Strengthening Cyber Resilience: A Call to Action for Financial Institutions
As digital connectivity grows, financial institutions must strengthen cyber defenses, particularly against third-party risks. Regulators have begun reporting and updating guidance on this very topic, and recent incidents and outages have highlighted the need to improve risk management strategies.
The Federal Reserve’s July 2025 Cybersecurity and Financial System Resilience Report highlighted increased scrutiny on cybersecurity practices. The report warns of growing threats from nation-state actors, ransomware groups, and AI-enabled attacks. It stresses the risks associated with third-party providers and calls for continuous adaptation of supervisory frameworks to address emerging technology-related threats.
Simultaneously, in its 2025 Annual Regulatory Oversight Report, the Financial Industry Regulatory Authority (FINRA) introduced a new category focused on third-party risk. The report emphasizes that firms must establish comprehensive third-party risk management policies, conduct due diligence on vendors supporting key systems, validate data protection controls in contracts, and maintain inventories of third-party services and infrastructure. It also calls for vendors to be included in incident response testing and for firms to address fourth-party risks—those arising from subcontractors and extended supply chains.
The cyberattack on Jaguar Land Rover (JLR) in September 2025, as detailed in our article “When One Customer Becomes the Risk,” revealed how deeply third-party cyber vulnerabilities can impact entire ecosystems. Suppliers dependent on JLR were forced to halt operations, lay off staff, and in some cases, faced existential threats. This incident highlighted a critical truth: cyber risk is not confined to internal systems—it extends to customers, vendors, and partners.
The October 2025 AWS outage served as another stark reminder of the fragility of cloud-reliant infrastructure. The failure of core AWS services like DynamoDB and EC2 disrupted operations across industries, including major financial institutions such as Lloyds Bank, Halifax, and Barclays. Payment processing, trading platforms, and customer-facing applications were affected, demonstrating how a single point of failure can cascade across the financial sector. Experts estimate the financial impact of the outage reached billions of dollars. This incident reignited concerns about concentration risk and underscored the need for multi-cloud strategies, failover systems, and robust contingency planning.
To address these challenges, financial institutions should consider the following practical measures:
1. Enhance Third-Party Risk Management
- Develop and maintain a comprehensive third-party risk policy governing vendor relationships.
- Conduct initial and ongoing due diligence on vendors.
- Require transparency into vendors’ cybersecurity frameworks (e.g., NIST, ISO 27001).
- Include breach notification and data destruction clauses in contracts.
2. Diversify Cloud Infrastructure
- Avoid single points of failure by diversifying cloud providers.
- Use multi-region failover systems to ensure business continuity.
- Automate infrastructure deployment with infrastructure-as-code tools to further enhance agility and resilience.
3. Strengthen and Evolve Incident Response and Testing Procedures
- Involve vendors in cybersecurity drills and tabletop exercises to ensure coordinated responses to potential threats.
- Maintain updated inventories of third-party services and dependencies for rapid response and recovery.
- Simulate cloud outages and cyberattacks on a regular basis to help identify vulnerabilities and improve preparedness.
4. Deploy Advanced Threat Detection Systems
- Use real-time infrastructure monitoring tools for visibility into suspicious activity.
- Implement anomaly detection to detect and respond to emerging threats.
5. Educate and Empower Staff
- Train employees on cloud security protocols and incident response to ensure that staff are equipped to act swiftly and effectively during a crisis.
- Create cross-functional crisis teams involving IT, compliance, and finance professionals to foster collaboration and comprehensive risk management.
Cyber resilience is no longer optional—it is a regulatory expectation and a business imperative. Financial institutions must proactively strengthen their defenses, not only within their own systems but across their entire digital ecosystem. By adopting robust third-party risk management practices, diversifying cloud infrastructure, and preparing for inevitable disruptions, institutions can safeguard their operations, protect customer trust, and ensure long-term stability in an increasingly volatile cyber landscape.
Baker Newman Noyes’ Information Systems and Risk Assurance and Advisory teams provide a wide range of strategic consulting and auditing services to help financial institutions implement these practical measures. If you have questions or would like to discuss these services, please contact Krystal Martin or your BNN advisor at 800.244.7444.
Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.
