The shift from prevention thinking to resilience thinking is the most important strategic change a financial services board can make. It changes what you invest in, what you measure, and how you respond when the inevitable happens.
This article draws on the Oxford Cyber Security Executive Briefing completed in mid-2024, incorporating Professor Sadie Creese's framework on assets at risk and the IRA Financial Trust case study.
On 8 February 2022, someone placed a 9-1-1 call to the Sioux Falls police department in South Dakota, reporting a kidnapping at IRA Financial Trust. Police responded. There was no kidnapping. The call was a diversionary tactic, timed to coincide with a cyber attack that stole $36 million in cryptocurrency from the firm's customers: $21 million in Bitcoin, $15 million in Ethereum. While staff dealt with police, hackers moved assets. The attack crossed from the digital world into the physical world in a way that most financial services firms have not planned for.
Professor Sadie Creese, Director of the Oxford Global Cyber Security Capacity Centre, opens her executive briefing with a statement that most boards find uncomfortable: 100% security is impossible. In the current digital climate, companies should anticipate experiencing an attack. The question is not whether it will happen, but how prepared the organisation is to limit the damage when it does.
Most financial services boards still operate on a prevention model. The implicit assumption is that with enough investment in firewalls, monitoring, and compliance, attacks can be stopped before they succeed. That assumption is wrong, and the gap between the assumption and reality is where the damage occurs.
Resilience thinking starts from a different premise. It accepts that some attacks will succeed and organises the business to minimise impact when they do. That means identifying which assets are genuinely critical to the firm's mission and concentrating protection there, rather than spreading security investment evenly across everything. It means building the ability to detect breaches quickly, because the time between penetration and detection is often where the real damage accumulates. And it means having a response plan that has been tested under pressure, not a document that sits in a folder until someone needs it.
The distinction is not academic. A board operating on a prevention model measures success by the absence of incidents. A board operating on a resilience model measures success by the speed of detection, the containment of impact, and the quality of the recovery. One model creates a false sense of security. The other creates genuine preparedness.
Each stage of a cyber attack represents a detection opportunity. Resilience thinking invests across the full chain, not just at the perimeter.
The anatomy of a cyber attack follows a pattern that boards should understand, because the pattern reveals where interventions are most effective. An attacker begins with reconnaissance: researching the target, identifying vulnerable access points, mapping the network from the outside. Then penetration: exploiting a vulnerability to gain initial access. Then persistence: establishing a foothold, installing tools, moving laterally through the network while avoiding detection. Only then does the intended harm begin, whether that is ransomware, data theft, or the kind of coordinated physical-digital attack that hit IRA Financial Trust.
Each stage represents an opportunity to detect and contain. The firms that invest in early-stage detection, catching the reconnaissance and lateral movement before the attacker reaches the intended target, will limit damage far more effectively than those that invest only in perimeter defences. Reported ransomware attacks increased by 62% in 2019 alone. The attacks themselves have evolved from simple file encryption to double extortion, where attackers both encrypt data and threaten to release it publicly. Perimeter defences alone do not address this. Detection, containment, and response capability do.
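To make the "each stage is a detection opportunity" point concrete, here is an added example that is not part of the briefing or of this article. It runs two simple rules over a constructed event stream: one that fires on reconnaissance (a single source probing many ports on one host within a few minutes) and one that fires on lateral movement (a single account authenticating successfully to several internal hosts within a short window), and then reports the time from the first hostile event to the first alert, which is the detection gap the paragraphs above describe. The event format, the thresholds, the windows and every address, user name and timestamp are assumptions constructed for illustration.

```python
"""Stage-aware detection over a constructed event stream (added example).

Two independent rules, each tied to one stage of the attack chain, run over
the same timeline. Thresholds and windows are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def conn(ts, src, dst, port):
    """Constructed network-connection event."""
    return {"ts": ts, "kind": "conn", "src": src, "dst": dst, "port": port}


def auth(ts, user, dst, result):
    """Constructed authentication event."""
    return {"ts": ts, "kind": "auth", "user": user, "dst": dst, "result": result}


# Constructed sample events (not real logs). A scanner touches six ports on
# one host, normal traffic hits one port, a service account then logs on to
# three hosts in nine minutes, and a user logs on to one host.
EVENTS = [
    conn("2022-02-08T09:00:01", "198.51.100.7", "10.0.0.5", 22),
    conn("2022-02-08T09:00:10", "198.51.100.7", "10.0.0.5", 80),
    conn("2022-02-08T09:00:20", "198.51.100.7", "10.0.0.5", 443),
    conn("2022-02-08T09:00:30", "198.51.100.7", "10.0.0.5", 3389),
    conn("2022-02-08T09:00:40", "198.51.100.7", "10.0.0.5", 445),
    conn("2022-02-08T09:00:50", "198.51.100.7", "10.0.0.5", 8080),
    conn("2022-02-08T09:02:00", "203.0.113.9", "10.0.0.5", 443),
    conn("2022-02-08T09:03:00", "203.0.113.9", "10.0.0.5", 443),
    auth("2022-02-08T09:05:00", "alice", "10.0.0.5", "success"),
    auth("2022-02-08T09:06:00", "alice", "10.0.0.6", "failure"),
    auth("2022-02-08T09:10:00", "svc-backup", "10.0.0.5", "success"),
    auth("2022-02-08T09:14:00", "svc-backup", "10.0.0.6", "success"),
    auth("2022-02-08T09:19:00", "svc-backup", "10.0.0.7", "success"),
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def _first_window_breach(hits, window, threshold):
    """Slide a time window over sorted (ts, value) pairs; return (ts, distinct
    values) at the first moment the distinct-value count reaches threshold."""
    hits.sort()
    start = 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:
            start += 1
        distinct = {v for _, v in hits[start:end + 1]}
        if len(distinct) >= threshold:
            return hits[end][0], distinct
    return None


def detect_recon(events, min_ports=5, window=timedelta(minutes=5)):
    """Reconnaissance stage: one source touching many ports on one host."""
    per_pair = defaultdict(list)  # (src, dst) -> [(ts, port)]
    for e in events:
        if e["kind"] == "conn":
            per_pair[(e["src"], e["dst"])].append((parse_ts(e["ts"]), e["port"]))
    findings = []
    for (src, dst), hits in per_pair.items():
        breach = _first_window_breach(hits, window, min_ports)
        if breach:
            at, ports = breach
            findings.append({"stage": "reconnaissance", "src": src,
                             "dst": dst, "ports": len(ports), "at": at})
    return findings


def detect_lateral(events, min_hosts=3, window=timedelta(minutes=10)):
    """Persistence/lateral-movement stage: one account logging on to many hosts."""
    per_user = defaultdict(list)  # user -> [(ts, host)]
    for e in events:
        if e["kind"] == "auth" and e["result"] == "success":
            per_user[e["user"]].append((parse_ts(e["ts"]), e["dst"]))
    findings = []
    for user, hits in per_user.items():
        breach = _first_window_breach(hits, window, min_hosts)
        if breach:
            at, hosts = breach
            findings.append({"stage": "lateral_movement", "user": user,
                             "hosts": sorted(hosts), "at": at})
    return findings


def run_detections(events):
    """Run every stage rule over the same timeline."""
    return detect_recon(events) + detect_lateral(events)


def detection_latency(events, findings):
    """Seconds from the earliest event in the stream to the earliest alert."""
    if not findings:
        return None
    first_event = min(parse_ts(e["ts"]) for e in events)
    first_alert = min(f["at"] for f in findings)
    return (first_alert - first_event).total_seconds()


if __name__ == "__main__":
    found = run_detections(EVENTS)
    for f in found:
        print(f)
    print("seconds to first alert:", detection_latency(EVENTS, found))
```

The two rules are deliberately independent: if the reconnaissance rule is missing, the lateral-movement rule still fires later in the chain, which is the whole argument for investing across stages rather than only at the perimeter. The latency figure is the quantity a resilience-minded board would track over time, and it only exists if at least one stage rule fires.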
Both digital and physical assets are at risk. Technology, data, software systems, and digital infrastructure are the obvious targets. But cyber attacks also affect business processes, physical systems, buildings, corporate reputation, and stock value. The Colonial Pipeline ransomware attack in 2021 demonstrated that a cyber attack on IT systems can shut down physical infrastructure serving millions of people.
In financial services, the most critical asset is trust. Every other asset (the data, the infrastructure, the products) depends on the client's belief that the firm can protect their interests. A firm that loses $36 million of customer cryptocurrency and then cannot clearly explain what happened, who is responsible, or how customers will be made whole has not just lost money. It has lost the asset on which its entire business model depends. The CIA Triad (confidentiality, integrity, and availability) provides the technical framework for measuring cyber impact. But the commercial framework is simpler: did the attack damage the trust that makes the business viable?
The firms that will navigate this landscape successfully are the ones whose boards have accepted the uncomfortable starting point. Perfect security does not exist. What exists is the choice between a firm that has planned for the inevitable and one that has not. Everything that follows (the investment priorities, the organisational culture, the speed and quality of the response) flows from which of those two positions the board has chosen.
Written following the Oxford Cyber Security Executive Briefing, 2024.
References: Creese, S., Oxford Global Cyber Security Capacity Centre. Adejumo (2022), IRA Financial Trust breach reporting. Threat Hunter Team (2020), Ransomware trends. Alberts, C. and Dorofee, A. (2002), Managing Information Security Risks: The OCTAVE Approach. Pijpers and Arnold (2020), CIA Triad framework.