AI in Financial Services: When Data Security Comes to the Fore
As AI becomes integral to every aspect of financial services, banks and other financial institutions must increasingly prioritize their defenses against an expanding array of data threats.
As we venture deeper into 2025, it’s an opportune time to remind ourselves that wherever AI hasn’t already permeated, it will, in all likelihood, reach sometime this year.
From a cyber threat perspective, because AI-powered attacks bring new risks at a quicker pace, financial services institutions must take steps to swiftly identify and prioritize threats for mitigation based on their potential impact, if they don’t already have such a mechanism in place.
According to the Thales 2024 Data Threat Report (Financial Services Edition), threats to data security have increased as the digital landscape has evolved. Almost all financial services respondents (95 percent) said they saw a rise in attacks, nearly doubling the percentage in 2022 (50 percent). The top three fastest-growing types of threats reported by FSI organizations were malware, application vulnerabilities, and phishing.
Various Attacks
Compared with the same survey in 2022, malware retained first place, while application vulnerabilities replaced ransomware for second place and phishing replaced credential stuffing for third place. This makes sense as many attacks today begin with a phishing attack, followed by exploitation of an application vulnerability, and then deployment of malware that enables remote command and control and lateral movement within the organization.
With an AI boom underway in the financial services sector, data security threats are likely to climb further this year. For instance, in the aforementioned survey, 27 percent of FSI respondent organizations plan to integrate AI into their core products and services in the next 12 months.
Cybersecurity Regulations
This is 5 percentage points higher than the overall response across all industry sectors. Besides the pressure from within the business, organizations are being squeezed from the outside.
Financial services firms are facing heightened cybersecurity regulations across the globe. Besides the well-known Bank Secrecy Act and the Gramm-Leach-Bliley Act in the US, and the Digital Operational Resilience Act in the EU, many APAC financial services providers need to comply with country-specific regulations such as the technology risk management guidelines of the Monetary Authority of Singapore or India’s Digital Personal Data Protection Act.
These regulations change over time and need to be monitored by industry players.
Consolidated View
Data storage and usage across the FSI enterprise are immensely complex, owing to the need to track and manage vast volumes of data across multiple environments and solutions. One of the biggest challenges today in managing complex data environments is the absence of a consolidated view of all the risks confronting an organization’s data. This leads to overlooked incidents and, ultimately, damage to the business.
Conversely, a clear, consolidated view of all their data assets will give financial services institutions more complete risk visibility and prioritization, lowered operational complexity, and diminished total cost of ownership.
Behavioural Analytics
To make this happen, organizations must be able to analyze their entire data estate (using technologies such as posture and behavioural analytics) to deliver deep visibility. Security teams must have a comprehensive view of data risk across key dimensions (including organizational, asset, and regulatory), and use the appropriate integration of threat detection, encryption, and access control to proactively identify, assess, and manage data security risks across all data environments.
Only with such a risk-focused approach, data simplification, and implementation of the necessary remediation measures can organizations strengthen their security and better protect their business within their limited resources.
Intelligence Solutions
Thales’s Data Risk Intelligence (DRI) solution harnesses crucial data from Imperva Data Security Fabric (DSF), CipherTrust Platform, and third-party solutions to seamlessly connect a comprehensive range of data risk indicators.
The sophisticated analytics within DSF DRI empower it to present DSF users with a clear understanding of risks related to:
- User permissions;
- Data source vulnerabilities;
- Suspicious activities;
- Unencrypted sensitive data; and
- Overall organizational risk factors
By integrating DRI within their Imperva DSF, financial services firms gain a consolidated view of key data risk metrics that are transparent, flexible and customizable. This enables a precise understanding of their risk profile, and pinpoints critical areas where resources should be applied to maximize efficiency and effectiveness.
Think for the Future too
Adopting effective solutions to protect data while meeting unique requirements and regulatory compliance needs, as above, will serve organizations’ current needs.
In the longer term, however, in tandem with the rise of quantum computing, financial services institutions also need to consider strategies that ensure agility and resilience against present and future threats, such as “harvest now, decrypt later” attacks, where information is stored today to be decrypted when quantum computers become available.
In fact, in the above 2024 Thales survey, nearly three-quarters (72 percent) of FSI respondents said that future encryption compromise is their top concern among security threats related to quantum computing.
Prepare for Post-Quantum Cryptography
Financial services institutions should prepare for post-quantum cryptography (PQC) now by creating a trusted environment for their business to test PQC-ready encryption, identify potential implications that quantum computing may have on the security of their infrastructure, and develop plans to quickly adjust.
Interim solutions, like using longer symmetric key lengths or out-of-band keys, should be considered. By getting a head start, organizations will minimize disruption to themselves and their customers, reduce costs and risks, and ensure business continuity during the transformation. Crucially, it will also position organizations to be fully compliant with NIST and other industry PQC regulations as soon as they are announced.
Security leaders must find the time and resources to implement broad, long-term cybersecurity measures such as the above. Only then can organizations confidently protect critical data, meet regulatory compliance, and ultimately deliver business impact.