One in Five Cyberattacks Targets Financial Services: What This Means for Fund Boards


It is no secret that financial firms are among the top targets for cybercriminals — and for good reason. They sit at the intersection of money and sensitive data, two of the most valuable assets an attacker can pursue.


A 2024 study by the IMF found that nearly one fifth of all cyberattacks globally target financial firms, a figure that demonstrates just how exposed the sector is relative to others.


This exposure demands a response that goes beyond technology. It is not enough to invest in security software or hire IT talent; the effort must extend to the board level.


Fund boards and the boards of other financial firms need to engage with cybersecurity as seriously as they do with other business-critical functions such as sales, marketing, or legal. 


The case for doing so is straightforward: according to IBM, financial services firms spend an average of $6.08 million per breach, covering regulatory penalties, customer litigation, and fraud mitigation. 


Investing in prevention is, by any measure, far less costly than managing the aftermath of an attack. So what should fund boards be doing to ensure their firm is not the next victim? That’s what we will discuss in this article.


Cybersecurity Is Now a Board Governance Issue

If you still think cybersecurity is only an IT issue, that mindset puts your firm at risk. Fighting cyberattacks should be an organization-wide endeavor — one that involves every part of the business, including the board. 


Treating cybersecurity as an operational matter delegated to management or an external IT provider is no longer tenable in 2026.


Regulators have also made their expectations explicit. For example, the SEC's 2026 examination priorities identify cybersecurity governance as a central focus, directing examiners to review governance practices, data loss prevention, access controls, and incident response programs.


In the Cayman Islands, CIMA's Rule on Cybersecurity for Regulated Entities places ultimate responsibility for cybersecurity governance with the governing body of each regulated entity, requiring board-approved cybersecurity risk management strategies and mandatory reporting to CIMA within 72 hours of a material incident. 


CIMA's November 2025 enforcement findings went further, identifying deficiencies in cybersecurity governance, inadequate risk management frameworks, and insufficient oversight of outsourced arrangements as recurring issues across regulated entities, which confirms that supervisory scrutiny is already active. 


The direction of travel is consistent: regulators expect boards to own cyber risk, not merely receive reports on it.


Make cybersecurity a standing board agenda item

The most basic and frequently overlooked step is ensuring that cybersecurity appears on the board agenda as a regular, structured discussion—not only when an incident occurs.


This means requesting regular briefings that cover the current threat landscape, any incidents in the past quarter (including near-misses), and the top vulnerabilities requiring attention. 


These issues belong in the boardroom and deserve high priority, because the impact of failing to address them effectively would be severe.


Define and own the firm's cyber risk appetite

Boards are responsible for setting risk appetite across all material areas of a firm's operations.


In practice, this means establishing clear parameters around what data is most sensitive, what systems are mission-critical, what constitutes a material incident, and at what threshold board notification is required rather than management escalation alone. 


The firm's cyber risk appetite should also inform how new technologies such as AI and cloud computing are adopted — given that each introduces its own risk profile that the board needs to understand and sanction before deployment.


Assess cybersecurity expertise at board level

The NACD's 2025 Board Practices Survey found that 45% of private company directors consider improving their cybersecurity expertise a very important priority. 


This does not mean board members need to be cybersecurity experts, but they should have sufficient baseline knowledge to engage meaningfully with security reports, incident briefings, and emerging regulatory developments.


Boards should map existing director knowledge against key areas — cloud security, incident response, third-party risk, and regulatory requirements — and address any gaps through director education, specialist recruitment, or a formal relationship with an independent cybersecurity adviser reporting directly to the board.


Oversee third-party and vendor risk rigorously

IBM's 2025 Cost of a Data Breach Report found that third-party involvement in breaches doubled year-on-year, accounting for 30% of all incidents. 


The Marquis Software breach — affecting up to 1.35 million individuals across at least 74 banks and credit unions — illustrates exactly how a vulnerability at a single shared service provider can cascade across an entire client base.


Boards should require management to maintain a formal vendor inventory and confirm that contracts include the data security and breach notification obligations now required under Regulation S-P. Security oversight cannot stop at the firm's own walls. 


As third-party relationships continue to grow in number and complexity, outsourced arrangements represent an increasingly significant entry point for attackers and deserve the same attention applied to internal controls.


Ensure an incident response plan exists and has been tested

A written incident response plan is a regulatory requirement and a basic standard of operational preparedness. But a plan that has never been tested offers limited protection. 


Response plans must be rehearsed through tabletop exercises in which key personnel walk through a simulated attack to identify gaps in communication, escalation, and decision-making under pressure. 


Boards should also request evidence that this testing has occurred and that the findings have been addressed. 


Critically, testing should not be a one-time exercise. As the threat landscape evolves and new attack methods emerge, the plan itself must be updated accordingly — making periodic simulation and review an ongoing governance responsibility, not a box to be ticked once and forgotten.


Treat investor data as a fiduciary responsibility

Investor data, which typically includes identification information, tax details, bank account numbers, and wire instructions, is among the most sensitive information a fund holds. Most regulators require funds to notify affected investors within 30 days of a confirmed breach.


Under CIMA's governance framework for Cayman-regulated funds, board oversight of operational risk is part of the minimum expectations for sound and prudent governance.


Boards should treat the protection of investor data not merely as a compliance obligation but as a direct expression of their fiduciary duty.


Start Taking Action

Even before reading this article, you were likely already aware of how significant a threat cybersecurity poses to financial firms. 


But in 2026, attackers are becoming increasingly sophisticated, leveraging technologies such as AI to make their attacks even more complex and harder to defend against.


There has also been substantial and growing investment in cybercrime, particularly in attacks targeting sensitive sectors such as healthcare and financial services.


Countering these efforts requires the entire organization to be engaged — not just the IT function. The board sits at the top of the governance structure, and its genuine commitment to cybersecurity will naturally set the tone for the rest of the firm. 


That influence is one of the most powerful tools available. So start taking action today: treat cybersecurity as a board-level priority, give it the same attention as other critical areas of the firm's operations, and build a culture where security is everyone's responsibility — starting from the top.


At Daymer, we work with fund boards and independent directors to strengthen governance frameworks across all material risk areas, including cybersecurity. If you would like to discuss how your board can better oversee cyber risk, get in touch with us today.


