Thales Blog

Key Takeaways from the Thales 2025 Data Threat Report: Financial Services

August 28, 2025

Marcelo Delima | Senior Manager, Global Solutions Marketing

Financial Services organizations are some of the most crucial components in the global economy. They’re also some of the most vulnerable. They handle enormous amounts of valuable data, have a low tolerance for downtime, and are often reliant on legacy systems. Protecting them relies on understanding their strengths, weaknesses, and the threats they face. The Financial Services edition of the Thales 2025 Data Threat Report provides exactly that information.

More Cloud Growth, More Cloud Challenges

Unsurprisingly, FinServ organizations have continued to grow their cloud environments, with the average number of SaaS applications in use rising from 84 last year to 107 this year – a 27% increase. And, as cloud adoption grows, so does the sensitivity of data stored on these platforms: the average proportion of cloud data classified as "sensitive" rose from 44% in 2024 to 59% in 2025.

However, despite this increase, many FinServ organizations still lack even the most basic data security controls. Around 22% have little or no confidence in identifying where their data is stored, and only 15% have encrypted 80% or more of their sensitive data.

AI Concerns (and Opportunities) Abound

As in other industries, FinServ organizations show a healthy level of concern about Generative AI risks, with 59% citing the fast-moving AI ecosystem as their top concern. Encouragingly, this concern translates to action: four in five (81%) are investing in GenAI-specific security tools, and 24% are using newly allocated budget.

That said, the FinServ industry hasn’t just recognized the security risks associated with AI; it’s also aware of – and seizing upon – the opportunities it presents. In 2024, FinServ already outpaced the broader market in AI deployment, leading by 16 points in enabling employees to use AI and 7 points ahead in AI integration, which has continued into 2025. Now, 45% say they are in the “integration” or “transformation” phases of their GenAI journey, compared to just 33% across the overall survey population.

Application Security in the Spotlight

APIs are essential to FinServ operations, powering digital services, enabling data exchange, and boosting efficiency and customer experience. It should come as no surprise, then, that API usage has increased considerably. Just over two in five FinServ organizations (41%) use more than 500 APIs, while 22% use more than 1,000, compared to 34% and 22%, respectively, survey-wide.

Regarding application security priorities, while most FinServ organizations cite shift-left security controls, respondents also emphasized foundational production controls such as dynamic application security testing (DAST), API security tools, and web application firewalls (WAFs).

On the architecture side, secrets management leads DevOps security concerns, but this hasn’t translated to data protection more broadly.

Secrets Management Complacency

Secrets management is crucial for data protection. It securely stores and manages access credentials (passwords, keys). It prevents unauthorized access and data breaches by ensuring only authorized users/systems can unlock sensitive data, thereby reducing risk and aiding compliance.

However, despite its criticality and the rapidly increasing number of APIs in use, only 16% of FinServ respondents identified secrets management as important for data protection. This is particularly surprising considering that FinServ organizations reported credential theft/compromise, including misappropriated secrets, as the top area of increased cloud management infrastructure attacks.

FinServs are Quantum Confident

Looking ahead to the quantum threat, FinServ organizations are more confident than survey respondents at large. Nearly three in five (57%) are concerned about future encryption compromise, compared to 63% survey-wide. The same proportion is concerned about key distribution, compared to 61% survey-wide, and half are concerned about future decryption of today’s data, including harvest now, decrypt later, compared to 58% survey-wide.

Breaches Fall, Complexity Rises

Despite some security gaps, particularly surrounding secrets management, recent data breaches among FinServ respondents have steadily decreased. In 2021, 29% of organizations reported a recent breach. This year, that number fell to just 16%.

We can attribute some of this improvement to healthy adoption of strong multi-factor authentication (MFA): 40% of employees at nearly all FinServ respondent organizations (98%), up from 21% of organizations in 2021.

FinServ Security: A Mixed Bag

The results from this report are simultaneously encouraging and concerning. MFA adoption is strong, breaches have fallen, and investment in AI technology is healthy. However, critical security gaps persist: a significant lack of confidence in data location, low sensitive data encryption rates, and surprising complacency in secrets management remain key – and concerning – vulnerabilities that will plague the sector if business leaders fail to act. These gaps must be closed to address the persistent complexity challenges, which worsen because of the new architectures required to support AI adoption.

Want to find out more about FinServ’s evolving cybersecurity landscape? Read the full Thales 2025 Data Threat Report: Financial Services report, and please join our webinar, Key Findings from the 2025 Thales Data Threat Report - Global Edition, presented by Mark Ehr, Principal Research Analyst at S&P Global 451 Research, with the participation of EDB Postgres AI and Thales.