GUEST ARTICLE
Put resilience first: how financial institutions can prepare for the next disruption
Author: Lourens Bordewijk - Partner, Deloitte Netherlands
4 June 2025
Guest author Lourens Bordewijk is the Global Cyber Attack Surface Management Leader and a partner in Deloitte Netherlands' cyber practice, specialising in banking and capital markets and offensive security.
What if, overnight, your core banking system was taken offline by a sophisticated cyberattack? What if, at the same time, misinformation spread on social media triggered a surge of customer panic and withdrawal requests? Would your bank be able to keep critical services running, maintain customer trust, and meet regulatory expectations?
"What if" scenarios are no longer a remote possibility
In an era of increasing volatility, these “what if” scenarios have now become everyday realities that every bank must be ready to face.
The financial services industry is navigating a landscape where threats are not only more frequent, but also more sophisticated and far-reaching than ever before. In a recent news release, DNB President Klaas Knot urged financial institutions to strengthen financial and digital resilience in response to growing geopolitical threats. Recent stress tests show that, while Dutch banks can handle trade tensions, integrating geopolitical risk into operational planning is vital.
In the first half of 2024 alone, vishing operations surged by an astonishing 442%, while ransomware attacks rose by 63% in the USA and 67% in the UK. Even more concerning, 79% of detected threats were malware-free, making them harder to spot and stop. Shockingly, one eCrime breakout was recorded in just 51 seconds.
As a result of this evolving threatscape, board directors and C-Suite leaders now widely view cyber risk as a core business risk to manage, not a technology problem to solve, pivoting from a prevention mindset to a resilience focus. Because today, it’s not a matter of if there is a disruption, but when.

Resilience is more than a compliance exercise
Banks today are not just financial institutions; they are pillars of societal stability. In recognition of this, regulators are raising the bar. The EU’s Digital Operational Resilience Act (DORA) represents a shift from simply having plans on paper to demonstrating their effectiveness in practice. Financial institutions must demonstrate, with tangible evidence, that they can withstand and recover from severe disruptions to protect customers, markets, and society at large.
But what if a regional power outage disabled your data centre for 24 hours? What if a ransomware attack encrypted your customer data, leaving your team locked out of essential systems? What if a critical third-party provider suffered an outage, impacting your ability to process payments? These are the kinds of scenarios that are happening every day and for which customers and boards are demanding answers.
Resilience is more than a checklist or a compliance exercise. While robust cybersecurity and availability remain essential, true resilience means being able to continue delivering critical services, such as payments and customer access, even when core systems are compromised. Successful risk management is a holistic approach that requires the integration of technology, processes, people, and culture, and one that can be measured through specific metrics and KPIs that assess readiness and recovery capabilities.
Resilience in practice: calculating the cost of IT outages
In January 2025, a global UK-based bank faced a major three-day outage caused by a software failure in its UK mainframe operating system. This affected millions of customers, with over half of online payments failing and customers unable to complete essential transactions.
Though the outage was caused by internal software problems, not cyberattacks, the bank has committed up to £7.5 million in compensation to affected customers.
This example highlights the vulnerabilities of legacy banking systems and has since prompted scrutiny from regulators and MPs, who have raised concerns about the resilience of digital infrastructure in the banking sector - underscoring the critical need for resilient IT infrastructure.
The dawn of the ‘back-up bank’?
One approach which is gaining traction is the concept of a ‘backup bank.’ This is the creation of a fully functional, parallel system that can take over critical operations in the event of a major disruption. It’s an approach Monzo has taken with Monzo Stand-in, a separate banking infrastructure to take over from their primary platform in the event of an outage.
While this might appear to be a significant investment at a time when cost efficiency is front of mind, banks don't have to tackle this challenge alone. Partnerships with technology providers and industry experts, such as Mambu and Deloitte, can provide valuable insights and solutions.
Financial institutions working with legacy systems and siloed processes undoubtedly face real challenges in building resilience, but driving meaningful change is still possible. By embracing modern, multi-core, composable platforms, banks can overcome complexity and gain the agility needed to adapt, recover, and innovate. In turn, this creates more adaptable, resilient systems that are better equipped to manage unforeseen challenges.
Meanwhile, banks that have already adopted modern, composable architectures are better positioned to innovate, respond to disruption, and meet evolving cybersecurity demands. Regardless of where they begin, all banks must and can take steps toward greater resilience and agility.
Resilience in practice: setting the standard for operational resilience
JPMorgan Chase exemplifies operational resilience by investing an estimated $1 billion annually in cybersecurity.
Unifying its cyber and physical security operations under one roof, the bank’s Operations & Intelligence Fusion Center is a joint initiative that brings together Global Security and Cybersecurity Technology & Controls, integrating intelligence and global operations to address threats which cross both physical and cyber boundaries.
By co-locating cybersecurity analysts with global security personnel, the bank enables real-time collaboration and coordinated threat responses. This integrated approach ensures that risks are detected earlier and addressed faster.
From risk to readiness: the time to act is now!
Wherever you are on the journey, one thing is certain: the next disruption won’t be the last. Now is the time to assess your readiness, question old assumptions, and invest in solutions that keep your services running, even when challenges arise. What can you do to move from asking yourself ‘what if’, to ‘we’re ready’? Here are some pointers to get you started.
- Identify essential services. Identify which services, such as payments, account access, and customer communications, must remain operational in the event of a crisis.
- Adopt composable, modular solutions. Modern banking solutions allow you to build a composable approach and operate a dual, or even multi-core system. Cost-effective and easy to deploy, this approach makes it possible to activate a secure, cloud-based backup environment in the event of an outage much more quickly than with legacy, monolithic solutions.
- Test and test again. Truly test and stretch your systems: regularly simulate disruptions, validate backup processes, and show that your plans work in practice.
- Foster a resilient culture. Empower teams to respond decisively and embed resilience thinking at every level.
- Communicate with customers. Develop an effective communication strategy to build and maintain customer trust during crises. Clear communication can make a significant difference in how customers perceive the bank's handling of disruptions.
- Remember, you’re not alone. Banks don’t have to tackle this challenge alone. By partnering with technology providers and industry experts, and leveraging cloud-native, API-first platforms, financial institutions can build more adaptable, resilient systems that are ready for whatever comes next.
At Deloitte, we believe resilience is a collective responsibility and a source of strategic advantage. Regulatory compliance is a starting point, not the finish line, and financial institutions that invest in operational resilience not only reduce risk and regulatory exposure, they also build trust with customers, strengthen their reputations, and gain a competitive edge in a world where disruption is the new normal.