From cyber defense to financial resilience

Why cyber risk now sits with treasury, procurement and the board

10 March 2026

8 mins

Corporate & investment bankingTransaction bankingTreasury

For many organisations, cybersecurity is still perceived as a technical discipline, something to be managed quietly by IT teams in the background. But recent incidents have made one thing clear: cyber events are no longer just operational disruptions. They are increasingly financial shocks, capable of interrupting payment flows, disrupting supply chains, damaging brand trust and creating material balance-sheet impact.

To understand how this shift is reshaping risk for treasurers, procurement leaders and boards, we spoke with Matthew Bottomley, Director of Client Threat Intelligence & Engagement at Standard Chartered, about how cybercrime is evolving and what organisations must do differently to build resilience in an increasingly interconnected world.

Cybercrime now operates like a value chain – attackers can buy access, tools and infrastructure as a service, making attacks faster,cheaper and more targeted.

Mathew Bottomley

Director of Client Threat Intelligence & Engagement, Standard Chartered

A new cyber landscape and the rise of cybercrime as a value chain

Cyber threats today bear little resemblance to their popular portrayals of dark rooms and blinking screens. Defending against them is a highly intricate ecosystem built on dashboards, data and anticipation – understanding how attackers operate, where they focus, and how small weaknesses can be exploited at speed.

Recent ransomware incidents have involved average payments of around USD1 million, but ransom figures alone significantly understate the true cost. When operational disruption, recovery efforts, lost revenue, reputational damage and knock-on effects to partners and customers are factored in, the financial impact can quickly escalate into the hundreds of millions.

“That’s why threats need to be prioritised based on business impact, not just technical severity,” Bottomley explains. “Cybersecurity today is about knowing where it really hurts – financially and operationally – and ensuring organisations can keep operating when something goes wrong.”

What makes today’s threat landscape more complex is the degree of interconnection. Threats do not respect borders, and an incident affecting one organisation can quickly ripple through financial networks, vendors and supply chains.

At the same time, cybercrime itself has become increasingly industrialised. Rather than operating in isolation, attackers now collaborate through cybercrime-as-a-service models buying access, tools and infrastructure on demand.

“Attackers no longer need to build tools or infrastructure themselves,” Bottomley continues. “They can buy or rent capabilities from affiliates, for a recurring fee or share of illicit profits, including initial access, phishing kits, malware loaders and ransomware as-a-service platforms. This lowers the barrier to entry, allowing attacks to scale faster while becoming more targeted.”

The implication for organisations is stark. When vulnerabilities are disclosed and patches released, those slow to act are often the ones compromised, with cascading operational and financial consequences.

Cyber incidents are no longer just operational disruptions -they are financial shocks thatcan materially impact thebalance sheet.

Mathew Bottomley

Director of Client Threat Intelligence & Engagement, Standard Chartered

The blind spots leaders can no longer ignore

Despite advances in security technology, the most significant cyber risks rarely originate in systems alone. They emerge at the intersection of human behaviour, control gaps and trust.

Subtle warning signs often appear first in everyday operations. Urgent requests that bypass established controls. Over-reliance on email to change supplier or payment details. Informal workarounds designed to keep processes moving. These behaviours, while familiar, frequently create the conditions attackers exploit.

Cybercrime itself has become increasingly industrialised. Rather than operating in isolation, attackers now collaborate through cybercrime-as-a-service models buying access, tools and infrastructure on demand.

Mathew Bottomley

Director of Client Threat Intelligence & Engagement, Standard Chartered

Over 60 per cent of cyber incidents involve a human element, whether through stolen credentials, misuse of access or social engineering. Increasingly attackers focus on identity rather than infrastructure, because stealing credentials and operating as a trusted user is often easier than breaking through technical defences.

“Technology alone won’t stop cyber incidents,” Bottomley says. “Culture makes the difference.”

Organisations with stronger resilience treat cyber security culture as a continuous discipline , rather than an annual compliance exercise. Regular phishing simulations, in-the-moment coaching when mistakes occur and rewarding people for reporting suspicious activity all contribute to faster detection and reduced impact.

