IO’s third annual State of Information Security Report revealed the key challenges security leaders are facing in 2025, from AI-powered attacks to compliance struggles. Professionals from a range of industries shared how they’re securing the supply chain, approaching strict regulatory requirements, and tackling AI-driven threats.
Our respondents included over 130 security professionals working in the finance industry across the US and the UK. Their responses shed light on the top information security challenges the finance industry has faced in the last 12 months, actions leaders have taken to build organisational resilience, and their priorities for the year ahead.
Discover the top 11 finance industry statistics from this year’s Report.
Key Information Security Statistics for the Finance Industry
Supply Chain
- 51% of finance organisations have been impacted because of a cybersecurity or information security incident caused by a third-party vendor or supply chain partner in the last 12 months.
- 88% of finance organisations have strengthened third-party and vendor risk management in the last 12 months.
Cyber Incidents
- 43% of finance organisations experienced phishing/vishing incidents in the last 12 months.
- 98% of finance organisations say they are confident in their organisation’s incident response.
Priorities and Challenges
- Finance organisations ranked enhancing employee security awareness and behaviour as their top information security priority (31%).
- AI phishing is the top emerging threat concern for finance organisations (48%).
- Securing emerging technologies such as AI, ML and blockchain is the top information security challenge (47%) for finance organisations.
Leadership Matters
- 87% of respondents from the finance industry agree that their organisation has a clear and well-communicated information security strategy.
- 87% agree that every business should have someone responsible for information security at board level.
Compliance Management
- 46% of finance organisations say that boosting their ability to securely adopt new technologies (e.g. cloud, AI) is their top motivation for ensuring strong information security and compliance.
- 36% of finance organisations received fines between £251,001-£1,000,000 for data breaches or violation of data protection rules in the last 12 months.
Supply Chain Security
Over half (51%) of the finance organisations we surveyed said they’d been impacted by a cybersecurity or information security incident caused by a third-party vendor or supply chain partner in the last 12 months. More than one in five (21%) said they’d been impacted multiple times. Repercussions for the affected organisations ranged from financial loss (38%) to reputational damage and loss of customer trust (both 27%).
High-profile cyber incidents like the attacks on Jaguar Land Rover (JLR) in September and retail giant Marks & Spencer (M&S) in April highlight the havoc that supply chain vulnerabilities can wreak.
The JLR incident is predicted to have cost £1.9 billion in estimated losses and affected 5,000 businesses in total, with suppliers facing delayed payments and cash flow disruption. Meanwhile, the ransomware attack on M&S led the business to shut down online orders completely. In both cases, disruption lasted over a month.
With incidents like these becoming increasingly common, finance organisations are evidently treating supply chain security as a priority. 88% of Report respondents say their organisation has strengthened third-party and vendor risk management in the last 12 months, while 12% say they plan to do so in the coming year. 58% also plan to increase their spend on supply chain and third-party vendor security in the next 12 months.
Cyber Incidents, Challenges and Priorities
Employees are often targeted by threat actors as gateways into an organisation’s network – and beyond. Many successful supply chain attacks are caused by attackers compromising employee credentials, whether those credentials belong to an employee at the target organisation or at a supplier.
As such, it’s no surprise that finance organisations ranked enhancing employee security awareness and behaviour as their top information security priority (31%) for the next year. This is for good reason – more than two in five (43%) respondents said they’d experienced a phishing or vishing incident in the last 12 months.
The rapid evolution of artificial intelligence (AI) and machine learning (ML) technology has also created new challenges for businesses. Finance organisations ranked AI phishing as their top emerging threat concern (48%) for the next 12 months, as threat actors leverage the technology to increasingly convincing effect.
AI implementation is another challenge the industry faces. More than half (53%) of finance organisations said their business had implemented AI technology too quickly and is now facing challenges in scaling it back or implementing it more responsibly. In line with this, respondents ranked securing emerging technologies such as AI, ML and blockchain as their top information security challenge (47%).
As businesses look to implement more stringent, ethical AI systems, it’s important to take a strategic approach to AI governance. Standards like ISO 42001 can provide guidelines and guardrails for organisations. ISO 42001 specifically provides a framework for the responsible design, development, and deployment of an AI management system (AIMS). Organisations can use this framework to ensure compliance with regulations such as the EU AI Act and proactively address AI risk.
Senior Leadership Involvement
Information security has historically been viewed as solely the remit of IT departments, but that view is rapidly changing. After all, information security is an organisation-wide concern, requiring engagement and awareness from employees whether they’re on the executive team or a new starter.
Security leaders are now pushing for board-level oversight and involvement. Nearly 9 in 10 (87%) of finance industry respondents agree that every business should have someone responsible for information security at board level. The same number agree that their organisation has a clear and well-communicated information security strategy, suggesting that organisations where boards have oversight and understanding of information security priorities benefit from clear improvements at a strategic level.
Compliance Motivations
Over one in three (36%) of finance organisations received fines between £251,001-£1,000,000 for data breaches or violation of data protection rules in the last 12 months; just under a quarter (24%) said they hadn’t received a fine. Alongside growing cyber threats, businesses are also contending with stringent regulatory requirements and watchful regulators.
However, finance organisations are increasingly using compliance as a catalyst to unlock innovation and growth. Finance industry respondents ranked boosting their ability to securely adopt new technologies such as cloud and AI as their top motivation (46%) for ensuring strong information security and compliance. Respondents also ranked their improved quality of business decisions due to secure and reliable data as providing the best information security compliance ROI (42%) in the last 12 months.
Proactivity is Key
While security leaders in the finance industry are facing an array of information security challenges, from the growing AI attack surface to supply chain security, the Report reveals that they’re also taking key steps to stay ahead. They’re working to improve employee information security training and awareness, investing in supply chain security and strengthening supply chain risk management, and implementing AI systems more securely and ethically.
By proactively embedding information security best practices organisation-wide, businesses can simplify their compliance efforts, grow customer trust, and boost digital resilience. We look forward to seeing how finance organisations have bolstered their security in next year’s Report.










