According to research by KnowBe4, 18 percent of all cyberattacks in Europe are aimed at banks and insurers. The total financial damage is enormous: an average data breach cost the sector over 4.7 million euros in 2025 and led to an average of fifteen days of downtime. Nearly half (46 percent) of all attacks were DDoS attacks, as was the attack on La Banque Postale. But financial institutions also face cyberattacks that target people rather than systems: phishing and spear phishing, in which staff are deliberately misled, account for 30 percent of incidents at European banks and insurers.
European regulators have already responded with tightened requirements, particularly through the Digital Operational Resilience Act (DORA) and the NIS2 directive. These require financial institutions to strengthen ICT risk management, conduct regular resilience testing, and enforce stricter controls on third parties. Only 4 percent of institutions had fully integrated DORA into their operations by March 2025. At the same time, 96 percent of Europe's largest financial institutions had already experienced a data breach via a supplier.
Financial institutions must opt for a comprehensive approach that brings together technology and people. Cybersecurity must be embedded from the start of any digital transformation, according to the principle of 'security by design'. This also includes stricter controls on suppliers and regular resilience testing. It is crucial that organizations invest in their employees: through adaptive awareness training, simulated attacks, and targeted behavioral interventions. Only then does the human factor change from a vulnerable element into an active line of defense.