

The Director’s Cut: U.K. Cyber Tests Expose Banks’ Weakness on Security Basics

Rob Sloan

Contributor

Zscaler

Feb 2, 2026

Live cyber tests show banks still failing basics, while AI embedded in vendors, payment fraud, and ransomware reshape risk. This briefing explains what boards must ask to oversee cyber resilience in 2026.

U.K. Cyber Tests Expose Banks’ Weakness on Security Basics

New findings from the Bank of England’s 2025 cybersecurity stress tests show that even the U.K.’s most important financial institutions continue to struggle with basic protections. Regulators require banks to undergo realistic, intelligence‑led cyberattacks on their live systems, rather than only talking through scenarios in a meeting room.

The latest results were troubling. Many banks failed on fundamentals such as keeping systems up to date, setting strong access controls, protecting stored data, and ensuring staff could spot fraud attempts. Employees were still being tricked into sharing information that could be used to break into systems or move money.

For directors, the comparison with the United States is important. U.S. regulators tend to rely on tabletop exercises and written assessments. These can be useful for testing decision making, but they do not show how people, processes, and technology hold up when hackers try to break in for real.

The governance message is clear. Boards should not take comfort from policies, certifications, and tabletop drills alone. They need evidence from controlled, realistic attack simulations that show whether basic cyber hygiene is working and where it is failing, before a real attacker exposes those weaknesses.

Questions directors should ask management:

  • How do we independently validate that our basic cyber hygiene (patching, configuration, identity, data protection) is actually working in practice?
  • Do we routinely conduct realistic, threat-led simulations on live or production-like systems, and what have they revealed?
  • How are lessons from these simulations translated into structural improvements, not just tactical fixes?

When AI Supply Chain Risk Becomes Systemic

ServiceNow, an IT platform used by about 85% of the Fortune 500, recently fixed a serious flaw in its AI features that could have allowed criminals to pose as legitimate users and perform actions inside customer environments. Because ServiceNow is tightly connected to HR, customer service, security, and core operations, weaknesses in its AI functions can quickly become weaknesses in its customers.

This is not an isolated case. AI is rapidly being built into almost every business tool. A 2026 Zscaler report found more than 3,400 AI applications in use across its customers, a 425% increase from about 800 a year earlier. As AI tools and embedded AI features become the norm, third-party and supply chain risk takes on a new dimension. Boards need assurance that management can see where AI is used in critical vendor platforms and understands how that changes operational, security, and compliance risk.

Question directors should ask management:

  • How are we gaining visibility into where AI is embedded in our most critical third party systems, and how are we assessing and managing the risks that creates for our business?

Business Email Compromise: Old Fraud, New AI Fuel

Warren County’s $3.3 million fraud loss is a familiar story: a basic payment change scam exploiting weak controls and poor internal communication. Law enforcement called it “easily preventable,” a reminder that business email compromise remains a low-tech but high-impact threat. The FBI reports BEC cost U.S. businesses around $2.7 billion in 2024, more than many headline cyber incidents.

What is changing is the risk profile. AI-driven ‘deepfake-as-a-service’ offerings on the dark web make it easier for unskilled attackers to convincingly impersonate executives or vendors across email, voice, and video, increasing pressure on staff to bypass controls. There is also the possibility of insider involvement in altering payment instructions or sidestepping verification steps.

With this in mind, boards should treat BEC as a strategic fraud and governance issue, not just an IT problem, focusing on approval workflows, culture, and verification discipline for high value payments.

Question directors should ask management:

  • How are we hardening our payment approval processes against business email compromise, including deepfake-enabled impersonation and potential insider involvement?

Ransomware in 2026: Faster, Smarter, More Relentless

Ransomware remains a systemic threat in 2026, with 793 known victims in January 2026, a 28% increase over January 2025 figures. The U.S. accounts for about 40% of global victims, and manufacturers and technology firms each represent almost one in every five cases. The most active ransomware group has claimed over 100 victims this year alone and around 1,400 over its four known years of operation, underscoring the industrial scale of this criminal business model.

AI is now a force multiplier for attackers: it accelerates target selection, exploit development, social engineering, attack automation, data analysis, and even ransom negotiations. For boards, this raises the bar on what “reasonable” preparedness looks like. Stopping ransomware should be a top strategic priority for 2026, with zero trust architectures designed to shrink the attack surface, significantly reduce the chance of a compromise, and limit the blast radius if breaches occur.

Question directors should ask management:

  • How are we using modern architectures such as zero trust to specifically reduce our ransomware exposure and limit attacker movement if they gain a foothold?

***

Zscaler is a proud partner of NACD’s Northern California chapter. We are here as a resource for directors to answer questions about cybersecurity or AI risks, and are happy to arrange dedicated board briefings. Please email Rob Sloan ([email protected]), VP Cybersecurity Advocacy at Zscaler, to learn more or to get a free hardcopy version of Cybersecurity: Seven Steps for Boards of Directors.
