9 hours ago
5
It is every bank boss’s worst nightmare: a panicked phone call informs them a cyber-attack has crippled the IT system, rapidly unleashing chaos across the entire UK financial industry.
As household names in other industries, including Marks & Spencer, grapple with the fallout from such hacks, banking executives will be acutely aware that, for them, the stakes are even higher.
Within hours of a successful bank hack, millions of direct debits could fail, leaving rents, mortgages and wages unpaid. Online banking may be blocked, cash machine withdrawals denied, and commuters left in limbo as buses and petrol stations reject payments. News of the attack could spark panic, leading to a run on rival lenders, as customers pull money from their accounts amid fear the disruption could spread.
This situation may seem far-fetched but it is not a long way off from the government’s “reasonable worst-case scenario” if a sophisticated cyber-attack hit a big UK bank. With the financial industry among 14 sectors categorised as “critical national infrastructure”, it is no surprise that a hack is listed on the national risk register, which models some of the biggest threats facing the UK.
Billions of pounds are being spent preventing the kind of devastating attacks that shut down systems at three retailers, Harrods, the Co-op and M&S, this spring.
“The amount of money [that] banks, all of us, will be spending on our systems is enormous today. And it has to be,” the UK chief executive of HSBC, Ian Stuart, told MPs last month. “We are being attacked all the time.”
HSBC alone is having to invest hundreds of millions of pounds to protect itself, Stuart said. “This is our biggest expense.”
Globally, banks are expected to allocate 11% of their IT budgets to cybersecurity in 2025, according to an EY study. With those IT budgets forecast to hit $290bn (£214bn) this year, according to the research body Celent, banks could end up shelling out $32bn on cybersecurity by December.
It is a new era for high street banks, as attempted heists evolve from criminals in balaclavas hitting physical branches and vaults to state-sponsored hackers and independent cybergroups looking for ransom payments or merely to cause mass disruption.
“Banks have understood the risk far better than probably a lot of other industries. They’ve invested far more in security,” said Stuart McKenzie, a managing director for Mandiant Consulting, a Google-owned cybersecurity company that works closely with a number of lenders in the UK.
Last month the governor of the Bank of England told the BBC that cybersecurity was a risk that was never going away because it continually evolved. “We’re dealing with bad actors who will continually refine the lines of attack. And I always have to say to institutions: ‘You’ve got to continue to work at this,’” Andrew Bailey said.
However, protecting systems is a complex task. Most high street banks operate on an onion-like IT system, with layers upon layers of updates, patches and add-ons. Throw third-party software and cloud providers into the mix, and banks are left playing whack-a-mole.
“We call it the attack surface,” Alan Woodward, a professor and cybersecurity expert at the University of Surrey, said. “The attack surface has actually increased, so the opportunities for attackers to try to look for ways in have also increased.”
No bank hacks to date have been disruptive enough to bring a country to an economic standstill – although April’s power blackout across the Iberian peninsula exposed how reliant modern societies are on digital payments. Where hackers have been successful, they have more often than not targeted banks’ customer data and accounts.
In 2021, attackers on the US bank Morgan Stanley stole personal information belonging to its corporate clients by hacking into a server used by a third-party consulting company.
A year earlier, at the start of the Covid pandemic, attackers got hold of staff mailboxes at the Italian state-owned bank Monte dei Paschi, and sent emails to clients with voicemail attachments.
Meanwhile, one of the most devastating hacks on a UK bank came in 2016, when criminals found a way to guess bank card details and steal almost £2.5m from 9,000 accounts at Tesco Bank. Tesco was forced to halt all online and contactless card transactions after struggling to block fake purchases taking place around the world, including Spain and Brazil.
Tesco Bank eventually reimbursed customers in full.
The National Cyber Security Centre says customers who suspect a hack should contact their bank using their official website or social media channels, and avoid using any links or contact details they have been sent. The organisation should be able to confirm if a hack has actually taken place, how they have been affected and what they need to do next.
The Bank of England has tried to stay a step ahead. Policymakers officially recognised cybersecurity as a risk to financial stability in 2013 and started to implement cyber resilience standards for all regulated banks and insurers under its supervision.
after newsletter promotion
That involved the launch of “CBEST”, a world-first scheme in which ethical hackers test a single bank’s potential vulnerabilities with a cutting-edge attack.
“Nothing is 100% secure,” Woodward said, but the UK banking system comes close. “A lot of it has to do with the oversight”, particularly by the central bank. “They gather threats and intelligence from MI5, GCHQ, NCSC, all the usual people, and then they actually try real scenarios out to see how robustly a bank can withstand that,” he said.
The central bank also coordinates multiday cyberwar games as part of its SIMEX – simulation exercise – programme every two years to test City companies’ security.
Authorities are tested, too, and the Bank, the Financial Conduct Authority, the Treasury and the National Cyber Security Centre review their response to a range of devastating scenarios.
Regulators are not just checking banks’ preventive measures. Policymakers assume a cyber-attack will eventually be successful and are therefore pushing banks to prepare their response and recover plans that would avoid long-lasting outages that could bring pockets of the economy to a standstill.
The Cross Market Business Continuity Group, which brings together regulators and members of the bank industry body UK Finance, boasts the ability to summon about 100 companies for emergency group calls in under an hour to discuss a potential attack.
Fending off a hack is seen as vital to protect an industry that ultimately trades on trust: customers expect lenders to keep their information, wages and life savings protected from outside threats.
“If somebody breaks in there and manages to make a fraudulent transaction … you’re not going to trust that bank again with your money, are you?” Woodward said.
Banks have already experienced the backlash that can erupt from mere IT outages, without any malicious actors trying to disrupt the banking system or steal data and cash.
TSB has for years been working to restore its reputation after its IT meltdown in 2018, caused by its botched separation from Lloyds’ internal systems, which left millions of banking customers locked out of their accounts for weeks. The lender was subsequently fined £48m for “widespread and serious” failings.
Outages have continued to plague customers of Britain’s largest banks and building societies, who suffered the equivalent of more than a month of IT failures between January 2023 and February 2025, according to the data gathered by the parliamentary Treasury committee.
“The security of customer money and data is of paramount importance to banks, not just because it’s a requirement under regulation but because it’s the way that banks do business,” Laura Catterick, a director focused on resilience and cybersecurity at UK Finance, said.
“I would say, never rule out a cyber-attack. But I would say, there should be confidence in the amount of cyber defences in place.”
