AI enabling threat actors to evolve
Whilst AI can play a critical role in enhancing cybersecurity and organisational efficiency, the caveat is that threat actors have also been able to use AI to make their phishing campaigns more sophisticated and to build more harmful malware.
According to an article published by SecurityBrief, 2024 saw a number of phishing attacks involving the impersonation of financial institution representatives.
However, correctly leveraging AI-driven tools within security teams will be crucial in establishing cyber resilience for organisations.
Those organisations that effectively integrate AI into their cybersecurity strategies will be better placed to protect their IP, data and systems from the rapid proliferation of threats.
Following the Cybersecurity Act and Privacy Act Reforms from the end of 2024, we anticipate that data exposure will continue to be a focus for 2025 with regulatory updates expected later this year.
Safeguarding personal information will need to be a top priority for organisations, especially those holding large volumes of data, and this pressure is likely to intensify as threat actors mature.
We anticipate that threat actors will have a focus on extortion tactics and resource exploitation, such as crypto mining and targeting sensitive data. This marks a shift towards more complex and resource-intensive cyberattacks.
C-Suite Executives need to be mindful that threat actors are resorting to disinformation and deepfakes to influence outcomes. Taking strict measures and implementing policies to ensure executives are protected at an individual as well as an organisational level will help safeguard them from this type of exploitation.
Reliance on third party vendors and exposure to PI
With the growing interconnectivity of systems, FinTechs have a greater reliance on third and even fourth party vendors.
It’s crucial that FinTech organisations undertake thorough due diligence of external parties such as vendors and suppliers, as well as those parties’ own third and fourth parties.
Unlike the services rendered, the risk and liability cannot be outsourced. If a third party fails to deliver or suffers a breach, the client-facing organisation will face the consequences. The impact can be fiscal, operational, reputational, regulatory and, in most cases, contractual, and it can extend beyond the data that was shared and ultimately lost. This is especially the case in financial ecosystems, where there is an expectation of resilience and security.
CPS 230 is another example of ongoing action from Australian regulators to expand the scope of privacy and cybersecurity obligations and specifically address third-party provider risk management. APRA is focusing on regulated entities that are placing increased reliance on third parties to undertake critical operations on their behalf.
Amongst other obligations, CPS 230 looks to enforce ongoing monitoring, testing and assurance of the risk management controls implemented by third-party service providers utilised by regulated entities.
Operational risks such as human error or systems issues can allow threat actors to use the situation to their advantage and create adverse events such as large outages or shutdowns, and leaked data.
Last year, we witnessed the disastrous effect such shutdowns and operational inefficiencies can have, not only on the organisation itself, but for all the businesses that rely upon its services or product.
These types of scenarios are a great reminder for any organisation, but especially FinTechs given the nature of their business and the digital aspect of their product, to have in place effective risk management and operational resilience strategies.
Fraud, financial crime and data leaks pose significant threats to FinTechs. According to FinTech Magazine, investment bank JPMorgan revealed it faces up to 45 billion hacking attempts daily. One of the more common types of phishing attempts in recent times is distributed denial-of-service (DDoS) attacks, which disrupt web traffic and can block consumer access to financial services.
Another fallout from threat actors targeting the FinTech space is reputational harm, which can have a detrimental impact on a FinTech’s customer and client base.
Penalties for FinTechs often attract significant interest from the media and these types of high-profile fines are among the most common downfalls for FinTechs.
Given that most FinTech organisations operate on tight financial margins, substantial penalty payments can have a significantly larger impact on them than on other, larger entities.
Insurance considerations for 2025 and onwards
With their reliance on third-party technology systems, organisations in the sector need to focus on their risk transfer solutions.
Additionally, as regulators hold organisations accountable and liable, organisations should ensure their policies provide affirmative cover for third-party exposures, with sufficient limits.
Directors and Officers should also ensure their coverage is expansive and responsive to both third-party failures and general cyber exposures, as they are liable for the decisions of the firm under Directors’ duties and obligations.
The contents of this publication are provided for general information only. Lockton arranges the insurance and is not the insurer. While the content contributors have taken reasonable care in compiling the information presented, we do not warrant that the information is correct. The contents of this publication are not intended as a legal commentary or advice and should not be relied on in that way. It is not intended to be interpreted as advice on which you should rely and may not necessarily be suitable for you. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content in this publication.
© 2025 Lockton Companies Australia Pty Ltd.