Security Assumptions

Why Security Assumptions Can Be Riskier Than They Appear

ChartIQ
Cyber risk management: This interview explains why security assumptions are no longer enough, how organizations can strengthen cyber resilience, and what leaders must do to prepare for prolonged cyber disruptions and AI-driven threats.

For years, financial institutions treated cybersecurity primarily as a technology challenge – one centered on preventing breaches, meeting compliance requirements, and minimizing operational disruptions. However, today, cyber risk has evolved into a broader business resilience challenge with far-reaching financial and operational consequences.

The stakes are significantly higher. A single cyber incident can halt critical services, amplify financial losses, accelerate fraud, and expose vulnerabilities that reverberate across customers, markets, and entire financial ecosystems. At the same time, the rapid rise of AI-powered fraud, deepfake impersonations, and increasingly sophisticated threat actors is reshaping the risk landscape in ways that traditional cyber models struggle to capture.

Asdrúbal Pichardo, CEO of Squalify, argues that many financial institutions are still underestimating the true scale of cyber risk. From unrealistic recovery assumptions and overlooked fraud exposures to underfunded recovery capabilities, he highlights the resilience gaps that leave organizations exposed.

In response, Pichardo shares his perspective on how leaders can better quantify cyber exposure, prepare for worst-case scenarios, and build organizations capable of recovering from increasingly complex and prolonged cyber events.

Security assumptions are no longer enough

Many financial institutions believe they are prepared for a major cyber event because they have recovery plans, security controls, and compliance frameworks in place. Yet severe incidents often reveal a different reality, one where recovery takes far longer than expected, and financial losses extend well beyond business interruption.

As cyber threats become more disruptive and interconnected, resilience depends not on security assumptions but on an organization’s ability to validate them under real-world conditions.

Many financial institutions continue to make security assumptions around recovery timelines and incident duration. From your experience, where do these assumptions break down most critically during a major cyber event?

Pichardo: The most critical breakdown is in recovery time assumptions. Banks typically set recovery time objectives in hours.

But our data at Squalify consistently shows that extreme but plausible outages can last days or even weeks. When firms base their risk assessments on best-case targets rather than worst-case realities, they systematically underestimate losses during a major incident and miss strategic actions when planning incident response.

Financial institutions often underestimate the duration and financial impact of severe cyber incidents. What are the systemic blind spots that contribute to this miscalculation?

Pichardo: Several blind spots compound the problem.

First, firms anchor on recovery targets rather than realistic worst-case durations, leading to underestimated financial exposure.

Second, financial theft and fraud risks – such as fake president schemes and AI-powered deepfake impersonations – can be just as costly as business interruption losses. However, these risks are often excluded from cyber risk models. One reason is that fraud-related losses are typically not covered by standard cyber insurance policies. As a result, many institutions underestimate their true financial exposure and may be carrying significant uninsured risk.

Third, weaknesses in supply chain risk management, logging and monitoring, and system lifecycle management create compounding vulnerabilities. These weaknesses can significantly prolong an incident, often far beyond initial estimates.

AI, fraud, and emerging threat vectors

While prolonged outages remain a major concern, they are not the only threat reshaping the financial sector. Artificial intelligence is creating entirely new attack opportunities.

It is enabling fraud schemes that are more convincing, scalable, and difficult to detect than ever before. As a result, institutions must prepare for risks that extend far beyond traditional cyber incidents.

AI-driven impersonation and cyber-enabled fraud are scaling rapidly. What new threat models should banks be preparing for over the next 2 – 3 years?

Pichardo: Banks need to treat AI-enabled fraud as a first-class financial risk, not just a technology problem. Deepfake impersonations of executives, real-time voice cloning for social engineering, and AI-generated synthetic identities are no longer just proof-of-concept threats. They are rapidly becoming operational attack vectors used by cybercriminals.

At Squalify, we see that AI-enabled fraud can cause financial losses on par with those resulting from major system outages or data breaches. The threat is expected to grow significantly over the next two to three years. As AI capabilities become increasingly commoditized, attacks will become more sophisticated, more frequent, and easier to execute.

Critically, these losses typically fall outside standard cyber insurance coverage, meaning the financial exposure is both underestimated and unhedged.

How does the combination of AI and social engineering change the economics of fraud – and the defensive strategies required?

