Cybersecurity for Financial Services

The financial sector operates under the most demanding cybersecurity regulatory framework in Europe. DORA, BAIT, VAIT, and MaRisk set extensive obligations. We know the requirements.

Why the Financial Sector Is Particularly Challenging

Financial institutions are challenging clients for two reasons: they are, first, highly attractive attack targets — direct financial gain, highly sensitive customer data, systemic economic importance — and second, they operate under the most demanding regulatory cybersecurity framework. Those working in financial services have no choice between compliance and security: both are legally mandated.

The threat actor landscape is correspondingly professional. Organised cybercrime, state-sponsored actors, and insider threats are all disproportionately active in the financial sector. Business Email Compromise (BEC), SWIFT attacks, ransomware against administrative systems, and targeted espionage against trading infrastructure are not theoretical scenarios but documented attack patterns, with losses running into the billions.

Add to this the complexity of modern financial architectures: legacy core banking systems, modern microservice architectures, external cloud services, and a dense network of ICT third-party providers, from data centres and payment processors to data providers and analytics platforms. Each of these providers is a potential attack path. It is no coincidence that ICT third-party risk management is a central pillar of DORA.

DORA: What Financial Entities Must Do Now

DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) has been fully applicable since 17 January 2025 and covers banks, insurers, investment firms, payment service providers, and fund managers in the EU, as well as their critical ICT third-party providers. The regulation defines five requirement areas: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing.

The ICT risk management framework under DORA goes beyond what BAIT and MaRisk previously required. It demands a complete inventory of all ICT assets with a criticality classification, documented protective measures for each asset class, detection mechanisms for anomalies and attacks, and tested response and recovery plans. The management body must demonstrably understand and oversee ICT risk, including through regular training.

Particular attention is required for resilience testing: DORA distinguishes between regular testing (vulnerability assessments, penetration tests) and the more demanding Threat-Led Penetration Testing (TLPT), which the competent authority requires of selected financial entities at least every three years. The DORA TLPT regime is aligned with the TIBER-EU framework: it requires threat intelligence about the concrete threat actors likely to target the institution, is scoped to critical or important functions, and is carried out against live production systems. This is not a standard penetration test.

BaFin Requirements: BAIT, VAIT, and MaRisk

Alongside DORA, the German BaFin circulars BAIT (banks), VAIT (insurers), and ZAIT (payment service providers) define minimum technical and organisational requirements for the IT of financial institutions. DORA does not render these national requirements irrelevant: the IT governance of German institutions was built on them and supervisory expectations still reflect them. A complete compliance programme must address both levels.

MaRisk (Minimum Requirements for Risk Management) addresses risk management comprehensively and contains specific IT-related requirements, in particular in AT 7.2 (technical and organisational equipment), AT 7.3 (business continuity management), and AT 9 (outsourcing). BaFin supervisory reviews explicitly test compliance with these provisions. Deficiencies in IT security organisation, testing practices, or third-party management result in findings and can trigger supervisory action.

We support financial institutions across the complete regulatory landscape: DORA gap analysis, BAIT/VAIT review, integration of both frameworks into a consolidated compliance programme, and preparation for supervisory discussions and external audits. With our background in the insurance sector (Christian Gebhardt served as Deputy CISO of Gothaer Versicherung), we bring practical experience from inside these programmes.

Our Services

  • DORA gap analysis, roadmap, and implementation support
  • ICT risk management framework per DORA Art. 6
  • TLPT preparation and coordination (TIBER-EU)
  • ICT third-party register and contract review
  • BAIT/VAIT compliance and BaFin preparation
  • Incident management and reporting per DORA

Applicable Regulations

  • DORA
  • BAIT / VAIT / ZAIT
  • MaRisk
  • PSD2 / PSD3
  • ISO/IEC 27001

Industry-Specific Consulting

Talk to our experts about your specific requirements and regulatory obligations.

Ready to address your industry-specific security requirements?

Talk to us about your security requirements: concretely, without obligation, and as equals.