Cybersecurity and geopolitical risks in financial markets

The profile of cyber-attackers has also diversified. While profit-driven cybercrime syndicates remain prominent, the geopolitical dimension has intensified. State‑linked actors target financial infrastructures not just for monetary gain, but also for strategic, geopolitical, or ideological reasons. These state‑linked cyber operation attackers may aim to undermine trust in a rival’s financial system, disrupt cross-border payment networks, or influence political negotiations (IMF, 2024[11]). The emergence of “hacktivist” collectives and ideological groups that seek to highlight socio-political grievances has added another layer of complexity, with attacks often timed to coincide with diplomatic tensions, sanctions announcements or high-level summits (NATO, 2024[24]).

Attackers are deploying increasingly complex and innovative techniques to target trading venues, clearinghouses, custodian banks, insurance providers, and other market participants. Cloud-based infrastructures, while offering scalability and cost-effectiveness, can become single points of failure if not properly secured (OECD, 2019[25]). Ransomware operators increasingly offer customisable exploits, while “Ransomware-as-a-Service (RaaS)” business models provide streamlined access to hacking tools for lower-skilled criminals. DDoS attacks, once relying on brute‑force attempts to overwhelm servers, now frequently use compromised IoT devices and leverage AI to target system vulnerabilities more accurately. Steganography, which conceals malware within seemingly benign data streams or transaction records, further complicates detection by blending malicious code with legitimate operations.

Simultaneously, cryptojacking (unauthorised cryptocurrency mining) and data manipulation attacks are on the rise. These subtler interventions can skew market data, slow settlement times, or alter pricing feeds from social media, thereby distorting risk assessments and eroding market integrity (ECB, 2022[26]). Repeated cases of “crypto hijacking” in which attackers steal or take over actual cryptocurrency assets or wallets, also underline the central role of cyber intrusions in many large thefts from the crypto‑asset ecosystem. In such cases, stolen assets are typically moved through various obfuscation techniques and across jurisdictions before re‑entering the financial system.

Anti-money laundering and countering the financing of terrorism (AML/CFT) systems are essential, but they come into play only once stolen crypto assets start being laundered. To limit the scale of losses and reduce the broader impact on financial markets, institutions must also strengthen ex‑ante protections, including robust cyber‑risk management, access controls, monitoring, and governance, to reduce opportunities for criminals to steal assets in the first place. Therefore, co‑ordinating cybersecurity standards, regulatory responses, and incident reporting frameworks across jurisdictions is now viewed as a critical pillar of global financial stability, since local breaches can assume systemic proportions as digital finance infrastructures become more seamlessly integrated worldwide (OECD, 2022[1]; 2019[27]; 2022[28]). Finally, detailed case studies and emerging areas of can be found in Annex A.

The geopolitical landscape is increasingly intertwined with digital finance and cybersecurity. Organisation-driven intelligence actors and organised cybercriminal syndicates are regularly implicated in attacks that appear designed not merely to steal resources but to achieve broader strategic objectives (Crosignani, Macchiavelli and Silva, 2023[10]). Russia’s aggression against Ukraine in 2022 exemplifies how geopolitical tensions can catalyse a surge in region-specific financial cyber-attacks aimed at disrupting liquidity flows, undermining investor sentiment, and exerting indirect pressure on political adversaries (IMF, 2024[11]) Other geopolitical flashpoints, such as trade disputes, territorial disagreements, and regional tensions create conditions conducive to cyber aggression directed at financial intermediaries.

Notably, organised cybercriminal groups and, in some cases, state‑linked actors may align cyber incidents with geopolitical events (e.g. sanctions, critical negotiations or international summits) (CERT-EU, 2026[33]; OECD, 2022[1]). Attacks on cross-border payment networks, clearance systems, and trade finance platforms can hamper the free flow of capital and goods, thereby negatively impacting foreign policy goals. In this sense, financial cybersecurity is no longer merely a technical or compliance issue; it has become a domain of international security and diplomatic strategy (IMF, 2024[11]; BIS, 2023[34]).

Figure 3.2 indicates that the number of cyber incidents has increased in the regions exposed to these geopolitical risks. One prominent example is the ransomware NotPetya attacks1 against Ukrainian banks, firms, and the government in mid-2017. This attack resulted in large‑scale disruption of IT systems, including compromised access to information and disrupted supply chains. Notably, attackers did not keep track of the decryption codes, suggesting that financial gain was not a primary goal (Crosignani, Macchiavelli and Silva, 2023[10]).

Geopolitical tensions increasingly shape both the motives and the capabilities for disruptive cyber operations. In periods of heightened geopolitical risk, financially motivated crime can overlap with strategically motivated campaigns that seek to disrupt payment flows, undermine confidence, or impose costs on rivals, making financial institutions and financial market infrastructures attractive targets. Importantly, the impact is rarely contained to a single victim: modern financial institutions and markets are closely interconnected through digital media, enabling cyber incidents to propagate through third‑party providers and supply chain relationships. These features can amplify operational disruptions into broader liquidity strains and potentially systemic impacts, including disruptions to critical financial functions, erosion of market confidence, and contagion across interconnected institutions and markets. Figure 3.3 therefore provides a descriptive illustration of whether cyber incident activity tends to co-move with geopolitical risk over time (Crosignani, Macchiavelli and Silva, 2023[10]).

