Top three structural vulnerabilities
1. Vulnerability: The innovation-security gap
Financial services are accelerating toward fully digital, automated and AI-enabled operating models at a pace without historical precedent. Cloud adoption, API ecosystems, real-time platforms, robotic process automation and generative AI are shortening change cycles and expanding the technological footprint of the average institution at an extraordinary rate.
Security functions are not keeping pace. They are expanding, but more slowly, more incrementally and with proportionally less investment than the technology capabilities they are expected to protect. The structural consequence is a growing control gap: The attack surface is expanding faster than the defensive perimeter can be drawn. Each new capability introduced without commensurate security maturity becomes latent risk, accumulating quietly until it transitions from invisible exposure to realized impact.
2. Vulnerability: Third-party dependency and supply chain fragility
No financial institution operates in isolation. The modern operating model is built on a dense web of third-party dependencies: cloud hyperscalers, software vendors, payment processors, data providers, outsourced operations and niche technology specialists. This structure delivers efficiency and scale, but it also creates systemic exposure that is qualitatively different from traditional operational risk.
The MOVEit breach demonstrated how a single vulnerability in a widely used tool can simultaneously compromise hundreds of organizations across industries. The ION Group ransomware attack showed that a niche but critical vendor can disrupt derivatives trading across major institutions in multiple countries. The CrowdStrike outage illustrated that even trusted, well-regarded security providers can become the source of systemic disruption without any malicious intent.
DORA’s ICT third-party risk management requirements reflect this reality directly: Firms must maintain detailed registers of ICT providers, conduct due diligence as well as contractual assurance, and demonstrate viable exit strategies. FINMA’s expectations align closely. But regulatory requirements have outpaced institutional capabilities in many cases.
The deeper challenge is sub-outsourcing, what practitioners increasingly call nth-party risk. Institutions often have reasonable visibility into their direct vendors. They rarely have meaningful visibility into what those vendors depend on. A Tier-1 bank may be confident in its primary cloud provider; however, it may have no visibility into the third-party security software that the provider relies upon. The SolarWinds attack, in which a compromised software build process allowed attackers to distribute malicious updates to thousands of organizations globally, remains the clearest illustration of how deep the exposure chain can run.
3. Vulnerability: Governance fragmentation - When the framework works against you
There is a third vulnerability that receives comparatively little attention, but which may be the most consequential: the fragmentation and misalignment of internal control frameworks.
As organizations have grown, merged and digitalized over the past decade, their governance structures have accumulated layer upon layer of control functions. Operational risk, cyber security, business continuity management, IT risk, data management and third-party oversight have each developed their own frameworks, methodologies, tools and reporting lines, often in parallel, sometimes in direct conflict, and rarely in genuine integration.
The consequences are predictable and costly. Risks exist that no function clearly owns. The same controls are tested multiple times by different teams. Accountability in a crisis is ambiguous. Risk appetite statements and tolerances are inconsistent across functions, making consolidated board reporting unreliable. When a disruption occurs, decision making slows at precisely the moment speed is most critical.
DORA and FINMA’s resilience circular both require alignment between cyber risk management and broader operational risk governance, but translating a regulatory requirement into organizational reality is a transformation program, not a policy update. Many institutions have made progress on individual frameworks, while the integration between them remains materially incomplete.
As organizations now adopt generative AI, expand multi-cloud environments and extend outsourcing, these fragmented frameworks face new and compounding demands. New risks enter the organization faster than governance structures can absorb them. Blind spots multiply. And when the next incident occurs, as it will, the quality of the institutional response depends entirely on whether the governance architecture is coherent enough to act.