
Ian Stuart, CEO of HSBC, recently stated that cyber threats keep him awake at night, emphasizing the “enormous” investments banks are making to secure their IT systems. His remarks reflect broader industry concerns, as financial institutions face increasingly sophisticated attacks targeting both core banking infrastructure and adjacent digital ecosystems like ad-tech platforms.
Banking Sector Cybersecurity Challenges
Financial institutions remain prime targets for cybercriminals, with 50% of banks now deploying six or more layered defenses including AI monitoring and zero-trust frameworks. The Verizon 2023 Data Breach Investigations Report notes that 24% of ransomware attacks specifically target financial data, while AI-powered phishing campaigns increasingly mimic executives via platforms like LinkedIn Ads. HSBC itself faced a fraud attempt using deepfake technology impersonating senior leadership.
Third-party risks compound these challenges. The 2025 Rubicon Project/Magnite Inc. merger exposed vulnerabilities in programmatic ad supply chains, while cookie hijacking attacks leverage social media trackers to steal banking credentials. Malvertising campaigns through platforms like DoubleClick have delivered payloads via seemingly legitimate ad networks.
Emerging Attack Vectors in Financial Services
The cyberattack lifecycle now frequently incorporates digital advertising infrastructure:
Stage | Ad-Tech Exploitation |
---|---|
Reconnaissance | Attacker scans LinkedIn Ads for employee roles |
Weaponization | Malware embedded in Taboola native ads |
Delivery | Phishing emails with DoubleClick tracking pixels |
Exploitation | Stolen cookies bypass multi-factor authentication |
Cookie-based attacks present particular challenges. Functional cookies from platforms like HubSpot have been hijacked to bypass security controls, while social media cookies enable cross-site tracking that exposes session tokens. The GDPR EU 2024 guidelines now recommend disabling third-party cookies as a baseline security measure.
Mitigation Strategies for Financial Institutions
HSBC and other banks are implementing several key defenses:
- Vendor audits: Rigorous scrutiny of ad-tech partners including Amazon Associates and AppNexus/Xandr
- Zero Trust architecture: Applied to ad networks like Microsoft Bing Ads to prevent lateral movement
- AI monitoring: Google APIs deployed to detect anomalies in ad traffic patterns
- Cookie controls: Strict policies for social media and tracking cookies
The Wipfli 2023 Banking Industry Cybersecurity Trends report highlights that leading institutions now treat ad-tech vendors with the same scrutiny as core banking software providers. This includes mandatory security questionnaires, continuous monitoring, and contractual obligations for breach notification.
Technical Recommendations
For security teams protecting financial systems, several technical controls prove particularly effective:
```
// Example HTTP header for cookie security
Set-Cookie: sessionID=abc123; Secure; HttpOnly; SameSite=Strict; Path=/banking
```
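One way to check that session cookies actually carry the attributes in the header above, as an added example that is not part of the original article. The helper names `parse_set_cookie` and `audit_cookie` are hypothetical, and the sample headers other than the article's own are constructed.

```python
# Added example (not from the original article): audit Set-Cookie values for
# the attributes used in the article's header. Helper names are hypothetical.

def parse_set_cookie(header):
    """Return (cookie_name, {lowercased attribute: value}) for one header."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts:
        return "", {}
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_cookie(header):
    """List the weaknesses in one Set-Cookie header; empty list means none found."""
    name, attrs = parse_set_cookie(header)
    findings = []
    for flag in ("secure", "httponly"):
        if flag not in attrs:
            findings.append(f"{name}: missing {flag}")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("strict", "lax", "none"):
        findings.append(f"{name}: SameSite absent or invalid")
    elif samesite == "none" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None without Secure")
    elif samesite != "strict":
        findings.append(f"{name}: SameSite={samesite} is weaker than Strict")
    if "domain" in attrs:
        # A Domain attribute makes the cookie available to subdomains as well.
        findings.append(f"{name}: Domain attribute also exposes the cookie to subdomains")
    return findings

# Sample headers: the first is the header from the article, the rest are constructed.
SAMPLES = [
    "Set-Cookie: sessionID=abc123; Secure; HttpOnly; SameSite=Strict; Path=/banking",
    "Set-Cookie: sessionID=abc123; Path=/",
    "Set-Cookie: track=xyz; SameSite=None; Domain=example.com",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_cookie(sample) or "ok")
```

Run against the `Set-Cookie` values captured from a login response, an empty result for the session cookie means it matches the hardened form shown above.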
Network defenders should monitor for suspicious traffic patterns from ad-tech CDNs, particularly unpkg and Brightcove, which have been exploited for backdoor installations. DNS over HTTPS monitoring can detect command-and-control communications masked as legitimate ad traffic.
Conclusion
The HSBC CEO’s concerns mirror broader industry challenges as cyber threats evolve to exploit both financial systems and their digital advertising dependencies. Financial institutions must extend security controls beyond traditional perimeters to encompass ad-tech supply chains and cookie-based attack surfaces. Continuous monitoring, vendor risk management, and Zero Trust principles provide the most effective defense against these evolving threats.
References
- “HSBC CEO on AI Deepfake Scams,” Yahoo Finance, 2025. [Online]. Available: https://finance.yahoo.com
- “Data Breach Investigations Report,” Verizon, 2023. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/
- “Cost of a Data Breach Report,” IBM, 2023. [Online]. Available: https://www.ibm.com/reports/data-breach
- “AI in Cyberattacks,” Blue Ridge Tech, 2025. [Online]. Available: https://blueridgetech.com/research
- “Banking Industry Cybersecurity Trends,” Wipfli, 2023. [Online]. Available: https://wipfli.com/insights
- “Supply Chain Breaches in Ad-Tech,” BBC, 2025. [Online]. Available: https://www.bbc.com/technology
- “Cyberattack Lifecycle,” DNV. [Online]. Available: https://www.dnv.com/cybersecurity
- “Malvertising Threats,” Cisco, 2023. [Online]. Available: https://www.cisco.com/security
- “Cookie Compliance Guidelines,” GDPR EU, 2024. [Online]. Available: https://gdpr.eu/cookies/