Figure 3.3 presents how the relationship between geopolitical risk and cyber incident activity evolves over time. To capture this dynamic behaviour, the figure presents rolling correlations over moving windows (e.g. 8, 12, or 16 quarters). Each point on the chart reflects how the two variables have co-moved during the preceding window.

This approach makes it possible to observe whether the association between geopolitical tensions and cyber incidents strengthens or weakens as global conditions shift. Although correlation does not imply causality, the rolling estimates reveal that in several periods, especially during episodes of heightened geopolitical uncertainty, the two series tend to move together more closely. This persistent positive co-movement suggests that rising geopolitical risk is often accompanied by elevated cyber activity, including disruptions affecting supply chains and critical infrastructure.

By allowing the correlation to vary through time rather than imposing a single average measure, the rolling-window method highlights that the link between geopolitics and cyber threats is not constant but becomes more pronounced during specific periods of inter-state tension.

Geopolitical tensions could amplify these risks. Targeted cyber operations can be used to circumvent sanctions, disrupt cross-border capital flows or send political signals. Financial institutions, particularly those involved in cross-border payment and settlement, become attractive targets in this context. Episodes around recent conflicts illustrate how cyber activity can increase in periods of heightened geopolitical stress, targeting not only financial institutions but also critical infrastructures that support trade and capital flows.

Recent work on state‑linked cyber activity targeting crypto‑asset markets further highlights the economic-security dimension of cyber risk (Chainalysis, 2026[36]). In this context, “economic security” refers to the risk that cyber incidents facilitate illicit cross-border flows, support sanctions evasion or proliferation finance, and undermine confidence in payment, settlement, and digital-asset market infrastructure. It demonstrates its increased scale and sophistication, and illustrates how cyber operations, financial crime and geopolitical considerations are becoming increasingly interlinked. These developments highlight the growing interlinkages between cyber risk, financial crime and geopolitical dynamics, and underscore the importance of understanding how such risks can propagate through interconnected financial systems, including by testing the resilience and adaptability of AML/CFT frameworks.

Building on the link between geopolitical tensions and increased cyber activity discussed above, the growing incidence of disruptions affecting critical ICT and service dependencies suggests that cyber risk is also taking a more networked form. For financial stability purposes, the relevant supply chain is not the broad logistics or manufacturing chain, but the set of critical third-party services on which financial firms and market infrastructures rely, such as cloud providers, managed service providers, software vendors, data centres, messaging services, and other outsourced technology functions. When many institutions depend on the same provider or service for critical operations, a disruption has the potential to create simultaneous operational stress, delay recovery, and amplify spillovers across markets. However, the potential for this type of cascading disruption depends on how the service provider designs and distributes these services, and how financial institutions use these services and develop their own operational resilience. Figure 3.4 shows that the level of exposure of financial institutions’ third-party service providers to cyber-threats has risen steadily over time, particularly in recent years, while episodes of high geopolitical risk appear intermittently. This suggests that the exposure level is driven by both increasing global interconnectedness and recurring geopolitical tensions.

Cybersecurity safeguards are integral to broader economic security agendas, particularly as economies digitise and become increasingly reliant on interconnected systems (Barbara and Grewe, 2024[37]). In financial markets, this increasingly translates into heightened attention to cross-border dependencies and third-party concentration risks, where disruptions at a shared provider can spill over rapidly across markets and sectors (FSB, 2024[2]).

The connection between cybersecurity and economic security is illustrated by the fact that an attack can disrupt not only the operations of directly hit firms but also severely affect downstream customers through global supply chains (OECD, 2022[1]). Evidence from the 2017 NotPetya cyberattack shows that estimated losses of indirectly affected firms were several times larger than those borne by directly targeted firms, highlighting how vulnerabilities in digital infrastructure can propagate widely and jeopardise the broader economy (Crosignani, Macchiavelli and Silva, 2023[10]).The July 2024 global IT outage caused by a software update highlighted that even non-malicious disruptions at concentrated technology providers can generate widespread operational outages, testing operational resilience and affecting market confidence (FCA, 2024[15]).

Firms’ responses, such as shifting to suppliers and providers with stronger security postures, underscore that robust digital security is increasingly a competitive and strategic advantage, particularly under geopolitical uncertainty (Crosignani, Macchiavelli and Silva, 2023[10]). These findings suggest that cyber shocks can propagate through production and supply‑chain networks, generating indirect exposures that extend well beyond initially affected firms and may give rise to broader financial spillovers.

Effective digital security frameworks bolster investor confidence, supporting stable capital flows and resilient financial systems. In the context of heightened geopolitical uncertainty, countries with strong cyber safeguards are perceived as safer investment destinations, contributing to sustained FDI inflows, favourable credit ratings, and long-term economic stability. This link is especially salient for economies transitioning to advanced internet societies, where vulnerabilities in digital infrastructure can directly threaten national economic performance and strategic interests (Huang, Jiang and Zhang, 2021[38]).

Cyber resilience matters not only within the financial sector, but also in the non-financial corporate sector, where cyber incidents can weaken firm’s balance sheets and transmit risk to the financial system through credit channels (IMF, 2024[11]). Clear distinctions of the transmission mechanism are essential for effective policy design. The relationship is also increasingly shaped by policy and regulatory expectations that seek to strengthen cyber resilience, helping market participants price risk and respond to disruptions in a more orderly way.