May 19, 2026
Cyber security conversations in financial services have fundamentally changed. For years, organisations approached cyber through the lens of protection – preventing breaches, blocking malware and securing the perimeter.
But the reality facing financial institutions today is far more confronting: in a hyper-connected economy, perfect defence no longer exists.
The question is no longer whether an organisation will face disruption. The question is whether it can continue operating when disruption arrives.
That is why resilience – not prevention – is emerging as the defining security priority across financial services over the next 12–24 months.

As critical infrastructure operators, financial institutions now sit at the intersection of economic continuity, national trust and digital dependency. The stakes are materially different.
Cyber security is no longer an isolated technology function operating in the background of the business. It is becoming deeply intertwined with operational resilience, enterprise governance and long-term business viability.
And importantly, resilience demands a very different mindset.
Traditional cyber security strategies focused heavily on stopping attacks. Modern resilience strategies assume something eventually gets through.
That subtle shift changes everything.
It changes how organisations prioritise investments. It changes how boards govern cyber risk. And it changes how technology leaders define success.
The most mature financial institutions are no longer measuring readiness purely through technical controls or compliance checklists.
They are asking harder operational questions:
Those questions force organisations to confront uncomfortable realities around dependencies, ownership and preparedness.
In many institutions, critical systems remain deeply interconnected, while accountability for data, operational processes and vendor relationships can still be fragmented across teams. Under pressure, those gaps become exposed quickly.
This is why resilience is increasingly being embedded within broader operational risk frameworks such as APRA CPS 230 and the Reserve Bank’s self-assessment obligations via PFMI.
Cyber risk is no longer being viewed separately from enterprise resilience. It is becoming one component of a much larger operational trust equation.
One of the most important maturity shifts occurring across financial services is the focus on defining ‘crown jewel’ assets.
Historically, many organisations attempted to protect everything equally. That approach is becoming unsustainable.
Modern financial environments generate enormous data volumes across payments, customer systems, cloud environments, applications, APIs and third-party ecosystems. Trying to treat every dataset or platform with identical criticality creates noise, complexity and operational inefficiency.
Resilient organisations are becoming far more deliberate.
They are identifying the systems, datasets and operational functions that represent the absolute core of the business – the assets that underpin customer trust, financial continuity and regulatory obligations.
That clarity changes decision-making dramatically.
It informs incident response priorities. It shapes recovery sequencing. It influences technology architecture. And it creates far greater executive alignment during crisis situations.
Importantly, this is not simply a technology exercise.
The process of defining minimum viable business requires direct involvement from executives, boards, operational leaders, legal teams and communications functions. Because when major disruption occurs, the impact extends far beyond IT systems alone.
Some of the biggest operational vulnerabilities in financial services no longer sit inside the enterprise perimeter. They sit across the supply chain.
As financial ecosystems become increasingly dependent on external providers, software platforms, cloud environments and strategic technology partners, third-party resilience has rapidly evolved into a board-level issue.
The weakest link is often external.
This is forcing organisations to redesign third-party risk management frameworks end-to-end – from procurement through to vendor retirement.
More mature institutions are introducing structured vendor tiering models, explicit governance cadences, reciprocal KPIs and clearly defined decision rights across both internal teams and suppliers.
But the relationship itself is also changing.
Critical infrastructure organisations increasingly expect partners to align with broader resilience objectives, sovereignty requirements and national-interest responsibilities.
Vendors are no longer simply service providers delivering a contract. They are participants within the operational resilience posture of the organisation itself.
That raises the bar significantly.
One of the biggest problems in cyber security is abstraction.
Threat discussions often become overly technical, disconnected from operational or commercial consequences. Mature organisations are increasingly simplifying cyber through defined business-impact scenarios.
At the centre of this approach is a simple question: ‘So what?’
The most important attack scenarios are no longer measured purely by technical severity. They are measured by business impact.
