Cybersecurity considerations for the financial services sector

As Chief Information Security Officers (CISOs) at financial services organisations embrace digital transformation and cloud adoption, they face several challenges. These include safeguarding critical assets, managing an expanding attack surface, and navigating a complex regulatory landscape. CISOs across the sector must deliver on a broad array of imperatives while operating in a world of reduced visibility and heightened noise due to the proliferation and resulting complexity of data. The capability to focus simultaneously on vulnerabilities, critical assets and incidents has become essential.

While budgets are not necessarily shrinking, they are also not increasing in proportion to rising demands. CISOs must continuously justify their current expenditure while struggling to secure additional funding for essentials such as automation and cloud security. A greater challenge lies in the tension between allocating budgets to innovative solutions incorporating artificial intelligence (AI) and machine learning (ML), versus ongoing regulatory remediation, given the global rise in new cyber rules and standards. Additionally, financial services CISOs must navigate an onslaught of multi-regional regulations that are becoming increasingly rigorous and complex.

To stay ahead of these challenges, CISOs are turning to advanced technologies such as AI and ML to automate security operations, reduce false positives, and streamline incident response. However, technology alone is insufficient. CISOs need to foster collaboration and ensure their programmes align with business objectives by maintaining open communication with senior leaders. Change is already underway. According to KPMG research, 74 percent of financial services organisations say cybersecurity is typically involved from the earliest planning stages of technology investment and has a strong influence on the decision-making process.

In the aftermath of the pandemic, many organisations found themselves with bloated second lines of defence. This eventually led to a reassessment of existing roles and responsibilities. We encourage CISOs to work closely with the second line of defence — which oversees controls — to focus on operational key performance indicators (KPIs) as proxies for the overall health of the digital environment, and to align those KPIs with the relevant key risk indicators (KRIs). As always, CISOs must be proactive and adaptable, continuously assessing cybersecurity, identifying gaps, and implementing strong yet flexible controls to mitigate risks.

Cybersecurity considerations for New Zealand's financial services sector

These global insights resonate strongly with what we’re seeing in the New Zealand market. The need to directly mitigate the risk of ongoing technology-led transformations, continuing adoption of cloud services, and increasing use of AI – are all areas that continue to need close attention.

The data aspect of all this change has only become more critical. For all those organisations needing to do more with existing budgets, the use of AI to assist with routine cyber security tasks is now an important tool for freeing up cyber staff to focus on the really important stuff, cutting through the noise they currently experience.

Global top priorities for cyber in FS include continuous monitoring and management of third-party security risk to create more resilient supply chains; embedding security into AI approaches; and the critical role of identity in security.

We believe the role of identity and how it can help both buy down risk and enable business transformation is one of the most important opportunities for New Zealand organisations.

Key cybersecurity considerations for financial services CISOs

AI and ML can assist financial services organisations in automating routine cybersecurity tasks, thereby reducing the burden on understaffed teams. With current processes, data noise leads to numerous false positives. However, the reality is that there are not enough personnel to manage the volume. AI solutions can help reduce false positives, automatically assign tasks, and escalate critical issues to better manage security detections, prioritise and patch vulnerabilities — areas under significant regulatory scrutiny. This can enhance operational efficiency and improve compliance with regulations such as the General Data Protection Regulation (GDPR) and the Federal Financial Institutions Examination Council (FFIEC).

Key challenges:

Cyber skills gap: Financial services organisations continue to face a shortage of skilled cybersecurity professionals. This compounds the difficulty of addressing the increasing complexity and volume of cyber threats.
Resource allocation: Without automation, professionals are consumed by routine tasks, leaving less time to address and analyse complex security threats.
Regulatory pressure: Financial institutions are subject to frequently evolving regulatory requirements. Continuously adapting to new standards can be resource-intensive and requires careful management to avoid errors.

Key opportunities:

Enhanced threat detection: AI and ML offer advanced capabilities for detecting threats, enabling faster and more accurate identification. This can help prevent financial losses and protect sensitive data. Consequently, cybersecurity professionals can focus on more complex and strategic tasks. Indeed, according to KPMG research, 68 percent of financial services professionals agree (24 percent strongly agree) that AI is helping to fill skills gaps among knowledge workers — a challenge that had previously been significant.
Operational efficiency: Automating routine tasks enables continuous monitoring and rapid data analysis. This leads to faster threat mitigation and better resource utilisation. This scalability ensures consistent compliance with cybersecurity regulations and enhances overall resilience.

Many financial organisations recognise the value of using AI and ML in cybersecurity, but adoption varies. Larger institutions currently lead in this regard due to their ability to allocate more resources and onboard additional knowledge workers. Smaller organisations lag behind due to budget constraints. Overall, there is growing appreciation of the need for automation and readiness to implement these solutions in cybersecurity strategies. Looking ahead, AI-related disruption will likely make significant investment in upskilling a strategic imperative, with 40 percent of financial services professionals expecting AI to significantly change job roles over the next 10 years.

The growth of AI presents financial services organisations with numerous opportunities to enhance operations, customer experience, and innovation. However, it also raises concerns around trust, security, and privacy. To maintain data integrity, security, and regulatory compliance, financial institutions must embed trust into their AI adoption strategies. Currently, financial services organisations are approaching AI governance in a manner similar to model risk management, such as with trading algorithms. In terms of CISO involvement, engagement remains insufficient. Many are experimenting with securing AI tools but remain uncertain about how these tools differ from other critical data or algorithms.

