Cyber Security
Cyber Security refers to the practices, technologies, and measures required to protect sensitive financial information, systems, and infrastructure from unauthorised access, disclosure, alteration, or destruction. It involves safeguarding firms and individuals against cyber threats such as hacking, data breaches, malware, phishing attacks, and other forms of cybercrime.
Cyber Security Working Group
The PIMFA Cyber Security Working Group shares intelligence, explores a wide range of issues impacting our sector, and develops best practices and guidance.
Previous work includes:
- Cyber Security Framework mapping
- Artificial Intelligence (AI) potential impacts on Cyber Security
- Cyber Security when travelling and working from home
- Reviews of case studies and learnings
- Cyber Security strategies and culture
If you are interested in joining this member-only group, please contact Kevin Sloane.
Latest news
The Cost of Complacency: Cyber Threats Facing UK Financial Firms
Read here an article from the PIMFA Journal #32 by Kerrie Machin, Director of Business Development at Mitigo, highlighting that cybersecurity is now a battleground where complacency is no longer an option.
HM Treasury: Artificial Intelligence and Cybersecurity – Navigating Risk and Resilience in the Financial System
HM Treasury has published a statement on Artificial Intelligence and Cybersecurity by the G7 Cyber Expert Group (CEG) that advises on cybersecurity policy issues and proactively addresses the emerging and evolving cybersecurity risks AI may pose.
Key areas covered in the CEG statement include:
- Illustrating the Cyber Impact of AI
- Maximising Opportunities While Managing Risks
- Financial Sector Considerations
- Key Considerations for Financial Institutions and Authorities
Read the statement here.
UK Government unveils ransomware measures
On 22 July 2025, the UK Government published its official response to a consultation on proposals aimed at reducing ransomware payments and increasing incident reporting. The measures are part of a broader strategy to disrupt the business model of cybercriminals and enhance national cyber resilience.
- Targeted ban on ransom payments: Critical national infrastructure and public sector organisations will be prohibited from paying ransoms. This aims to reduce the profitability of ransomware attacks and deter criminals from targeting essential services. The consultation response showed strong support (72% of respondents), though the government is still examining implementation details such as liability arrangements.
- Mandatory notification before payment: Private sector organisations not covered by the ban above must notify the government before making any ransom payment. This allows authorities to assess legal risks, including potential sanctions breaches, and potentially block the payment.
- Mandatory incident reporting: A new legal requirement will compel organisations to report ransomware incidents. Further work is expected to align any additional reporting requirements with existing pathways, as far as possible.
Firms that could be designated as critical infrastructure should prepare for these potential changes to ransomware response strategies.
For any questions or concerns about these measures, please contact Maria Fritzsche.
Bank of England: AI Consortium (inaugural meeting)
The Bank of England (BoE) has published the minutes of the first AI Consortium (AIC) which provides a platform for public-private engagement on AI.
Challenges and risks were discussed, for example:
- The growing reliance on third-party providers
- How widespread use of similar AI models could amplify systemic vulnerabilities
- Risks of contagion
- The potential for gen AI to introduce misleading information onto financial markets
- The risk of unfairness
- The threat of AI-driven fraud and cyberattacks
Noting the BoE and the FCA's pragmatic yet flexible approach to regulation to date, the AIC stated the need to coordinate across other regulators, jurisdictions and sectors.
Read the minutes here.