Why Regulators Are Sounding the Alarm
In August 2025, Australia’s prudential regulator, APRA, warned the banking sector that rising geopolitical tensions are increasing both the likelihood and severity of cyberattacks. To meet this growing risk, APRA has established a dedicated geopolitical risk unit and has made it clear that banks will be expected to collaborate more closely with regulators on incident response, resilience testing, and intelligence sharing. Artificial intelligence was also singled out as a challenge, both in terms of how it might strengthen defences and how it could be misused by attackers.
This warning from Australia is part of a wider global pattern. The UK’s National Cyber Security Centre has repeatedly emphasised that state-linked actors are conducting long-term campaigns against energy grids, transport systems, and financial services. In the United States, CISA has urged energy and transport operators to prepare for politically motivated attacks, pointing specifically to the role of Iranian-aligned actors. In Europe, regulators have gone further still: under the EU’s new Digital Operational Resilience Act (DORA), banks must stress-test their systems against geopolitical disruption as a core regulatory requirement.
For risk managers, the message is simple: geopolitical tension accelerates cyber risk. When sanctions are introduced, elections are contested, or conflicts flare, organisations should expect the digital fallout to follow quickly.
How Politics Turns Into Cyber Risk
Political disputes today rarely remain confined to borders. Cyber operations have become a convenient extension of power for states and their proxies: cheaper than military campaigns, faster than economic sanctions, and often easier to deny publicly. The attraction is obvious. A country can send a message, test a rival’s resilience, or destabilise an opponent without firing a single shot.
The global interconnection of digital systems magnifies this risk. Banks, logistics operators, government agencies, and corporations all rely on the same cloud providers, software vendors, and payment networks. That interconnectedness means a single point of compromise can ripple across dozens of countries. Disruption in one region can create consequences far from the original conflict.
And at the heart of it all lies trust. Financial systems, energy grids, and communications networks do not just provide services; they underpin confidence in political and economic stability. When adversaries disrupt them, they generate political capital as much as technical damage.
No company can predict every risk. But leaders can create a culture where supplier due diligence is more than paperwork. At its core, it comes down to three principles:
Ukraine: Lessons from a Digital Battlefield
The war in Ukraine made these dynamics painfully clear. Ukrainian banks and ministries were targeted with waves of denial-of-service attacks that disrupted online banking at the same time as physical strikes were taking place. Malware such as WhisperGate was deployed to wipe systems and spread chaos inside government and corporate networks.
Perhaps the most famous example, however, was NotPetya. Originally seeded through a compromised Ukrainian accounting platform, it spread uncontrollably across the globe in 2022. Companies like Maersk, Merck, and FedEx were crippled, with losses estimated at $10 billion. These organisations were not involved in the conflict, yet they became collateral damage simply because they were digitally connected to systems in Ukraine.
This case illustrates a crucial point for global businesses: you do not need to be directly involved in a geopolitical dispute to feel its impact. If your vendors, suppliers, or technology providers are entangled, you can be drawn in through your digital supply chain. The practical lesson is to map these dependencies carefully and stress-test how long you could operate if one of those partners went offline.
Why Banks Are in the Crosshairs
Banks occupy a unique position. They are not only commercial entities but also symbols of national resilience and trust. This makes them high-value targets for states seeking leverage.
Disrupting a payment system or interbank settlement chain can destabilise markets almost instantly. Even a short outage can erode confidence, slow cross-border trade, and ripple across entire economies. The visibility of banks compounds the risk: a breach at a large financial institution makes immediate headlines, creating reputational shock that outstrips the technical damage.
Real-world examples underline the point. The 2016 Bangladesh Bank heist revealed how state-backed actors, linked to North Korea, were able to exploit gaps in the SWIFT payment network in an attempt to steal nearly $1 billion. Russian ransomware groups have mixed financial crime with politically convenient disruption, striking banks in ways that serve both profit and national interest. The SolarWinds breach in 2020 demonstrated how a single compromised software update could provide attackers with access to banks and US federal agencies simultaneously.
