UK cyber test reveals weaknesses in banks on security fundamentals
New findings from the Bank of England’s 2025 Cybersecurity Stress Test show that even the UK’s most important financial institutions continue to struggle with basic protection. Regulators want banks to undergo realistic, intelligence-driven cyberattacks on real systems, not just discuss scenarios in boardrooms.
The latest results were alarming. Many banks have failed in fundamental ways, such as keeping systems up to date, putting in place strong access controls, protecting stored data, and ensuring that employees are able to spot fraud. Employees were still being tricked into sharing information that could be used to infiltrate systems and transfer funds.
Comparisons with America are important for the director. US regulators tend to rely on tabletop exercises and written evaluations. While they are useful for testing decisions, they do not indicate how your people, processes, or technology will hold up in the face of a real hacker attempt.
The governance message is clear. Boards should not rest only on policies, certifications, and desk training. Before real attackers expose weaknesses, we need evidence from controlled, realistic attack simulations that show whether basic cyber hygiene is working and where it is failing.
Questions directors should ask management:
- How can you independently verify that basic cyber hygiene (patching, configuration, identity, data protection) is actually working?
- Do we routinely run realistic, threat-based simulations on production or production-like systems, and what do the results reveal?
- How do the lessons learned from these simulations translate into structural improvements, not just tactical modifications?
When AI supply chain risk gets codified
ServiceNow, the IT platform used by approximately 85% of Fortune 500 companies, recently fixed a critical flaw in its AI functionality that could allow criminals to impersonate legitimate users and perform actions within customer environments. Because ServiceNow is tightly tied to human resources, customer service, security, and core operations, weaknesses in AI capabilities can quickly become weaknesses for customers.
This is not a special case. AI is rapidly being incorporated into nearly every business tool. A 2026 Zscaler report found more than 3,400 AI applications in use across customers. This is a 425% increase from approximately 800 the previous year. As AI tools and embedded AI capabilities become the norm, third-party and supply chain risks take on new dimensions. Boards need assurance that executives can understand where AI is being used across critical vendor platforms and how it changes operational, security, and compliance risks.
Questions directors should ask management:
- How do you gain visibility into where AI is embedded in your most important third-party systems? And how do you assess and manage the risks to your business?
Business email compromise: old scams, new AI fuel
Warren County’s $3.3 million fraud loss is a well-known story. It’s a basic payment modification scam that takes advantage of weak controls and poor internal communications. Law enforcement said this was “easily preventable” and reminded that business email compromise remains a low-tech but high-impact threat. The FBI reports that BEC will cost U.S. businesses approximately $2.7 billion in 2024, more than many major cyber incidents.
What is changing is the risk profile. The availability of AI-driven “deepfake-as-a-service” services on the dark web makes it easier for unskilled attackers to impersonate executives and vendors via email, voice, and video, increasing pressure on staff to evade control. Insiders may also be involved in changing payment instructions or circumventing verification steps.
With this in mind, boards must treat BEC as a strategic fraud and governance issue, not just an IT issue, and focus on high-value payment approval workflows, culture, and verification discipline.
Questions directors should ask management:
- How do you harden your payment authorization processes against business email compromises, such as impersonation using deepfakes or potential insider involvement?
Ransomware in 2026: Faster, Smarter, More Relentless
Ransomware remains a systemic threat in 2026, with 793 known victims in January 2026, a 28% increase compared to January 2025. The United States accounts for about 40% of the world’s victims, with manufacturers and technology companies each accounting for nearly one in five cases. The most active ransomware group has claimed more than 100 victims this year alone, and approximately 1,400 victims in its four known years of operation, highlighting the industrial scale of this criminal business model.
AI is now a power multiplier for attackers. AI accelerates target selection, exploit development, social engineering, attack automation, data analysis, and even ransom negotiation. For boards, this raises the bar for what “reasonable” preparations look like. Stopping ransomware should be a top strategic priority in 2026. Zero Trust architectures are designed to reduce the attack surface, significantly reduce the likelihood of a breach, and limit the explosion radius if a breach occurs.
Questions directors should ask management:
- How are modern architectures such as Zero Trust used to specifically reduce the risk of ransomware and limit the movement of attackers once they gain a foothold?
***
Zscaler is a proud partner of the NACD Northern California Chapter. We are here as a resource for directors to answer their questions about cybersecurity and AI risks and are happy to arrange dedicated board briefings. Please email Rob Sloan ([email protected]), Vice President of Cybersecurity Advocacy at Zscaler, Learn more or get a free hardcopy copy of Cybersecurity: 7 Steps for Boards of Directors.
