“We’re Being Attacked All the Time”: UK Banks Struggle to Stay Ahead of Cyber Threats

As cyberattacks become increasingly sophisticated and frequent, UK banks are investing billions to defend against the growing threat — with cybersecurity now ranked as the sector’s largest single expense.

Following a wave of high-profile attacks this spring targeting Marks & Spencer, the Co-op, and Harrods, banking executives have expressed alarm over the potential for similar breaches to cripple the UK’s financial infrastructure.

“We are being attacked all the time,” said Ian Stuart, UK CEO of HSBC, during a recent parliamentary hearing. “The amount of money banks spend on their systems today is enormous — and it has to be. This is our biggest expense.”

The implications of a large-scale cyberattack on a UK bank are staggering. According to the government’s national risk register, a worst-case scenario could see millions of direct debits fail, wages delayed, ATMs go offline, and a run on banks triggered by public panic. It would be a national crisis.


The Evolving Battlefield of Cybercrime

The modern “bank robbery” no longer involves ski masks and getaway cars. Instead, state-sponsored hackers and independent cybergroups seek ransom payments or widespread disruption by exploiting vulnerabilities in outdated or complex systems.

UK banks’ IT infrastructures are layered and interconnected, often dependent on third-party software and cloud providers. This “attack surface”, as cybersecurity experts call it, continues to expand.

“The opportunities for attackers to look for ways in have increased,” noted Prof. Alan Woodward, cybersecurity expert at the University of Surrey.

In 2016, Tesco Bank suffered one of the UK’s most damaging cyber breaches, when hackers stole nearly £2.5 million from 9,000 customer accounts, forcing a temporary freeze on card payments and causing lasting reputational damage.


A National Focus on Cyber Resilience

The Bank of England has led the charge to secure the sector. Since 2013, it has recognized cybersecurity as a financial stability risk, launching the CBEST programme — a world-first scheme using ethical hackers to simulate real-world attacks on regulated institutions.

“We’re dealing with bad actors who refine their lines of attack continuously,” said Governor Andrew Bailey, urging constant vigilance from banks.

The Bank coordinates regular SIMEX cyber war games, bringing together firms and regulators to test their ability to respond to large-scale breaches. Emergency protocols allow up to 100 financial institutions to be mobilized for rapid response calls in under an hour.


Building Trust in a Digital World

Trust is the foundation of banking. A single successful hack that compromises customer data or results in fraudulent transactions can lead to long-term reputational damage, as shown by the prolonged fallout from TSB’s 2018 IT meltdown.

“You’re not going to trust that bank again with your money,” said Prof. Woodward.

Between January 2023 and February 2025, the UK’s largest banks and building societies logged over a month’s worth of cumulative IT outages, whether or not caused by malicious activity, according to the Treasury committee.

Still, industry leaders express confidence.

“Never rule out a cyberattack,” said Laura Catterick, director at UK Finance. “But there should be confidence in the amount of cyber defences in place.”

As hackers become bolder and more sophisticated, UK banks — and their regulators — are locked in a constant digital arms race to ensure that finance remains one of the most resilient industries in the country.

© 2025 Geopolitical.org.uk. All rights reserved.