantum is already in the hands of attackers, says Paul.


So what can banks and Financial Services organisations do?

Paul is clear: the fundamentals still matter:

  • patch systems
  • harden devices
  • modernise architecture
  • strengthen access controls
  • invest in cloud-first skills
  • improve third and fourth-party risk oversight.

Many incidents, including the ones he cited, come back to gaps in the basics. But after the basics, the priorities must shift, he adds:

  • aim for Zero Trust, not perimeter defence
  • expand fraud detection to counter deepfakes
  • implement stronger identity controls, which matter even more in the new Agentic AI world
  • invest in anti-phishing and behavioural analytics, especially as insider risk is growing
  • prepare encryption for the quantum era.

And above all:

“Perhaps the biggest risk to banks meeting these objectives is a failure to match resources and prioritisation against the increasing risk.”

It echoes what we saw in earlier editions of Behind the Controls: cost pressure across governance functions, freezes, restructures, headcount cuts. Cyber and technology risk consistently rank in every board’s top three risks. But investment doesn’t always follow.


Final thoughts

The threats facing Financial Services aren’t new. But the combination is. AI accelerates everything. Cloud expands everything. Deepfakes distort everything. Quantum could rewrite everything. Current geopolitics is adding a new dimension, and a tokenised system could change it all again!

And the real-world cases Paul shared show this isn’t theoretical. It’s already happening: JLR, M&S, Co-op, ICBC, Santander, HDFC, Arup, through ransomware, corporate deepfake fraud, fake onboarding, cloud breaches and unpatched infrastructure. He explains that, partly in response, regulators are becoming more prescriptive with new laws such as the EU’s DORA and the UK’s Cyber Security Bill.

Technology risk is a strategic and a potentially existential-level corporate risk. And staying safe, secure and resilient requires more than just new tools: it requires investment, prioritisation and readiness for an environment that’s changing faster than banks and FS organisations are resourcing it.


Over to you

Which of these threats feels most urgent for your organisation? Is your investment, in people, controls and technology, keeping pace with the risk?

Share your thoughts in the comments. I’d love to hear how your teams are preparing for what’s coming next.


Want more insights like this?

Subscribe to Behind the Controls to stay ahead of what’s shaping Audit, Risk and Compliance leadership, and how top professionals are navigating it.