Pichardo: AI fundamentally changes the cost structure of fraud. Historically, sophisticated social engineering attacks required significant human effort, which naturally limited their scale.

AI-generated voice and video have changed the economics of cyber fraud. Combined with data-driven AI tools, they make attacks both cheaper to execute and harder to detect. Fraud that once required a sophisticated criminal operation can now be executed at scale with minimal resources.

On the defensive side, this asymmetry demands a strategic shift. Organizations need to move away from relying solely on identity-based controls. Instead, they should adopt process-based verification and continuous behavioral analytics that can detect anomalies regardless of how convincing an impersonation may appear.

Strategic preparedness and leadership

As cyber threats evolve, resilience requires more than strong security controls. It demands a shift in leadership mindset, strategic planning, and the ability to recover from worst-case scenarios.

What does “cyber resilience by design” look like for a modern bank, beyond compliance-driven controls?

Pichardo: Cyber resilience by design means building for realistic worst-case scenarios, not just regulatory minimums. Genuine resilience requires stress-testing against multi-week outages, not just the hours reflected in most RTOs.

It also means integrating fraud risk quantification into the cyber risk model. AI-driven fraud can cause losses comparable to those from major business interruption events. Yet these risks often fall outside the scope of traditional insurance coverage. True resilience by design treats cyber risk as both a financial and strategic issue. It is quantified, visible to the board, and incorporated into capital planning. And not viewed simply as a compliance requirement.

How should executive leadership teams balance investment between prevention, detection, and recovery in today’s threat landscape?

Pichardo: Recovery capabilities are consistently underfunded relative to prevention, leaving many institutions investing heavily in perimeter defenses while underdeveloping recovery capabilities.

In today’s threat landscape, where sophisticated attackers will eventually find a way in, the ability to detect quickly and recover rapidly is often the difference between a manageable incident and an existential one.

I’d encourage leadership teams to explicitly pressure-test their recovery timelines against worst-case durations – not just stated RTOs – and close the gaps in supply chain risk management and monitoring.

If you were advising a global bank CTO today, what are the top three actions you would prioritize to prepare for a prolonged, high-impact cyber event?

Pichardo: First, recalibrate your risk models to reflect realistic outage durations. Most institutions are planning for hours; the data suggests they should be stress-testing for days or weeks.

Second, close the fraud risk gap – quantify AI-enabled fraud scenarios and recognize that these losses will not be covered by your cyber insurance. This is an unhedged exposure that needs to be visible at the board level. Third, fix the foundational recovery capabilities: incident response readiness and data backup are consistently among the weakest links across the financial sector.

If you can’t recover quickly, every other investment in prevention is less effective.

Next generation of cyber resilience

The future belongs to organizations that can recover, not just defend.

What will distinguish institutions that successfully navigate the next generation of cyber threats from those that struggle to recover?

Key takeaway:

As cyber threats grow in scale and sophistication, the organizations that will emerge strongest are those that move beyond prevention-centric thinking and embrace resilience as a strategic capability.

For leaders, the challenge is no longer simply keeping attackers out – it is ensuring the organization can withstand, recover from, and adapt to inevitable disruptions. From stress-testing for prolonged outages to quantifying AI-driven fraud risks and strengthening recovery capabilities, resilience must become an integral part of enterprise strategy.

About the Speaker: Asdrúbal is a senior technology executive with a broad and unique combination of experience in growing solutions, business units, markets, and revenues. He’s currently the CEO of Squalify, a Munich-based Start-Up, providing a Cyber Risk Quantification solution aimed at the C-Suite to make cyber risk measurable and manageable at the strategic level. Before joining Squalify, he was the CEO of Vernaio, a SaaS AI company helping production companies to become more efficient and sustainable. Prior to Vernaio, he was the CEO of FactoryPal, a corporate Start-Up offering a SaaS solution to increase manufacturing efficiency by leveraging AI and IoT technology. Before joining FactoryPal, he was the EVP & GM Europe at Corporater, a global SaaS company providing Risk & Compliance Management (GRC) solutions. He also spent 12 years at SAP, Europe’s largest Software company, where he held several leadership positions.

Gizel Gomes is a professional technical writer with a bachelor's degree in computer science. With a unique blend of technical acumen, industry insights, and writing prowess, she produces informative and engaging content for the B2B leadership tech domain.
