U.S. banks tighten cyber defenses as Middle East strikes drive elevated threat posture

Major U.S. financial institutions and industry trade groups increased cyber monitoring and tightened defenses on Tuesday as a widening U.S.-Israel campaign against Iranian targets raised the risk of retaliatory operations against the banking sector. The move follows a wave of strikes and counterstrikes in the region and prompted immediate operational changes at global firms.

Retail Banker International and Yahoo Finance reported that JPMorgan Chase and Citigroup directed employees in the Middle East to work remotely, while Goldman Sachs advised its regional workforce to work from home and follow local guidance. Standard Chartered, Sumitomo Mitsui Financial Group and Mitsubishi UFJ Financial Group advised staff to postpone travel to the region, and Mizuho indicated it is considering voluntary evacuation for some Dubai and Riyadh employees. Citi provided a formal statement: “The safety of our employees is our number one priority, and we are continuing to take measures to help keep our employees and their families safe. We are continuing to serve our clients and we have robust contingency and resilience plans in place for that purpose.”

The cybersecurity threat picture sketched by government and industry sources emphasizes a mix of low-cost disruptive tactics and longer-term intelligence collection. The U.S. cyber advisory body SISA warned that recent coordinated U.S. and Israeli strikes have “materially elevated the cyber threat environment across the Middle East” and said the episode is “now into its fourth day.” SISA labeled current activity “Scenario C - Hacktivist Surge & Reputational Attacks (Active Now)” and issued operational guidance: “Decision trigger: This scenario is active now and does not require a trigger event. Maintain elevated detection posture for at least 6 weeks beyond any diplomatic development.”

Industry intelligence mirrors that assessment. A 2025 FS-ISAC report cited by industry outlets found that “the financial services sector was the top target of DDoS attacks in 2024, with the Hamas-Israel and Russia-Ukraine wars fueling a surge in hacktivism.” U.S. intelligence assessments reported in industry briefs warned Iran-affiliated hacktivists may favor low-level distributed denial of service attacks, while SISA highlighted persistent credential harvesting and network access operations by Iranian advanced persistent threats. Morningstar DBRS warned that cyber activity could rise and observed that “Iran could increase its cyberattacks against Western entities, including banks.”

The response blends near-term containment with continuity planning. Banks say they do not expect widespread operational disruption, but the sector is explicitly defending against tactics that have precedent. American Banker recalled a 2011 to 2013 campaign that used systematic DDoS attacks against roughly 50 U.S. financial firms, and recent incidents include a 2023 ransomware disruption at the U.S. broker-dealer unit of a major Chinese bank that affected Treasury trade settlement. Security analysts also note adversaries are experimenting with generative AI and large language models to scale phishing and social engineering.

Beyond direct cyber risk, credit analysts and geopolitical advisers flagged broader secondary exposure. Morningstar DBRS highlighted that the most significant near-term risks to global banks and asset managers remain indirect shock vectors such as sustained higher oil prices and stressed borrowers, while Lazard’s advisory team has flagged commercial cyber risk to financial systems as a policy concern. American Banker also warned that a major foreign-policy crisis could divert congressional attention from banking-related legislation, citing recent moves in the Senate to prioritize housing and community banking measures.

With SISA and industry groups urging a sustained elevated posture and firms already shifting personnel and travel policies, U.S. banks face a test of operational resilience. The period ahead will hinge on whether disruptions remain limited to low-level attacks or escalate into campaigns that affect payment flows, markets or critical infrastructure.