At the ebankIT Summit, Jorge Monteiro, CEO of Ethiak, took the stage to share some insights on cybersecurity and how financial institutions can enhance their digital security.
He highlighted that nowadays, financial institutions face unprecedented cyber risks with complex digital infrastructures, sprawling supply chains, and increasing regulatory pressure.
The traditional “set it and forget it” approach to cybersecurity is no longer viable.
Historically, many banks and fintechs have relied on reactive measures, annual penetration tests, compliance checklists, or defense tools like firewalls and antivirus software.
But in 2025, this strategy falls dangerously short. Attackers are faster, smarter, and more automated than ever before, and your security strategy needs to keep pace.
It’s no longer a matter of if a breach will happen but when.
And when it does, will your institution be ready?
Jorge emphasised that financial institutions should have a mindset centered around continuous testing, fast response, and real-time visibility. This mindset has become the smartest investment a financial institution can make.
Traditional methods are outdated; his talk offered a roadmap to protect your assets and reputation.
Cyberattacks are no longer isolated events; they’re a statistical certainty. According to recent data, 1 in 8 businesses suffers a cyberattack with six-figure losses every year, and financial institutions are among the most targeted.
Yet many organizations remain dangerously unprepared, relying on annual audits or one-time penetration tests to identify vulnerabilities.
This leaves months of exposure where critical flaws go undetected while attackers become more efficient every day.
Jorge shared a real-world example: in a recent case documented by Cloudflare, a newly disclosed vulnerability (CVE) was actively exploited just 22 minutes after being published online.
That means attackers had weaponized the flaw and launched attacks globally within the time it takes to grab a coffee. If your detection process takes days, or worse, weeks…
Another major misconception?
“We’re too small to be a target.”
In reality, attackers often use automated bots to scan entire IP ranges indiscriminately. They aren’t looking for you specifically; they are looking for any open window.
And those windows are increasing fast.
Financial institutions are becoming more complex. Cloud adoption, APIs, SaaS platforms, third-party vendors, and shadow IT create an ever-expanding attack surface.
Without real-time visibility into these assets, you can’t defend what you don’t know you have.
On top of that, threats are becoming more technical. While phishing and human error are still relevant, reports from Mandiant and Verizon show that exploited software vulnerabilities now account for 20–38% of breaches, more than phishing in many cases.
The implication is clear: if you’re not finding and fixing technical vulnerabilities fast, you’re exposed.
In finance, the cost of inaction isn’t just money—it’s trust. A single breach can damage customer confidence, disrupt operations, trigger regulatory penalties, and tarnish your brand. In a sector where reputation is everything, cyber resilience is not optional—it’s survival.
Key reasons to adopt a proactive cybersecurity approach
Most financial institutions are deeply familiar with regulatory frameworks like DORA, NIS 2, the Cyber Resilience Act, and ISO 27001. These are no longer optional but a basic cost of doing business in finance. However, passing an audit doesn’t mean your systems are secure.
Jorge put it clearly: "You can technically be compliant and still get hacked tomorrow."
Most compliance processes are backward-looking, involving periodic assessments that check whether controls were in place at a certain point in time.
But cyber threats evolve daily. A vulnerability discovered the day after an audit can still take down your systems and expose customer data before the next scheduled review.
Additionally, regulators are increasingly focusing on continuous assurance, especially in supply chain and operational resilience mandates.
NIS 2, for example, requires entities to monitor third-party suppliers and maintain real-time risk awareness.
Proactive cybersecurity practices, such as continuous pen-testing and real-time asset discovery, help meet not just the letter but the spirit of the law.
Even the most secure financial institutions must accept a harsh reality.
Attacks will happen.
The goal of cybersecurity is not just prevention but resilience.
Resilience means being able to detect, respond to, and recover from an attack quickly, with minimal impact on operations, finances, and reputation.
Jorge introduced a simple but powerful cyber risk formula: Cyber Risk = Assets × Vulnerabilities × Threats
The faster you detect and resolve a vulnerability, the less time attackers have to exploit it. Proactive cybersecurity practices such as continuous scanning, retesting, and real-time alerts are the only way to drive these numbers down.
Financial institutions can’t eliminate all threats, but they can build resilience through speed, visibility, and testing.
In a crowded financial market, trust is everything. Customers, partners, and regulators want to know that your institution can be trusted with sensitive data and uninterrupted operations.
That’s where proactive cybersecurity becomes a brand asset.
We’ve seen a similar evolution in sustainability: what was once a regulatory or PR box to check is now a strategic pillar. Security is following the same trajectory.
The institutions that can demonstrate ongoing, rigorous testing practices will win over the security-conscious clients and partners.
This is especially critical in the era of interconnected supply chains. Under NIS 2, you're not just responsible for your own infrastructure; you’re expected to evaluate the risk posture of your third-party vendors and providers.
Proactive security gives you the visibility and data to do this confidently.
Moreover, institutions that embed security into their marketing, by sharing test coverage stats, response times, or audit results, can set themselves apart in a saturated market.
Proactive security isn’t just protection; it’s a strategic differentiator and a way to earn long-term trust.
Core Elements of a Proactive Cybersecurity Strategy
Gone are the days when a yearly penetration test was enough. Financial systems are in constant flux, as new applications, updates, integrations, and APIs are introduced regularly. Every change is a potential point of failure.
That’s why institutions must "hack themselves first"—before bad actors do.
Proactive testing means:
Performing ongoing vulnerability scans
Running frequent penetration tests, not just annual ones
Simulating real-world attacks to expose critical flaws before attackers can
Jorge compared this to health checks. One wouldn’t visit the doctor once a year and ignore symptoms the rest of the time.
The same goes for cybersecurity. Ethical hackers act as trusted adversaries, helping identify and remediate weaknesses before they become crises.
You can’t protect what you can’t see. One of the biggest challenges facing financial institutions is shadow IT: unauthorized tools, forgotten services, and untracked APIs running in the background.
Proactive cybersecurity begins with comprehensive asset discovery and continuous attack surface management, including:
Mapping all subdomains, IPs, cloud assets, and exposed services
Identifying what technologies are running, where, and how they’re configured
Monitoring for changes that may introduce new vulnerabilities
Financial institutions often operate across multiple subsidiaries, regions, and platforms. Without visibility, risks go undetected—and attackers thrive in that darkness.
Automation is essential for scale and speed. It enables organizations to run scans daily, flag new vulnerabilities within minutes, and integrate alerts into DevOps workflows.
But humans remain irreplaceable, especially when it comes to:
Validating whether a vulnerability is real and exploitable
Prioritizing which findings matter most to the business
Providing contextual remediation guidance
Jorge described this balance as the difference between snorkeling and deep-sea diving: scanners skim the surface; humans go deep. A truly proactive approach leverages both.
Financial institutions should choose platforms that blend automated tools with on-demand human expertise, allowing security and development teams to collaborate effectively.
Ready to move from reactive to proactive? Here are concrete steps financial institutions can take right now:
A proactive strategy starts with visibility. Financial institutions must identify and inventory all digital assets—including known domains, IP addresses, cloud resources, APIs, and shadow IT. Without a complete map of your attack surface, it’s impossible to assess risk accurately or prioritize security efforts effectively.
Security testing must evolve from a once-a-year exercise to a continuous process. Regular vulnerability scans and ongoing penetration tests help identify flaws as soon as they appear. By retesting fixes and monitoring for regressions, organizations ensure that vulnerabilities stay closed and aren’t accidentally reintroduced.
Speed matters. Reducing Mean Time to Detect (MTTD) and Mean Time to Remediate (MTTR) directly limits the damage an attacker can do. This means building workflows that enable fast detection, automated alerts, and clear ownership of remediation tasks across security and development teams.
Security must shift left—embedded early in the software development lifecycle. By integrating security testing into CI/CD pipelines, teams can catch vulnerabilities during development, before they reach production. This reduces costly fixes later and builds security into the culture of software delivery.
A centralized, real-time view of your security posture helps teams prioritize and act faster. Dashboards should track exposed assets, open vulnerabilities, test coverage, and remediation timelines—making it easier to communicate progress to stakeholders and stay ahead of risk.
Even the best tools can’t replace informed people. Regular security awareness training, phishing simulations, and developer education help build a strong human firewall. When security is understood and owned across teams, institutions become more resilient from the inside out.
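The steps above (asset inventory, continuous testing with retest, and tracking Mean Time to Detect and Mean Time to Remediate) are easiest to see together in a small script. The following Python example is added here and is not code from the talk, from Ethiak or from ebankIT; it compares two constructed attack-surface snapshots to flag newly exposed services and configuration changes, then computes MTTD, MTTR, SLA breaches and unverified fixes over a constructed list of findings. The hostnames, services, timestamps and the per-severity SLA hours are all assumed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional, Tuple

Asset = Tuple[str, int]  # (hostname, port)

# Constructed snapshots of the external attack surface, as a daily scan might produce.
PREVIOUS_SNAPSHOT: Dict[Asset, str] = {
    ("api.example-bank.test", 443): "nginx 1.22",
    ("www.example-bank.test", 443): "nginx 1.24",
}
CURRENT_SNAPSHOT: Dict[Asset, str] = {
    ("api.example-bank.test", 443): "nginx 1.24",        # version changed since last scan
    ("www.example-bank.test", 443): "nginx 1.24",
    ("staging-db.example-bank.test", 5432): "postgresql",  # newly exposed host (shadow IT)
    ("www.example-bank.test", 8080): "jenkins",            # new port on a known host
}


def diff_attack_surface(previous: Dict[Asset, str], current: Dict[Asset, str]):
    """Return (new, removed, changed) between two inventory snapshots.

    New entries are the 'open windows' continuous discovery exists to catch;
    changed entries show a known asset whose service or version moved.
    """
    new = {a: s for a, s in current.items() if a not in previous}
    removed = {a: s for a, s in previous.items() if a not in current}
    changed = {a: (previous[a], s) for a, s in current.items()
               if a in previous and previous[a] != s}
    return new, removed, changed


@dataclass
class Finding:
    asset: str
    severity: str
    introduced: datetime           # when the exposure first appeared (deploy or scan diff)
    detected: Optional[datetime]   # when a scanner or tester confirmed it
    remediated: Optional[datetime]
    verified: bool = False         # a retest confirmed the fix actually holds


# Assumed remediation deadlines per severity, in hours; real SLAs come from policy.
REMEDIATION_SLA_HOURS = {"critical": 48, "high": 72, "medium": 336, "low": 720}

# Constructed findings used for the metrics below.
FINDINGS: List[Finding] = [
    Finding("www.example-bank.test:443", "critical",
            datetime(2025, 3, 1, 0), datetime(2025, 3, 1, 6), datetime(2025, 3, 2, 6), True),
    Finding("www.example-bank.test:8080", "high",
            datetime(2025, 3, 3, 0), datetime(2025, 3, 4, 0), datetime(2025, 3, 10, 0), False),
    Finding("api.example-bank.test:443", "medium",
            datetime(2025, 3, 5, 0), datetime(2025, 3, 5, 12), None, False),
]
NOW = datetime(2025, 3, 12, 0)  # constructed 'current time' for the open finding


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def mean_time_to_detect(findings: List[Finding]) -> Optional[float]:
    """MTTD in hours: average gap between an exposure appearing and being detected."""
    samples = [_hours(f.introduced, f.detected) for f in findings if f.detected]
    return mean(samples) if samples else None


def mean_time_to_remediate(findings: List[Finding]) -> Optional[float]:
    """MTTR in hours over closed findings: average gap between detection and fix."""
    samples = [_hours(f.detected, f.remediated)
               for f in findings if f.detected and f.remediated]
    return mean(samples) if samples else None


def sla_breaches(findings: List[Finding], now: datetime) -> List[str]:
    """Assets whose fix landed (or is still pending) past the severity deadline."""
    breached = []
    for f in findings:
        if not f.detected:
            continue
        deadline = f.detected + timedelta(hours=REMEDIATION_SLA_HOURS[f.severity])
        if (f.remediated or now) > deadline:
            breached.append(f.asset)
    return breached


def unverified_fixes(findings: List[Finding]) -> List[str]:
    """Fixes that were never retested: the regression risk the text warns about."""
    return [f.asset for f in findings if f.remediated and not f.verified]


if __name__ == "__main__":
    new, removed, changed = diff_attack_surface(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT)
    for (host, port), service in new.items():
        print(f"NEW EXPOSURE {host}:{port} ({service})")
    for (host, port), (old, cur) in changed.items():
        print(f"CHANGED {host}:{port}: {old} -> {cur}")
    print(f"MTTD {mean_time_to_detect(FINDINGS):.1f}h, MTTR {mean_time_to_remediate(FINDINGS):.1f}h")
    print("SLA breaches:", sla_breaches(FINDINGS, NOW))
    print("Fixes awaiting retest:", unverified_fixes(FINDINGS))
```

Feeding real scan output into `diff_attack_surface` each day turns the inventory step into a change feed; the two time metrics are the numbers a dashboard would trend, and `unverified_fixes` is the retest backlog that keeps a closed vulnerability closed.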
Cybersecurity can’t afford to be reactive. The speed and sophistication of modern threats mean that waiting for audits or relying on outdated tools is a dangerous gamble.
Instead, financial institutions must adopt a proactive mindset, one that prioritizes continuous testing, real-time visibility, and operational resilience.
As Jorge emphasized, compliance may keep regulators satisfied, but it won’t stop a breach. Proactive cybersecurity not only reduces risk but also builds trust, strengthens your market position, and prepares your institution for inevitable threats.
The tools are available. The frameworks are clear. The urgency is real.
Now is the time to hack yourself before someone else does.