CASE FILE // PC-2026-04
Status: Open


Filing: 03.02.00
Field: 27 APR 2026
Classification: Public

Phishing cost in financial services: 23.5% of all phishing volume lands here

Average breach cost $5.90M, $295 per record (IBM 2025). APWG 2025 places 23.5% of all phishing volume against the sector, the largest single-sector share. The regulatory stack (NYDFS, FFIEC, GLBA, GDPR) layers on top of the direct-loss line.

Exhibit A

Why financial services attracts the largest phishing share


Financial services receives 23.5 percent of all phishing volume according to APWG 2025 measurement, the largest single-sector share of attacker attention. The structural reason is obvious: the sector moves money. Successful phishing against a finance-team mailbox enables business email compromise wire-fraud (see /by-attack/bec); successful phishing against a retail-banking customer enables account takeover and ACH fraud; successful phishing against a wholesale-banking treasury team enables outbound wire transfers measured in tens of millions. The attacker economics favour the sector because the conversion path between successful credential theft and realised dollar loss is shorter than in any other vertical.

The defender economics in finance are unusual because the regulatory layer is heavier than in any other sector except healthcare. NYDFS 23 NYCRR 500 (for New York-licensed entities), FFIEC supervisory guidance (for federally-regulated banks), GLBA Safeguards Rule (for any financial institution), state Department of Financial Services or equivalent rules in most US states, and the EU DORA framework (for EU-regulated entities) all impose overlapping cyber-control requirements that materially raise the cost of both pre-event compliance and post-event remediation. Per-incident breach cost of $5.90M reflects the regulatory layer on top of the direct loss; without the regulatory layer the figure would be materially lower.[IBM 2025 financial-services cohort + APWG 2025 sector-share table]

Exhibit B

NYDFS 23 NYCRR 500: the most-cited single regulation

REFERENCE

The New York Department of Financial Services Cybersecurity Regulation, effective March 2017 and substantially amended in November 2023, is the single most-frequently-cited cyber regulation in US financial services. The applicability scope is broad: any financial institution or insurance entity licensed to do business in New York State is in scope, which includes most major US banks, most major US insurance carriers, and a significant share of non-US financial entities operating in the US through a New York subsidiary.

The 2023 amendments substantially raised the compliance bar in three ways relevant to phishing-cost analysis. First, the notification window for any cyber event with reasonable likelihood of material harm tightened to 72 hours after determination; ransomware-payment notification was added at a separate 24-hour window. Second, MFA enforcement became mandatory for any access to non-public information, with phishing-resistant MFA required for privileged accounts. Third, board-attestation was added: the board must attest annually that the cyber program is adequate. The board-attestation requirement turned cyber from a CISO concern into a director-personal-liability concern in New York-licensed entities, with parallel knock-on effects in other state regulations that subsequently followed the NYDFS template.

The NYDFS enforcement record through 2023-2025 includes multiple seven-figure settlements driven by phishing-initiated breaches. The most-cited cases involve enforcement actions for failure to implement MFA in line with the 2023 amendments; several settled in the $1M to $5M band. The enforcement cadence has been steady and predictable, which has shifted finance-sector CISO incentives substantially toward control deployment rather than risk-acceptance posture.[NYDFS 23 NYCRR 500 + 2023 amendments + enforcement annex 2023-2025]

Exhibit C

Cost-line build-up against the $5.90M figure


Cost line                                 | Share of $5.90M | Dollar figure | Driver
Direct wire / payment-fraud loss          | 28%             | $1.65M        | BEC pivots; see /by-attack/bec
Incident response + forensics             | 16%             | $944K         | Privileged-counsel-led work, retainer rates
Regulatory fines (NYDFS + FFIEC + state)  | 15%             | $885K         | Stacked regulatory layers
Notification + monitoring                 | 13%             | $767K         | $295 per record at scale
Legal + class-action exposure             | 11%             | $649K         | Routine class trigger for retail-customer-data breach
Customer churn                            | 8%              | $472K         | Higher than baseline in retail banking
Security-control rebuild                  | 5%              | $295K         | NYDFS-driven post-event capex
Insurance-premium increase                | 4%              | $236K         | Multi-year annualised drag

The regulatory-fines line is structurally larger in finance than in any sector other than healthcare. The customer-churn line is elevated in retail-banking contexts because deposit-side customer mobility responds rapidly to security disclosures.[IBM 2025 financial-services cohort + NYDFS + FFIEC supervisory record]

Exhibit D

The retail-banking customer-facing phishing surface


Financial-services phishing has two distinct customer surfaces that require separate analysis. The first is the workforce-facing surface (treasury, wire operations, finance, IT-admin) where the phishing attack targets bank employees and the loss is the bank's direct cost. The second is the customer-facing surface, where the phishing attack impersonates the bank to its retail or commercial customers, and the loss is split between customer (direct fraud loss), bank (regulatory reimbursement under Reg E for unauthorised consumer transactions), and brand-trust drag.

The Regulation E reimbursement framework places the cost burden of unauthorised consumer account access on the financial institution rather than the customer, provided the customer reports the unauthorised activity within prescribed timeframes. The effect is to internalise the customer-side phishing loss into the bank's cost basis, which is one driver of why retail-banking phishing-defence investment has been heavier than in other sectors. Major US banks routinely deploy customer-side education campaigns, transaction-anomaly detection on customer accounts, and customer-side phishing-resistant MFA for high-value accounts.

The commercial-banking surface is less Reg-E-protected and carries higher per-event loss exposure for the customer. Commercial customers (small and mid-market businesses, professional service firms, healthcare providers, real-estate offices) are frequent BEC targets where the loss path goes through the customer's banking portal rather than the bank's internal systems. The bank's exposure here is reputational and regulatory rather than direct, but cumulative across many customers it remains material to the sector's annual loss profile.[Federal Reserve Reg E + FFIEC supervisory record 2023-2025]

Exhibit E

Controls: the mandatory list under NYDFS-style enforcement


#1 Phishing-resistant MFA for all privileged access

~95% of credential-pivot value
Cost: $50 per privileged user one-time

Mandatory under the NYDFS 2023 amendments for privileged-access roles. The single most-leveraged control under the modern phishing threat model and the most-cited finding in NYDFS enforcement actions.

#2 MFA on all non-public-information access

~70% of bulk credential-takeover
Cost: Platform-licence + integration

NYDFS 2023 amendments require MFA across the population that accesses non-public information, which in most financial institutions is approximately the entire workforce. The most expensive control to deploy but the broadest in coverage.

#3 Wire-transfer dual-authorisation above threshold

~80% of treasury BEC wire-loss
Cost: $0 tooling, banking-system policy

Hard rule that wires above a defined threshold require dual approval by two separate individuals through the banking portal itself. Cheap and high-leverage in the BEC-specific cost line.

#4 Behavioural email security with finance-specific tuning

~60% of detected BEC attempts
Cost: $42 to $96 per mailbox per year

Behavioural email security catches the residual BEC attempts that DMARC and MFA cannot stop. Finance-specific tuning catches lures referencing wire-instruction changes, vendor-banking-detail changes, and invoice manipulation.

#5 IC3 filing playbook + 72-hour drill

~40% of unrecovered wire loss
Cost: $0 tooling, annual tabletop

The finance team knows to file at IC3 within hours of a suspected wire-fraud event. Prompt filing doubles the wire-recovery rate. The single cheapest dollar-per-recoverable-dollar control in the program.

#6 Customer-side MFA enforcement on commercial-banking portals

~85% of customer-banking portal compromise
Cost: Customer onboarding friction

Phishing-resistant MFA enforced on the commercial-banking portal. Increasingly mandatory under FFIEC 2024 supervisory guidance for accounts above defined transaction thresholds.
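As an added illustration of the finance-specific tuning in control #4 (example code written for this page, not any vendor's product or the case file's own material), the rule set below scores constructed messages on the three lure themes named above plus two assumed generic signals: urgency wording and a Reply-To domain that differs from the sender's.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Mail:  # fields a gateway rule engine is assumed to expose (assumption)
    sender: str
    reply_to: str
    subject: str
    body: str

def either_order(a: str, b: str) -> re.Pattern:
    # Phrase a then b, or b then a, within 40 characters of each other.
    return re.compile(rf"{a}.{{0,40}}{b}|{b}.{{0,40}}{a}", re.I | re.S)

# A change-of-state word near the thing changed; the three keys are the
# finance-specific lure families named in control #4.
CHANGE = r"\b(updated?|new|changed?|revised|corrected)\b"
LURE_PATTERNS = {
    "wire_instruction_change": either_order(CHANGE, r"\bwire (instructions?|details?)\b"),
    "vendor_bank_detail_change": either_order(
        CHANGE, r"\b(bank|banking|remittance|account) (details?|information|number|account)\b"),
    "invoice_manipulation": either_order(CHANGE, r"\binvoice\b"),
}
URGENCY = re.compile(r"\b(urgent|today|immediately|before (close|eod))\b", re.I)

def score_mail(m: Mail) -> Tuple[int, List[str]]:
    # Weighted indicator score plus the list of reasons that fired.
    score, reasons = 0, []
    text = f"{m.subject}\n{m.body}"
    for name, pat in LURE_PATTERNS.items():
        if pat.search(text):
            score, reasons = score + 2, reasons + [name]
    if URGENCY.search(text):
        score, reasons = score + 1, reasons + ["urgency"]
    # Reply-To on a different domain than From diverts the thread to the
    # attacker's mailbox; a lookalike domain is typical (assumed indicator).
    domain = lambda addr: addr.rsplit("@", 1)[-1].lower()
    if m.reply_to and domain(m.reply_to) != domain(m.sender):
        score, reasons = score + 2, reasons + ["reply_to_domain_mismatch"]
    return score, reasons

def is_bec_lure(m: Mail, threshold: int = 3) -> bool:
    # A single lure phrase (score 2) needs a second signal before it is flagged.
    return score_mail(m)[0] >= threshold

# Constructed samples (not real mail): a vendor-impersonation lure, a routine
# invoice, and a legitimate revision that stays below the flag threshold.
LURE = Mail("ap@vendor-supplies.com", "ap@vendor-supplies.co", "Updated wire instructions for invoice 4471",
            "Please use our new bank account for this payment. It must go out today.")
ROUTINE = Mail("billing@vendor-supplies.com", "", "Invoice 4471 attached", "Net 30 as usual.")
REVISED = Mail("billing@vendor-supplies.com", "", "Revised invoice 4471", "Corrected total attached.")
```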

Exhibit F

The DORA layer for EU operations


For US financial entities with EU operations, the Digital Operational Resilience Act (DORA) became applicable in January 2025. DORA imposes ICT risk-management requirements, incident reporting (with major-incident notification windows), digital-operational-resilience testing, and third-party ICT-service-provider oversight. The effect on phishing-cost analysis is to add an EU regulatory layer on top of the existing US stack. For entities subject to both NYDFS and DORA, the regulatory-fines line of the breach cost can stack to material levels even before the direct-loss line is considered.

DORA includes a notable provision on critical third-party ICT service providers (CTPPs), which subjects designated CTPPs (cloud providers, SaaS vendors of critical-tier services) to direct regulatory oversight. A phishing event at a CTPP that affects an EU financial-sector customer can now trigger DORA reporting against the CTPP itself, not just against the financial-sector customer. The implications for vendor-management and third-party-risk programs are material and still evolving as of mid-2026.[Regulation (EU) 2022/2554 (DORA) + ESMA + EBA technical standards 2024-2025]

Exhibit G

Frequently filed questions

ON RECORD

What is the average phishing-related breach cost in financial services?

$5.90M per IBM 2025. Per-record cost $295. Second to healthcare on per-event cost; first on attacker volume share at 23.5% of all phishing.

What are the main regulatory drivers?

NYDFS 23 NYCRR 500 (for NY-licensed entities), FFIEC supervisory guidance (for federally-regulated banks), GLBA Safeguards Rule, state DFS rules, and DORA (for EU operations).

What did the 2023 NYDFS amendments add?

72-hour notification window, 24-hour ransomware-payment notification, MFA enforcement (phishing-resistant for privileged access), and board-attestation of cyber-program adequacy.

What is the wire-recovery posture?

~30% gross across all events. 71% if filed at IC3 within 72 hours via the FBI FFKC and routed to a US domestic bank. Single-digit % for international destinations.

Are bank customers protected from phishing loss?

Retail consumers, largely yes, under Regulation E reimbursement provided the customer reports promptly. Commercial customers carry more of the loss directly because Reg E protections do not apply to most commercial accounts.

Does DORA affect US financial entities?

If the entity has EU operations, yes. DORA applies extraterritorially to US entities providing services into the EU. Critical third-party ICT service providers (cloud providers) are also subject to direct DORA oversight.

What is the single most-cited NYDFS finding?

MFA enforcement gaps. Failure to deploy MFA in line with the 2023 amendments is the most-cited issue in enforcement actions through 2023-2025, with settlement bands typically $1M to $5M.

Updated 2026-04-27