By Jake Paulson
Journalist interested in an article on how the IBM X‑Force Threat Intelligence Index 2026 revealed that Europe is the third most attacked region and the impact on the finance sector
Persistent criminal interest in financial data, capital access, and extortion opportunities have long made the financial sector a top prize for cyber-criminals. These attacks have exposed the limitations of approaches that treat security as distinct from core technology operations. The IBM X-Force Threat Intelligence Index 2026 highlights the current scale of the challenge in Europe, which ranks as the third most targeted region globally, accounting for 25% of incidents investigated, with the financial sector again one of the most heavily targeted industries for cybercrime.
Within the finance sector, Europe accounted for the largest regional share of incidents at 35%, likely driven by its concentration of major financial institutions, regulatory complexity across jurisdictions, and central role in global financial markets.
These numbers reflect more than opportunistic cybercrime. Financial institutions sit at the centre of complex digital ecosystems – processing high-value transactions, storing sensitive data and operating interconnected platforms across jurisdictions. As a result, attacks on banks, insurers and financial infrastructure can quickly escalate into operational disruption, regulatory scrutiny and reputational damage.
The ongoing identity crisis
While globally, attackers are increasingly returning to traditional intrusion methods – like exploiting software vulnerabilities to break into systems – in Europe’s financial sector, credential theft is still a top objective in cyber incidents. Credential harvesting accounted for 40% of the incidents investigated by X-Force in Europe. This is a trend that’s been on the horizon for the last few years and doesn’t show any signs of slowing down.
Once credentials are compromised – through phishing campaigns, infostealer malware, or exposure on dark web marketplaces – attackers can move laterally across networks, access cloud services, and escalate privileges with minimal risk of detection. For financial institutions operating large, complex hybrid environments, this creates a particularly acute challenge, as a single compromised account can provide access to multiple systems and sensitive data.
AI is further accelerating this dynamic. Generative AI tools are enabling attackers to scale phishing campaigns, automate reconnaissance and analyse stolen data more quickly than ever before, compressing the time between initial access and operational impact.
Public-facing systems as the new preferred entry point
Another major trend highlighted in the 2026 report is the growing exploitation of internet-exposed systems. In Europe, exploitation of public-facing applications was the leading initial access vector, responsible for 40% of incidents.
These vulnerabilities often emerge in the everyday infrastructure that powers digital banking and financial services: APIs, customer portals, mobile applications and cloud-based platforms. Many of these weaknesses are not new or particularly sophisticated. Instead, they stem from persistent issues such as weak authentication controls, delayed patching of software security vulnerabilities and overlooked dependencies in software ecosystems.
For financial firms that rely heavily on interconnected digital services, even a minor vulnerability in a customer-facing system can provide attackers with a foothold into critical internal infrastructure.
Supply chains and systemic risk
Financial services do not operate in isolation. Banks, insurers and investment firms depend on vast networks of third-party technology providers, payment processors, cloud platforms and software suppliers. These interconnected supply chains increasingly represent an attractive target for attackers seeking systemic impact.
Compromising a single vendor or development pipeline can provide access to multiple financial institutions simultaneously. This dynamic helps explain why attackers increasingly focus on service providers and software environments that sit upstream of critical financial infrastructure. As digital ecosystems continue to expand, defending the organisation’s internal perimeter alone is no longer sufficient.
Three priorities for cyber resilience in finance
Against this backdrop, financial institutions must shift their approach to cybersecurity – from reactive defence to structural resilience. Three priorities stand out:
- Harden identity security – Identity is one of the primary entry points for attackers. Financial institutions must centralise governance of both human and machine identities, enforce strong authentication and implement strict least-privilege access policies. Monitoring abnormal credential use and rapidly revoking compromised accounts are essential to limiting attacker movement within networks.
- Improve supply chain visibility – Financial firms need deeper visibility across their software and vendor ecosystems. This includes validating third-party components and establishing stricter governance around partner access to internal systems.
- Hunt for vulnerabilities: As attackers increasingly target public‑facing systems, organizations need automated, continuous vulnerability management to identify, prioritize, and remediate risk before exploitation.
Cyber resilience as financial stability
With Europe accounting for nearly a quarter of global incidents and financial institutions consistently among the most targeted organisations, the sector sits at the centre of the modern cyber risk landscape.
AI is also accelerating both sides of the cybersecurity equation – enabling organisations to automate defence while also giving attackers new tools to scale and speed their operations. The institutions that succeed in this environment will be those that recognise a fundamental shift: cybersecurity is no longer just a defensive capability. It is how trust is established and sustained in digital finance.
Investing in stronger identity security, resilient supply chains, and protecting exposed applications will determine not only which institutions avoid operational disruption, but also which preserve trust in an increasingly contested digital economy.
About the Author
Jake Paulson is a cybersecurity leader at IBM, serving as Deputy Head of X-Force and Head of Delivery and Strategy. With over 20 years of experience across corporate and military environments, he specialises in cyber resilience, incident response, and strategic security operations, helping organisations strengthen defenses and respond effectively to evolving threats.