Key challenges:

Data privacy and security: AI systems require large datasets, often containing sensitive financial information, making them vulnerable to cyberattacks. Financial institutions must navigate privacy and security concerns amid evolving compliance requirements such as the GDPR, California Consumer Privacy Act (CCPA), and the EU AI Act.
Data quality and bias: Clean, accurate data is essential for effective AI. Issues with classification, quality, and consistency can result in incorrect or biased outputs. This can damage credibility and erode trust in AI systems.
Transparency and explainability: Complex AI models, such as deep learning, often operate as “black boxes” with limited visibility into their decision-making processes. This lack of clarity can complicate the explanation of decisions, which is vital for maintaining customer trust and meeting regulatory obligations.

Key opportunities:

Enhanced security through AI: Leveraging AI and ML for real-time detection and response to security incidents can strengthen the security posture of financial services organisations. AI can identify patterns that indicate potential threats, enabling faster and more precise responses.
Improved data governance and compliance: Employing AI for data governance can help uphold data integrity, accuracy, and compliance with regulatory standards. AI can support automated data classification, anomaly detection, and consistent adherence to privacy regulations, thereby fostering trust and reliability in AI-driven processes.

Financial services organisations recognise the importance of embedding trust in AI, but readiness varies. Some are already implementing data governance and AI explainability tools, while others lack the necessary resources. Awareness of the need for transparency, data quality, and security is growing, and strategies and technologies are evolving to address these concerns.

With the rise of interconnected systems, cyber resilience in financial services is more crucial than ever. CISOs in this sector must manage a broad attack surface, respond swiftly to incidents, and uphold robust resilience practices. In particular, threats to critical infrastructure can significantly disrupt operations and compromise sensitive data. As a result, resilience has become the primary focus of business continuity planning and disaster recovery programmes.

Key challenges:

Extensive attack surface: The digitisation and integration of various systems within financial services have expanded the attack surface, presenting significant challenges in effectively safeguarding all entry points from potential threats.
Rapid incident response: Financial institutions require advanced detection systems and efficient response plans to promptly identify and mitigate incidents.
Regulatory compliance and resilience standards: Financial institutions must adhere to stringent regulatory standards on resilience. These vary depending on their significance and interconnections within the financial ecosystem, adding complexity.

Key opportunities:

Advanced threat detection and response: By leveraging technologies such as AI and ML, financial institutions can identify and respond to cyber threats more efficiently, reducing potential damage and enhancing overall resilience.
Embedding continuous improvement: Financial institutions can strengthen resilience through regular training, investment in advanced technologies, and proactive management of their attack surface.

While larger institutions are leading the way and smaller firms are making progress, cyber resilience is increasingly becoming a second line of defence (LOD) topic — not just a first line concern. This priority also extends to critical third parties and cloud providers. Indeed, there is growing scrutiny over the potential disruption to core business functions if a critical supply chain partner experiences an issue.

Cybersecurity considerations 2025

Modern, robust cybersecurity has become a key requirement for success as threats and costly attacks proliferate.

Download

Top priorities for financial services cyber security professionals

Zero trust architecture: Focusing on identity-centric security and micro-segmentation strategies.

Integrating AI/ML driven tools to automate routine security operations center activities, allowing cybersecurity teams to focus on complex tasks.

Conducting continuous monitoring of third-party vendors to ensure a secure and resilient supply chain.

Developing transparent processes for assessing AI systems, including data classification and quality management, to mitigate privacy concerns and build trust.

Embedding security measures into the development lifecycle of AI technologies to avoid costly retrofitting and potential regulatory or reputational damage.

Engaging with regulatory bodies to stay ahead of compliance requirements and proactively address concerns related to AI implementation.

CASE STUDY: Real-world cybersecurity in the financial services sector

In financial services, regulatory requirements are increasingly pressuring organisations to strengthen their vulnerability management capabilities. The overwhelming volume of vulnerabilities and decisions demands an innovative solution to address these risks consistently and systematically.

A leading investment bank sought to develop and implement AI/ML models to enhance operational efficiency and ensure regulatory compliance. Through close collaboration and a comprehensive assessment of the bank’s needs, the KPMG firm’s project team designed and deployed ML-driven solutions for vulnerability management and incident response. These solutions leverage targeted use cases to identify weaknesses in current operations and determine where innovative approaches can be most effective. The use cases ranged from triage and ownership assignment to criticality adjustment.

The AI/ML models deployed by KPMG not only reduced manual intervention and accelerated decision-making processes but also incorporated built-in compliance checks. These checks helped ensure that human expertise retained proper visibility into the models’ decision-making processes, aligning with regulatory requirements.

Such solutions enable financial services organisations to identify, prioritise, and remediate vulnerabilities more rapidly than ever before. This allows them to address a broader range of risks across their entire environment, strengthening their overall cybersecurity posture.

As the sector continues to face mounting pressure from regulatory bodies, organisations that proactively adopt innovative solutions will be better positioned to swiftly identify, prioritise, and mitigate vulnerabilities. By doing so, forward-thinking institutions can not only safeguard their assets and reputation but also stay ahead of the curve in an increasingly complex and demanding cybersecurity landscape.