
By Ralfi Vaso
Cyber risk is becoming faster, more deceptive and more personal. AI is sharpening phishing, deepfakes and identity fraud, while third-party concentration keeps systemic risk high. The next phase of resilience for Europe’s financial institutions will depend on layered controls, verification and closer collaboration between insurers, banks and technology partners.
For years, cyber risk in financial institutions was framed around a familiar set of concerns: ransomware, business interruption, data theft and the ever-present question of who might be next. Those concerns have not gone away. But in 2026, the character of the threat is changing.
It is becoming faster, more convincing and more difficult to spot early.
Artificial intelligence is a big reason why. What was once a numbers game built around mass phishing emails and blunt social engineering has become far more personalised. Fraudsters can now mimic tone of voice, generate convincing identity documents, build believable fake investment content and automate attacks across multiple languages at scale. European regulators are already warning that AI is being used to power online financial fraud and scams, while industry data points to a sharp rise in deepfake-led fraud attempts across the financial sector.
That matters enormously for banks, lenders, asset managers and other financial institutions because trust is the product as much as the balance sheet is. A successful cyber event does not need to take core systems offline to cause real damage. In many cases, the greater harm comes from manipulated payments, compromised onboarding, impersonated executives, poisoned communications and shaken customer confidence.
The challenge now is that AI is not replacing traditional attack methods. It is sharpening them. Phishing becomes more believable. Fraud becomes more targeted. Identity abuse becomes easier to industrialise. Criminals do not need perfect deepfakes to succeed. They only need something plausible enough to get past an overworked employee, a rushed customer or a weak verification process.
That is why the risk horizon for European financial institutions now feels broader than a pure cyber conversation. It sits at the intersection of cyber security, fraud prevention, operational resilience and reputational risk. Payment controls, identity assurance, customer communication, third-party governance and crisis response are all part of the same story now.
There is another uncomfortable truth here. Many of the sector’s most serious vulnerabilities are not always sitting inside the institution itself. They sit in the surrounding ecosystem. The ECB has repeatedly highlighted the concentration risk created by reliance on a limited number of external technology and cloud providers, and that concern is not theoretical. Recent years have already shown how third-party exposure can quickly become a frontline issue for major financial brands.
That is one reason DORA matters. Since it began to apply in January 2025, it has raised the floor for digital operational resilience across the EU financial sector. It pushes firms to think beyond prevention and toward recovery, dependency mapping, testing and governance. That is the right direction. The ECB’s cyber resilience work has also reinforced an important point: institutions may have frameworks in place, but the real test is whether they can recover quickly and coherently when preventive controls fail.
So what does a sensible response look like? First, firms need to treat identity as a live battleground. Strong customer authentication remains effective, according to the EBA and ECB, but fraudsters are adapting. That means institutions should be stress-testing onboarding journeys, callback procedures, privileged-access controls and payment approval workflows against AI-assisted impersonation, not just against yesterday’s phishing playbook.
Second, they need sharper human verification disciplines. In an AI-shaped threat environment, old-fashioned friction can be valuable. Secondary approvals, out-of-band verification, known-contact callbacks and tighter escalation rules may feel cumbersome, but they are often what stops a sophisticated deception from becoming a major loss.
Third, resilience planning has to extend beyond the perimeter. The question is no longer simply whether a firm has robust internal controls. It is whether it understands the resilience of the vendors, platforms and service dependencies that support critical operations, and whether it can continue functioning if one of those dependencies fails or is compromised.
Finally, firms need to accept that cyber preparedness is now a market-wide issue. The most effective response will come from collaboration, not silos. Banks, insurers, brokers, technology providers and regulators are all looking at the same threat actors from different angles. That collective view matters. It improves intelligence, sharpens underwriting, strengthens controls and helps institutions build practical response plans before the event, not after it.
The risk outlook is serious, but it is not hopeless. European financial institutions are not standing still, and neither is the insurance market. Insurers are working closely with the market to keep pace with a changing threat environment, helping clients think harder about controls, dependencies, incident response and recovery. At its best, insurance supports resilience strategies that are realistic, tested and commercially useful when it matters most. While AI is sharpening the tools of the attacker, it is also the engine behind modern defence; we are witnessing a high-stakes arms race where AI-backed infrastructure and real-time detection are currently keeping the edge over automated threats.
That is where the conversation should be now. Not whether AI-driven cyber crime is coming for financial institutions. It already is. The real question is which firms are adapting quickly enough to stay credible, resilient and trusted when the next incident lands.
About the Author
Ralfi Vaso is an Underwriter at Alta Signa, focused on complex financial institutions risk across Europe. He works closely with brokers and clients on evolving cyber and professional indemnity exposures, with particular interest in operational resilience, technology dependency and how insurance can support stronger preparedness, response, recovery and contingency planning.