The lesson for leaders is that defending your IT perimeter alone is insufficient. Banks must recognise that they are attractive because of their political and symbolic weight. That means monitoring geopolitical triggers such as sanctions, elections, or regional conflicts that could make them targets, and feeding those triggers into cyber risk frameworks.
AI: Tool and Threat in Cyber Conflict
Artificial intelligence has already changed the cyber landscape. For defenders, AI has accelerated detection and response, helping security teams sift through huge volumes of data. For attackers, it has lowered the barrier to entry and made deception easier to scale.
We have already seen examples in practice. AI is being used to craft convincing phishing emails that replicate a company’s style and tone. In 2023, criminals in Hong Kong cloned the voice of a CFO and convinced staff to authorise a $25 million transfer. AI-driven reconnaissance tools now allow attackers to scan networks for vulnerabilities in a fraction of the time it once took. And synthetic media has been deployed by state actors to push false narratives during elections and conflicts.
Leaders should treat AI like any other powerful tool: with governance, oversight, and clear boundaries. Two basic questions need to be asked whenever AI is deployed internally: what data is it learning from, and what safeguards prevent misuse? Without these controls, AI risks amplifying vulnerabilities faster than it strengthens defences.
When Risks Collide: Hybrid Threats
Cyber incidents increasingly spill over into other domains, creating what are often called hybrid threats. These are crises where technical disruption quickly becomes financial, reputational, and political.
The 2021 Colonial Pipeline attack is one example. A ransomware campaign by a criminal group caused fuel shortages across the US East Coast. Panic buying ensued, the government declared an emergency, and the geopolitical significance of the attack outweighed the criminal motive. Analysts have also pointed to Taiwan’s semiconductor sector as a likely flashpoint: a cyberattack on chipmakers would cascade through supply chains for cars, electronics, and defence. In the Middle East, flare-ups have repeatedly combined physical attacks on shipping with cyber disruptions to ports and tracking systems.
The key point is that no cyber incident stays “just IT” anymore. Organisations must rehearse crisis responses that bring in operations, compliance, communications, and senior leadership. The longer decisions are delayed or fragmented, the more severe the impact becomes.
Practical Steps for Leaders
Resilience in this new environment is not about technical quick fixes but about building organisational muscle memory. Leaders should consider four priorities:
- Run geopolitical scenarios. Tabletop exercises should not be confined to ransomware or outages. They should simulate live flashpoints such as sanctions, regional conflicts, or election interference, and test not only technical resilience but also communications and compliance.
- Strengthen supplier oversight. Attackers often exploit the weakest link. Relying on supplier questionnaires is no longer enough. Organisations should demand evidence of monitoring, incident response, and rapid access shutdown capability.
- Treat regulation as the floor, not the ceiling. Frameworks like DORA or APRA’s standards set minimum expectations. True resilience requires independent testing, scenario rehearsals, and leadership involvement.
- Work as one team. Crisis response cannot be divided between IT, compliance, and risk. All must share a single threat picture and rehearse together.
What This Means for Leaders
The link between political tension and cyber activity is no longer hypothetical. It is playing out across financial systems, infrastructure, and supply chains. State-backed groups are expanding their reach, and private organisations will continue to be caught in the middle.
The practical message is that cyber resilience must now include geopolitical awareness. Leaders need to track political events as indicators of digital risk, prepare for ripple effects from conflicts they are not directly involved in, and rehearse cross-functional responses before a crisis arrives.
Geopolitics once sat in the background of risk registers. Today, it shows up in payment queues, vendor portals, and boardroom discussions. The APRA warning is another reminder that defending networks in isolation is no longer enough. Resilience is not achieved through compliance alone. It is built through intelligence, practice, and the recognition that political shocks now flow directly into digital and financial systems.