Five scenarios increasingly dominate resilience planning across financial services:
Each scenario is mapped directly against operational, financial, reputational and customer impacts. This creates far greater clarity around risk appetite and investment prioritisation.
More importantly, it allows boards and executives to engage meaningfully in cyber discussions without becoming trapped in technical language. The conversation shifts from vulnerabilities and tooling towards operational outcomes, customer trust and organisational preparedness.
That is where cyber security becomes strategically useful.
Many organisations still overestimate the value of static cyber policies. Under pressure, policies rarely save organisations; preparedness does.
That is why resilience leaders are investing heavily in simulations, tabletop exercises and executive decision-making rehearsals. The objective is not simply to test technology controls, but to test organisational behaviour under stress.
These exercises often expose weaknesses that traditional audits never uncover. And importantly, they help organisations move beyond theoretical preparedness into operational confidence.
Beyond this, few topics are creating more tension inside boardrooms than AI.
On one side sits understandable caution – concerns around governance, explainability, data leakage and expanded attack surfaces. On the other sits the growing recognition that failing to adopt AI may itself become a competitive and operational risk.
The answer is not avoidance. The answer is responsible adoption.
But responsible AI requires far more than selecting models or deploying copilots. Most organisations are still maturing foundational disciplines such as data governance, stewardship, ownership and lineage.
Without those foundations, AI risks amplifying organisational weaknesses rather than solving them. This is why mature AI strategies increasingly begin with governance rather than technology.
Questions around ownership, custodianship, risk accountability and data integrity are becoming prerequisites before organisations determine whether to pursue machine learning, deep learning, generative AI or proprietary large language model strategies.
The organisations approaching AI most effectively are treating it as a resilience and operational maturity discussion – not simply an innovation exercise.
Financial institutions today operate across sprawling security environments covering endpoint, network, identity, cloud and application layers. Yet more tooling is not necessarily creating better outcomes.
In many cases, complexity itself is becoming the vulnerability.
Security teams are drowning in alerts, duplicate signals and fragmented visibility across platforms. This is why signal-over-noise discipline is becoming one of the defining characteristics of mature cyber operations.
Continuous control tuning is no longer optional. It is ongoing business-as-usual activity.
Frameworks such as NIST and Essential Eight remain valuable because they provide structured maturity pathways and help boards understand where targeted uplift investments should occur.
But there is another reality leaders increasingly need to communicate honestly: cyber security maturity eventually plateaus.
The closer organisations move towards higher maturity levels, the harder and more expensive incremental improvement becomes. Maintaining maturity can ultimately become more difficult than achieving it initially.
That is an important board-level conversation.
Because resilience is not a finish line. It is a continuous operational discipline.
The role of the CIO inside critical infrastructure organisations has evolved significantly.
Cyber security once consumed the majority of executive technology conversations. But as executive understanding improves, technology leaders are increasingly using cyber discussions to drive broader conversations around architecture simplification, operational efficiency, data strategy and long-term business enablement.
That evolution matters.
Because cyber security is no longer simply about defence. It is becoming a strategic mechanism for reducing complexity, modernising operations and enabling sustainable growth.
The best CIOs are no longer positioning cyber as a blocker to innovation. They are positioning resilience as the foundation that allows innovation to occur safely and confidently.
Because financial services has always operated on trust.
Customers trust institutions to move money securely. Regulators trust organisations to maintain stability. Economies trust critical infrastructure operators to remain available under pressure.
Operational resilience is now becoming one of the clearest demonstrations of that trust.
Not because organisations can prevent every disruption. But because they can respond decisively, operate transparently and continue functioning when pressure arrives.
In the modern financial system, resilience is no longer a defensive capability. It is becoming a competitive differentiator.
May Lam is CIO of Australian Payments Plus. As part of Moxie Top Minds, May contributed to Security Outlook: Australia 2025 / 2026 by Moxie Insights. Download the report here.