Financial Cyber Attack News: 3 Recent Stories and What They Mean for Risk and Coverage
If you work in or around financial services, the trend is simple: attackers keep chasing identity data, access credentials, and money movement. Sometimes it is ransomware. Sometimes it is a “small” bug or phishing incident that still creates real fraud risk.
Note from Rhonerisk Team: If you want a quick sanity check on whether your cyber insurance would respond to these exact scenarios, book a call with RhoneRisk or request a quote.
Story 1: CIRO confirms investor data theft tied to an August 2025 phishing attack
Canada’s Investment Regulatory Organization (CIRO) published an update saying unauthorized access led to investor data being involved, and the incident traces back to a phishing attack that occurred in August 2025. This cyber attack on CIRO can be found on their website and it was a big wake up call for a lot of financial companes alike.
Why this matters:
-
Phishing is still the front door, even for regulated organizations.
-
Stolen identity data does not just create “breach costs.” It fuels follow-on fraud across the financial ecosystem.
What to review in your coverage because of incidents like this:
-
Breach response (notifications, monitoring, call center)
-
Incident response vendors (forensics, legal breach coach)
-
Regulatory response coverage (defense costs, investigation support)
Story 2: PayPal confirms Working Capital loan app data exposure caused by an application error
PayPal recently confirmed a data exposure affecting a subset of PayPal Working Capital (PPWC) loan app users, caused by an application error that left certain personal data exposed for months, and PayPal reported some fraudulent transactions tied to the incident. This news recently took off in the cyber world and has been confirmed by other news channels like Forbes magazine.
Why this matters:
-
Not every “breach” is a hacker breaking in. Sometimes it is an internal error that still creates identity and fraud exposure.
-
This is a good reminder that underwriting and claims look at the actual cause and the timeline, not just the headline.
What to review in your coverage because of incidents like this:
-
Privacy and breach response coverage
-
Fraud and social engineering sublimits (often smaller than people expect)
-
Business interruption language (if an outage or incident stops operations)
Story 3: Marquis ransomware incident impacts banks and credit unions through a vendor breach
Reuters reported fintech firm Marquis notified banks and credit unions after an August 2025 ransomware incident tied to a firewall vulnerability, with potentially exposed personal data and some financial account details. This data breach impacted 74 US banks and credit unions (Bleeping Computer, 2025).
More recently, reports say Marquis sued SonicWall over issues tied to firewall backup access related to the incident.
Why this matters:
-
You can do everything “right” internally and still get hit through a vendor.
-
Vendor incidents create messy fallout: notifications, client trust issues, contract disputes, and regulatory questions.
What to review in your coverage because of incidents like this:
-
Third-party liability (claims, defense costs)
-
Vendor and cloud outage language (contingent business interruption, if applicable)
-
Panel vendor rules (who you must call first and when)
What these 3 stories have in common
-
Identity data is a multiplier. Once it leaks, criminals often shift to phishing, invoice fraud, and account takeover attempts.
-
Vendors are part of your attack surface. If your vendors get hit, you still deal with the damage.
-
Policy details matter. Sublimits and requirements are where “we’re covered” turns into “wait, that’s capped?” during a claim.
Quick checklist: what to confirm in your cyber policy right now
Coverage that should be clearly included
-
Incident response and forensics
-
Breach response costs (notifications, monitoring)
-
Cyber extortion and ransomware response services
-
Business interruption and extra expense (with terms you understand)
The part most people miss
-
Social engineering and fraud coverage
-
What is the sublimit?
-
Is it in the cyber policy, or is it in a separate crime policy?
-
What are the conditions to trigger it?
-
Vendor and cloud exposure
-
Does your policy address third-party outages or vendor incidents where your operations are impacted?
Claims process clarity
-
Do you have a 24/7 hotline and a defined process for engaging breach counsel and forensics?
-
Are you required to use panel vendors?
FAQ
Are financial organizations targeted more than other industries?
Often, yes, because financial workflows include identity data and money movement, and criminals monetize both quickly.
Does cyber insurance cover fraud from a phishing email?
Sometimes, but it is commonly limited by a sublimit and sometimes handled under a crime policy. Always confirm the social engineering and funds transfer section.
If a vendor gets breached, am I covered?
It depends on your policy’s definitions, third-party liability language, and any contingent business interruption coverage. Vendor incidents are a common gap.
Is “small” exposure still serious if only a few customers were impacted?
It can be. Even small sets of identity data can drive targeted fraud attempts, especially in finance.
What is the fastest way to improve insurance outcomes?
Make sure MFA is enforced where it matters, backups are tested, and your underwriting answers match reality. Underwriters are pricing control maturity more aggressively now!
