Every new technology a financial services firm adopts expands its attack surface. AI, blockchain, IoT, and digital currencies all introduce risks for which no established controls, threat models, or regulatory guidance yet exist.
This article draws on the Oxford Cyber Security Executive Briefing completed in mid-2024.
Financial services firms are adopting AI, blockchain, IoT, and exploring central bank digital currencies at a pace that outstrips the security infrastructure around them. The business case for each of these technologies is well documented. What is less well documented is that each one creates a new category of cyber risk that existing controls were not designed to manage. There are no established threat detection models for most emerging technology assets. There is little regulatory guidance covering them. The firms that innovate earliest carry the most risk, and many are carrying it without fully understanding what they have taken on.
AI in banking and financial services is already used for fraud detection, anti-money laundering, algorithmic trading, credit scoring, and regulatory compliance automation. Each of these applications processes sensitive data at scale and produces outputs that influence material decisions. The cyber risk is not limited to someone hacking the model. It includes the model being wrong in ways that nobody can explain.
In 2015, a system called Deep Patient was fed the health records of approximately 700,000 individuals to predict disease. It was remarkably accurate, but the researchers could not determine how it reached its diagnoses. As Professor Sadie Creese of Oxford's Global Cyber Security Capacity Centre has observed, if AI systems find effective solutions through approaches that humans cannot follow, they will also find loopholes, inconsistencies, and exploits. The explainability problem is not just an ethics question. It is a security question. A model whose reasoning cannot be audited is very hard to defend against manipulation, because there is no baseline of expected behaviour against which a poisoned training set or a crafted input can be recognised. And a model trained on biased data can systematically produce discriminatory outcomes that create both regulatory and reputational exposure.
The principle holds across the industry: if you cannot explain how a process works, you cannot secure it. That applies with greater force to AI than to any technology that came before it.
There were over 12.3 billion IoT devices globally in 2021, projected to reach 14.4 billion by the end of 2022. Financial services firms use IoT devices across retail banking, customer authentication, environmental monitoring, and operational infrastructure. Many of these devices were not designed with security or privacy in mind. Their manufacturers prioritised connectivity, cost, and speed to market. The result is a rapidly expanding attack surface that most firms have not mapped, let alone defended.
The risk compounds because IoT devices often operate at the boundary between physical and digital infrastructure. A compromised building access system, a vulnerable smart meter on a trading floor, or an insecure sensor in a data centre is not just a device-level problem. Unless it has been segmented away from the systems that matter, it is a pathway into the network. Security teams trained to defend perimeters and endpoints are not always equipped to inventory and monitor thousands of low-powered, intermittently connected devices that were never designed to accept security patches.
Blockchain technology exposes banks and financial institutions to three categories of risk that are distinct from traditional systems: operational risks in the consensus and validation layer, value transfer risks in the movement of digital assets, and smart contract risks where flawed code executes transactions that cannot be reversed once they are confirmed on-chain. Each category requires its own controls, and those controls are still being developed.
Central bank digital currencies introduce a further dimension. A CBDC security breach does not just affect one institution. It can pose systemic risks to the currency-issuing central bank, the wider economy, and interconnected financial markets. The Bank for International Settlements has outlined the properties and design considerations, but the operational security frameworks for CBDC at scale remain largely theoretical. Firms exploring CBDC participation need to understand that they are building on infrastructure whose security model has not been tested under adversarial conditions at production scale.
Technology adoption outpaces security maturity. The firms that innovate earliest carry the most unmanaged cyber risk.
The common thread across all of these technologies is a gap between the speed of adoption and the maturity of the security controls around them. Firms that choose to be innovators or early adopters of emerging technologies must account for the cyber security risk that accompanies strategic innovation. That means accepting three realities that most boardrooms have not yet internalised: there are no cyber controls in place for many of the technologies they are adopting, there are no threat detection models or solutions for the assets those technologies create, and there is little to no regulatory guidance covering them.
The firms that will navigate this well are the ones that treat cyber security as a design constraint rather than a compliance afterthought. That means involving security teams before a technology is deployed, not after an incident. It means building monitoring capability for new asset types even when no off-the-shelf solution exists. And it means being honest with boards and regulators about the risks being accepted, rather than presenting innovation as a one-sided commercial opportunity.
Written following the Oxford Cyber Security Executive Briefing, 2024.
References:
Federal Financial Institutions Examination Council (2021). Architecture, Infrastructure, and Operations: Evolving Technologies.
Schneier, B. (2021). AI and cyber threats analysis.
Creese, S. Oxford Global Cyber Security Capacity Centre.
Bank for International Settlements (2018). Central bank digital currencies.
Hasan, M. (2022). IoT device projections.