2025 Threat Report: Why CFOs Must Lead On Cyber Defence

Shir Atzil, Cyber Intelligence Analyst, Cyberint, a Check Point Company
Check Point’s 2025 report reveals a 105% surge in cyber attacks, urging CFOs to prioritise AI-driven defence to protect capital and reputation

The financial sector operates with global reach and has limited tolerance for downtime.

This dependence on interconnected systems, combined with the potential for financial gain, makes the industry a constant target for cybercrime.

In the 2025 Finance Sector Landscape Report by Check Point Software, exposure management researchers Shir Atzil, Mariana Raiser and Ruty Davidson explore three disruptive cyber trends impacting finance leaders and the financial sector at large: DDoS attacks, data breaches and ransomware.

Ruty (Alperson) Davidson

Discussing the research on LinkedIn, Ruty wrote: “One key insight I gained from contributing to this report was the sharp rise in hacktivist activity, reflected in the high volume of DDoS and defacement attacks targeting financial institutions globally.

“Campaigns enabled by advances in AI and deepfake technologies have introduced new and material risks for financial institutions.”

The financial sector faced 1,858 attacks in 2025, compared to 864 in 2024. This increase suggests that enterprise security for financial institutions remains highly relevant.

Check Point's 2025 Finance Sector Landscape Report highlights that attacks against the financial sector doubled in 2025 compared to the previous year | Credit: Check Point Software

DDoS attacks increase globally

DDoS attacks increased by 105% in 2025 and remained the “most dominant and destructive” form of attack, Check Point notes.

While some attacks were financially motivated, others had geopolitical connections.

Top 10 threat actors in DDoS attacks | Credit: Check Point

Coordinated hacktivist campaigns targeted financial platforms in areas of geopolitical tension. Most attacks were launched against Israel (16.6%), the US (5.9%) and the UAE (5.6%), followed by Ukraine (5.2%) and Germany (5%).

The North African hacktivist group Keymous+ was responsible for 121 attacks, while the pro-Russian hacktivist group NoName057 executed 98 operations.

The report says relying on botnets and shared infrastructure allowed even “moderately skilled actors to scale their impact”. 

The evolution of DDoS attacks from one-time disruptions to short-burst attacks, with dozens of operations launched in a single day, has proved capable of overwhelming the mitigation capabilities of institutions.

This development could show that the cyber threat surface has evolved. It suggests a potential need to move past traditional, on-demand scrubbing to always-on detection, multi-CDN routing and layered defence.

Data breaches become stealthier

The report finds a 73% rise in attacks aimed at causing data breaches. These operations often involve long-term access, silent data exfiltration and later disclosure.

Actors commonly exploit persistent threats and weaknesses in cloud security, identity governance and third-party ecosystems.

The US accounted for 40% of all global incidents, with India and Indonesia following as emerging hotspots. While organised groups operate in this space, 33% of attacks were caused by individuals or groups with unknown identities.

The Check Point report describes this as a “notable evolution” that reflected “increased operational security, short lived infrastructure and a shift toward decentralised identities and burner accounts”.

Top 10 threat actors in data breaches and data leaking | Credit: Check Point

Organised groups such as Breach Laboratory accounted for 43 incidents in 2025. The report shows that these groups exploit misconfigurations, purchase initial access credentials and leverage leak sites for information to run extortion campaigns.

Misconfigurations such as open storage buckets, permissive access controls and unmonitored API endpoints act as entry points for these actors.

Weak points persist within modern cyber infrastructure, which could indicate a requirement for identity-centric security models, automated cloud scanning and strict access governance.

Ransomware ecosystem continues maturing

The financial sector saw 451 cases of ransomware in 2025, reflecting the continued evolution of the ransomware-as-a-service (RaaS) ecosystem. Ransomware presents threats including data encryption, exfiltration, public shaming and pressure on executives and customers.

It targets data for payment and has the ability to impact public trust in organisations.

The US was the primary target, accounting for 196 attacks or 43.5% of total ransomware incidents. South Korea, the UK and Canada followed, marking a concentration of attacks in areas with digital banking infrastructure.

Top 10 ransomware threat actors | Credit: Check Point

Qilin was responsible for 83 incidents, while Akira and Clop were responsible for 37 and 19 attacks respectively. These groups are known to exploit VPN vulnerabilities, abuse stolen credentials and target third-party service providers (TPSPs).

The report states: “These groups rely on shared tooling, highly-modular malware and well-organised affiliate networks that scale operations quickly and efficiently.”

With the rise of AI and sophisticated attacks, enterprise security in the financial sector may need to reform to guard against these threats.

This could involve automated, AI-powered solutions that integrate identity security, visibility and governance across the ecosystem.