Third-party exposure remains a growing concern for organisations. As supply chains become more digitally interconnected, attackers are increasingly targeting vendors, service providers and subsidiaries that sit just outside an organisation’s direct control – often as a way of gaining indirect access to core systems and processes.

In practice, this risk tends to surface through weaknesses uncovered during vendor assessments and ongoing assurance, including unclear security policies, poorly governed use of SaaS and thirdparty applications that handle sensitive data offsite, inconsistent patching processes, weak incident-response plans and a lack of realistic simulations or playbooks.

“A common gap is failing to apply the same level of rigour to cyber risk as to other third-party risks, such as financial exposure.” Bottomley adds. “Vendor cyber resilience should be checked, not assumed.”

Sector patterns reinforce this shift. In retail and consumer industries attackers are increasingly exploiting identity-based access and third-party weaknesses rather than overt technical flaws. Once trusted access is obtained, malicious activity can blend into normal operations, making detection harder and response slower.

Vendor cyber resilience should be treated like financial risk – checked, not assumed.

Mathew Bottomley

Director of Client Threat Intelligence & Engagement, Standard Chartered

“It’s less about breaking a window and more about stealing an access badge,” Bottomley explains. “Once they’re inside, everything looks normal, but they’re deliberately targeting the systems that hurt most.”

Payments, online ordering and logistics are frequent targets, because disruption in these areas creates immediate operational, reputational and financial pressure.

Increasingly attackers focus on identity rather than infrastructure, because stealing credentials and operating as a trusted user is often easier than breaking through technical defences.

Mathew Bottomley

Director of Client Threat Intelligence & Engagement, Standard Chartered

From intelligence to client protection

In this environment, intelligence becomes the connective tissue between cyber defence and financial resilience. Rather than applying controls uniformly, intelligence helps prioritise where attackers are most likely to strike and where disruption would have the greatest financial and operational impact.

“Intelligence-led defence is about making better decisions,” Bottomley explains. “It allows organisations to anticipate and adapt to threats, not just react after damage has been done.”

At Standard Chartered, this approach sits at the heart of Client & Third-Party Security (CTPS), a function designed to protect the bank while helping clients strengthen their own cyber resilience.

CTPS plays a dual role, combining proactive identification of cyber threats affecting third parties that could impact the bank, while working directly with clients to share intelligence, insights and practical guidance that supports their own decision-making.

Through CTPS, this intelligence is delivered to clients in four practical ways:

Cybersecurity today isn’t something one organisation can solve alone.

Mathew Bottomley

Director of Client Threat Intelligence & Engagement, Standard Chartered

Investing strategically in cyber readiness

Looking ahead, cloud services, AI, IoT, remote working tools, blockchain and digital assets continue to expand the attack surface. These technologies enable emerging threats which are often novel or fast-changing, leaving little time to detect , respond or implement effective protections.

Yet there is reason for optimism. Organisations that invest based on threat intelligence, business impact and response capability are already reducing breach impact materially – not by eliminating risk, but by responding faster, containing damage more effectively, and maintaining operational and financial continuity.

“The same capabilities attackers rely on – automation, scale and speed – can also be applied defensively to build resilience,” Bottomley notes. “When organisations invest intelligently, cybersecurity becomes a strategic enabler – protecting value, enabling innovation and building trust in an increasingly digital economy.”

In an environment where digital and cyber risk are inseparable from financial and operational risk, the question is no longer whether to invest in cybersecurity, but whether those decisions are being made deliberately enough.

Crucially, resilience at this level is rarely achieved alone. In an increasingly interconnected financial ecosystem, collaboration – particularly through shared intelligence and co-ordinated response – is becoming a decisive factor in how effectively organisations contain and recover from cyber threats.

The same capabilities attackers rely on – automation, scale and speed – can also be applied defensively to build resilience.

Mathew Bottomley

Director of Client Threat Intelligence & Engagement, Standard Chartered