Why finance talent needs new skills for AI cyber threats
- AI has collapsed the window between a vulnerability being discovered and exploited - leaving banks exposed to cyber attacks
- 60% of breaches still involve human error, yet AI literacy remains absent from most financial institutions' leadership capability frameworks
- The five human skills banks need to train now: threat judgment, AI literacy, incident leadership, shadow AI risk management, and cross-functional coordination
In April 2026, the European Central Bank (ECB) summoned an emergency meeting. The concern? An AI model so powerful that it exposed critical cyber security weaknesses - before the teams responsible for fixing them even knew the weaknesses existed.
The model, Anthropic's Mythos, was made available first to JPMorgan Chase, Microsoft, Google, and CrowdStrike - giving them a head start to find and fix vulnerabilities before bad actors could exploit them. No European bank made the cut, leaving them exposed at precisely the moment the threat landscape shifted.
Having scaled high-volume and new payment tech across international markets at Mollie, I know that with growth comes responsibility - particularly when it comes to protecting your customer data in a trust-based financial industry.
AI can now reverse-engineer software fixes within minutes of their release, collapsing the window between a vulnerability being patched and exploited by cybercriminals. Today, even unskilled criminals can target banks more easily and cheaply than before.
While regulatory frameworks like DORA have introduced mandatory guidelines, what combination of technology, regulation, and human capability do financial institutions need to protect themselves against sophisticated AI-driven attacks?
60% of breaches are human error
What I see is that teams within financial institutions need new capabilities to combat AI cyber threats.
In the past year, 87% of global organisations experienced an AI-powered cyberattack as the entry barrier for sophisticated attacks keeps falling. But 60% of breaches still involve human error: misconfiguration, poor judgment calls, shadow AI deployments, data inappropriately shared with tools.
In 2025, the ECB uncovered that about half of surveyed banks had not introduced dedicated AI oversight policies or committees.
The people responsible for managing cyber risk - risk officers, CISOs, compliance leads, and the managers who sit between strategy and execution - are operating in organisations where AI literacy is still not a core leadership capability. That gap between technical understanding and decision-making authority is precisely where I see cyber risk widening.
The human skills banks need for cyber security
The instinct after Mythos has been to focus on tools: better detection software, faster patching infrastructure and AI-assisted threat monitoring. Those are necessary. But the human capability question is being underinvested, and it is more specific than "AI awareness training."
As a former FinTech leader and now a commercial lead in an AI-savvy workplace, there are certain skills I see growing in importance.
The ECB's own supervisory findings, DORA's incident response requirements, and SoSafe's 2025 Cybercrime Trends data reveal that a weak point in a bank's defence infrastructure is the people operating within it and the specific capabilities they lack.
Threat judgment: the ability to distinguish between a true exploit risk and noise, to prioritise response under pressure, and to make defensible decisions without full information. This demands critical thinking and decision-making capability that most banks are not training at scale.
AI literacy with an ethics layer: understanding what AI systems can and cannot do, where human oversight is non-negotiable, and how to identify when a tool is being used in ways that create regulatory or reputational exposure. The EU AI Act classifies several banking AI applications as high-risk; the people operating within those systems need more than a click-through compliance module.
Incident leadership: how to communicate clearly and credibly during an active incident, manage a team under time pressure, and maintain stakeholder confidence when information is incomplete. These are leadership and communication skills, not technical ones, and they matter most precisely when the systems are failing.
Shadow AI risk management: the ability to recognise and challenge unauthorised AI use within teams, understand data governance boundaries, and build cultures where people raise concerns rather than quietly work around controls. This requires psychological safety and managerial capability.
Cross-functional coordination: security incidents move into legal, communications, operations, and compliance simultaneously. The people who bridge those functions and translate between technical and non-technical stakeholders at speed are among the most valuable assets in a bank's defence posture, and among the most undertrained.
What modern AI cyber security demands
DORA requires banks to implement consistent ICT third-party risk management and incident response frameworks. What it cannot mandate is the quality of human judgment inside those frameworks.
A risk register is only as good as the person completing it. An incident response plan depends on the team executing it under pressure. A shadow AI policy is as effective as the managers who know how to apply it without killing the innovation it's trying to govern.
The current mismatch in the finance industry is where the budget goes. Tool investment without human capability building produces better-equipped teams who still make the same judgment errors.
Anthropic has given the financial sector a serious warning. The technical response is already mobilising. The question is whether the human infrastructure - the judgment, the literacy, the leadership capability - will be ready for a more powerful wave of AI tech.
What I firmly believe is that the systems will hold or fail based on the quality of human capability inside them.



Frequently Asked Questions
What is Anthropic's Mythos and why does it matter for banks?
Anthropic's Mythos is an AI model capable of identifying critical software vulnerabilities — known as zero-day flaws — across major operating systems and web browsers before defenders are even aware they exist. No European bank was among the first organisations granted access, leaving them exposed at a moment when the cybersecurity threat landscape shifted significantly. For banks, this signals that AI has fundamentally changed the speed and sophistication of cyberattacks.
Why are human skills important for cybersecurity in financial institutions?
Despite rapid advances in detection software and security tooling, 60% of breaches still involve human error - including misconfiguration, poor judgment calls, and unauthorised AI tool use. Technology alone cannot close this gap. The people responsible for managing cyber risk need specific capabilities: the judgment to make decisions under pressure, the literacy to understand AI systems, and the leadership to coordinate an effective response when an incident occurs.
What does DORA require from banks on cybersecurity?
DORA - the EU's Digital Operational Resilience Act - requires financial institutions to implement consistent ICT risk management and incident response frameworks across their operations and third-party suppliers. However, compliance frameworks define what banks must do, not whether the people inside them have the judgment and capability to do it effectively under pressure.
What is shadow AI and why is it a risk for banks?
Shadow AI refers to the unauthorised use of AI tools by employees outside of approved governance frameworks. It creates significant risk in financial institutions because sensitive data can be inadvertently shared with external platforms, creating regulatory exposure, data leakage, and compliance failures. Managing this risk requires managerial capability and a culture where employees feel safe raising concerns - not just IT policy.
What are the most important human skills banks should train for cybersecurity?
Based on ECB supervisory findings, DORA requirements, and SoSafe's 2025 Cybercrime Trends data, the five most critical human capabilities are: threat judgment, AI literacy with an ethics layer, incident leadership, shadow AI risk management, and cross-functional coordination. These are leadership and decision-making skills as much as technical ones.
How is AI changing the cybersecurity threat landscape for financial institutions?
AI has dramatically lowered the barrier for cyberattacks. It can now reverse-engineer software patches within minutes of their release, collapsing the window between a vulnerability being fixed and being exploited. This means even unskilled criminal actors can mount sophisticated attacks against banks more cheaply and easily than before. 87% of global organisations experienced an AI-powered cyberattack in the past year, according to SoSafe's 2025 Cybercrime Trends report.
