Financial Services
$26T market
Industry Snapshot
Financial services is a $26 trillion global industry with 2026 tech spending projected to exceed $590 billion (IDC). Cloudflare secures over 2,000 financial institutions, including the four largest global banks. DORA (EU Digital Operational Resilience Act) is now effective, SEC cybersecurity disclosure rules mandate 4-day incident reporting, and hyper-volumetric DDoS attacks surged 700% in late 2025.
Theme 1: Resilience
What's happening: The top 20 global banks are building dual-vendor resilience architectures to eliminate single points of failure. JPMorgan spends $17B+ annually on technology with cybersecurity as a top priority. BNY Mellon oversees $59.3T in assets under custody — a single outage cascades to global capital markets. Cloudflare mitigated a record 31.4 Tbps DDoS attack. DORA mandates ICT risk management, incident reporting, and third-party concentration risk assessment for all EU financial entities.
Key insight: Resilience is no longer a best practice — it's a regulatory mandate. DORA, SEC rules, and industry practice all demand that banks can't depend on a single security vendor.
Cloudflare mapping: Single-pass architecture unifies DNS, L3 (Magic Transit), and L7 (WAF, Bot Management, DDoS) on one control plane for both consolidation and dual-vendor architectures. Terraform-native automation eliminates configuration drift. Data Localization Suite addresses DORA and GDPR data residency.
Theme 2: Security Modernization
What's happening: Shadow AI is surging — BCG reports a 3x increase in unauthorized AI tool usage year-over-year in financial services. The average mid-sized institution has 85+ direct SaaS vendors, 340+ at fourth party, and 1,000+ at fifth party. The Salesloft/Salesforce OAuth breach (August 2025) showed how compromised tokens cascade across SaaS ecosystems. Morgan Stanley protects 80,000+ employees with recursive DNS filtering and Zero Trust access.
Key insight: The attack surface has shifted from the network perimeter to the SaaS supply chain and ungoverned AI tools. The average bank's fifth-party exposure is invisible without specialized tooling.
Cloudflare mapping: AI Gateway and DLP govern AI usage with audit logging. CASB provides SaaS visibility across third-party integrations. SaaS Proxy governs SaaS-to-SaaS data flows with instant key revocation. Cloudforce One delivers threat intelligence from 1T+ daily requests with 70% unique IOCs.
Theme 3: Artificial Intelligence
What's happening: Financial institutions earn $3.50 for every $1 invested in AI, with top performers seeing $8 per $1 (McKinsey). 65% have moved at least one AI use case from pilot to production (BCG). Agentic commerce protocols (ACP, UCP, VIC, MPP, MAP) are emerging for machine-to-machine transactions. Visa and Mastercard are developing verified agent identity for agentic commerce. Coding agents are driving 160% more merge requests year-over-year at companies adopting them.
Key insight: The biggest hurdle in agentic AI isn't the LLMs; it's the data context. Claims data sits in Guidewire, policies in mainframes, and PII in secure databases. Banks are racing to build the secure data pipelines that connect AI to their systems of record.
Cloudflare mapping: Workers, Agents SDK, Durable Objects, R2, and Workers AI provide the platform for agentic applications. AI Gateway provides unified observability and cost controls. Web Bot Auth enables cryptographic agent identity verification for agentic commerce.