Jake Simpson is a principal in incident response on the cyber consulting team at Crowe, where he employs his deep understanding of the complex cybersecurity landscape to navigate threats. Jake’s proficiency extends across the spectrum of risk assessment, vulnerability management, digital forensics, and incident response. He’s skilled at designing and implementing strong security architectures, policies, and procedures that align with industry standards and regulatory requirements. His experience ranges from consulting small businesses to working with multinational corporations across various industries such as finance, healthcare, and technology. Jake holds a Master of Science in intelligence studies with a concentration in cyber intelligence and a Bachelor of Science in cybersecurity and information technology.
Navigating Cyber Risk in a Shifting Economic Landscape
As economic volatility reshapes the cyberthreat environment, bank directors must recognize these risks and help craft a strategic response.
Brought to you by Crowe LLP
With rising tariffs, realigned supply chains, escalating geopolitical tensions and an uncertain interest rate environment, cybersecurity might not be the first risk that comes to mind for bank boards trying to navigate today’s shifting economic landscape. Yet, economic volatility also contributes to a more complex and challenging cyberthreat environment.
Macro-level disruptions do not happen in isolation. They reshape how threat actors operate, how data is governed and how banks must prepare. Consequently, cybersecurity is no longer just an operational concern. It is a strategic issue tied directly to business resilience, cross-border exposure and institutional trust — all of which are critical areas of board responsibility.
Economic Fractures, Fraud and Supply Chain Disruptions
Economic instability and shifting trade dynamics are leading to greater reliance on complex third-party ecosystems, which often are globally distributed. While such networks are essential for speed and scalability, they also can become primary attack vectors for cybercriminals.
As banks onboard new vendors in response to tariff-driven sourcing changes or market expansions, they might inadvertently introduce new vulnerabilities. Under pressure to move quickly, due diligence processes sometimes lag behind the pace of business, increasing banks’ risk exposure.
Concurrently, fraud and other forms of financial crime are on the rise, as periods of economic strain typically lead to an uptick in financially motivated cybercrime activity. From business email compromise schemes to real-time payment fraud, bad actors often target financial institutions to exploit uncertainty and accelerate payouts.
Today’s threat actors are faster and more agile, armed with new tools that exacerbate the risk. Using generative AI, they can craft more convincing phishing messages, forge documents and even mimic voices, making impersonation-based fraud harder to detect and quicker to execute. This evolution in fraud techniques demands not only stronger controls but also more proactive awareness from bank leadership.
Data Sovereignty
The reordering of the global economy has also brought a parallel rise in data localization laws and digital sovereignty initiatives. Responding to trade disputes and national security concerns, regulators are increasingly restricting how and where data can be stored and transmitted. For banks operating across multiple jurisdictions, this means grappling with a patchwork of regulatory regimes, each with its own rules about where data can reside, who may access it and under what conditions it may be accessed.
This regulatory fragmentation becomes particularly problematic during a cyber incident. An attack might originate in one country, compromise infrastructure in another and involve customer data governed by laws in several more. During a crisis, these complications can slow incident response, hinder forensic investigations and expose a bank to regulatory penalties or reputational damage if cross-border coordination fails.
Fortunately, many banks do not need to start from scratch to develop a response to these challenges. Their recent experiences in accommodating new and varied global privacy regimes — such as the European Union’s General Data Protection Regulation, the California Consumer Privacy Act and various other state frameworks — can provide a blueprint for building synchronized, risk-based data governance management systems across multiple jurisdictions.
Board-Level Responses to Evolving Cyber Risks
In addition to addressing conflicting or overlapping regulatory regimes, banks must adapt their approach to cybersecurity more broadly to meet regulatory expectations and to protect their continuity, reputation and long-term competitiveness. Successful boards recognize that cybersecurity is no longer just a cost of doing business but is a key determinant of whether the business will survive in moments of crisis.
That means banks must move beyond compliance checklists to integrate cyber governance into broader enterprise risk discussions. Directors can begin by asking probing questions of their cybersecurity and technology teams, such as:
- How are we integrating global economic and geopolitical risk into our cyber risk models? Are our models keeping pace?
- What controls are in place to vet and monitor third-party vendors, especially those added or changed in response to tariff shifts? How recently have these controls been reviewed and tested?
- Are we equipped to manage a breach that involves assets or data in multiple jurisdictions?
- Are our teams prepared?
- How frequently do we test cross-functional, cross-border response plans?
By asking the right questions, connecting the dots across business functions and treating cyber risk as a core element of strategic resilience and business continuity planning, boards can play a pivotal role in seeing that their institutions are both secure today and prepared to adapt to tomorrow’s cyber risks.