In 2024, financial services carried the second-highest data breach cost of any industry — USD 6.08 million per incident, 22% above the global average. The trajectory is structural. PULSE engineers infrastructure in which the principal targets of banking-sector attack are rendered uneconomic to an adversary that has already breached the perimeter.
The 2024 Verizon Data Breach Investigations Report identified System Intrusion as the leading attack pattern in financial and insurance industry breaches, accounting for 29% of incidents. Financial data and credentials remain the most frequently compromised data classes. [01]
The picture is structural. Banks transfer trillions of dollars in economic value across borders every day, in a sector in which a single compromised credential, a single misconfigured cloud bucket, or a single supply-chain dependency can produce losses that exceed the annual cybersecurity budget of a small national government. Adversaries — financially motivated criminal groups, organised ransomware operators, and increasingly nation-state actors — are not deterred by the controls deployed against them. They are advantaged by the regulatory complexity that surrounds the institutions they attack.
The cost trajectory is unambiguous. Average breach cost in the sector has risen from USD 5.72M (2021) to USD 5.97M (2022) to USD 5.90M (2023) to USD 6.08M (2024). Detection times have improved — by nine days in the latest IBM study — but containment costs have outpaced detection gains. The economic vector points one way. [02]
The headline mechanisms are not novel. The headline outcomes are. The same four attack vectors have produced increasing financial impact each year since 2021, despite increased security investment by the institutions concerned.
Stolen or phished credentials served as the initial action in 24% of all breaches in the 2024 DBIR data set, and were the longest-dwell vector at 292 days median time-to-containment. In banking, this vector is amplified by privileged access to wire transfer infrastructure, settlement systems, and customer-record databases.
In the 2024 Coalition Cyber Claims Report, 56% of all claims were either business email compromise (BEC) or funds-transfer fraud (FTF). Median click-to-credential-entry time on a phishing email is under 60 seconds. Banks are the terminal node — the wire instruction that the attacker is impersonating leads to a banking system.
The Cl0p ransomware operation's mass exploitation of CVE-2023-34362 in MOVEit Transfer software impacted hundreds of organisations in finance and professional services — 13.3% of MOVEit victim organisations were in the financial sector. Vendor risk has become indistinguishable from first-party risk.
Ransomware accounted for 23% of all breaches in the 2024 DBIR, affecting 92% of industries. The shift from encryption-only to encryption-plus-exfiltration means the attacker holds two distinct levers — operational disruption and disclosure threat — and either is sufficient to extract payment.
The IBM 2024 study found that 70% of breached organisations reported significant or moderate operational disruption. In banking, that translates concretely. Wire-transfer systems go offline. Customer-facing channels degrade. Anti-money-laundering monitoring queues back up — itself a regulatory exposure. Settlement deadlines are missed. Counterparty trust erodes within hours. [03]
The regulatory consequence is comparable in magnitude to the direct financial loss. In Australia, APRA Prudential Standard CPS 234 requires regulated entities to maintain information-security capability commensurate with the threat landscape and to notify APRA within 72 hours of a material incident. In the United States, the SEC Cybersecurity Disclosure Rule (effective December 2023) requires public registrants to disclose material cybersecurity incidents in an 8-K filing within four business days. In the European Union, the Digital Operational Resilience Act (DORA), which took full effect in January 2025, imposes harmonised ICT risk-management requirements across financial entities and brings third-party ICT providers within direct supervisory scope.
None of these regimes contemplate a defensive posture in which the data the adversary seeks is rendered useless on access. They all contemplate detection, response, notification, and remediation — paradigms that assume the breach has data to lose.
The cost trajectory of banking breaches is not a function of attacker capability. It is a function of architectural commitment to a defensive paradigm in which the bank still holds something to lose.
We do not propose stronger detection. We do not propose better response. We do not propose another control to add to the stack of controls that have collectively failed to bend the cost curve since 2017. We propose a different architecture entirely.
An adversary who breaches the perimeter of an environment built on PULSE substrate encounters infrastructure in which: the data they came for does not exist in any reconstructable form for any party not specifically authorised to access it. Not the bank's operations team. Not the cloud-platform operator. Not us.
The economics of attack reverse. Where breaches today are inexpensive to attempt and lucrative when successful, in our environments the attempt is expensive and the success is self-incriminating. We render the principal targets of banking-sector attack — bulk customer PII, payment instructions in transit, settlement records, credential vaults — unproductive at the level of mathematics, not policy.
The means by which we do this is the trade secret. We disclose it under executed Mutual Non-Disclosure Agreement only.
Specific architectural fit assessment for tier-1, tier-2, and challenger-bank deployment scenarios. Quantified residual-loss model under PULSE substrate (independent of breach probability). Regulator-engagement protocol covering APRA CPS 234, SEC Cybersecurity Disclosure Rule, EU DORA, BCBS 239, and equivalent regimes. Reference architecture for cross-border settlement infrastructure. The detail of how each is achieved.
Available under executed NDA →All statistics on this page are drawn from publicly available reports issued by recognised industry bodies, regulators, and security research organisations. References are listed below for verification.
PULSE Digital Security cites these sources for context only. Citation does not imply endorsement of, or affiliation with, any cited organisation. All trademarks remain the property of their respective owners.