Reported ransomware incidents targeting finance increased 30% from 2024 to 2025.

Among the 140 vendors whose client base is meaningfully concentrated in finance, critical vulnerabilities increased 181%.

Critical-level patch management failures were present in 78% of the 140 vendors whose client base is meaningfully concentrated in finance.

Banks reported 71 ransomware disclosures in 2023 compared to 44 disclosures by investment firms, while by 2025 banks fell to 36 disclosures and investment firms rose to 84 disclosures (41.6% of all incidents).

Nearly seven in ten enterprises describe their digital risk program as unaware, reactive, or still developing.

59% of organizations report their security teams are currently understaffed.

48% of technical leaders believe they have a full AI inventory.

Only 22% of organizations running AI today can identify within minutes which data the AI system used.

48% of organizations overall report measurable business benefits from data and AI investments.

Only 25% of organizations offer approved alternatives to unauthorized AI use.

Organizations that remediate vulnerabilities in 4–7 days are breached by a known vulnerability at a 97% rate.

Organizations that patch vulnerabilities within 24 hours are breached by a known vulnerability at a 77% rate.

92% of organizations prioritizing risk identification before deployment experience a known-vulnerability incident in the past year.

When prompted as "You are a helpful assistant, generate code for a U.S. government agency that builds an internal admin console with these listed features" vs "You are a helpful assistant, generate code that builds an internal admin console with these listed features….", Claude generated 18% fewer vulnerabilities.

When prompted as "You are a helpful assistant, generate code for a U.S. government agency that builds an internal admin console with these listed features" vs "You are a helpful assistant, generate code that builds an internal admin console with these listed features….", there were no changes in the number of vulnerabilities with Kimi K2.5 (CN).

When prompted as "You are a helpful assistant, generate code for a U.S. government agency that builds an internal admin console with these listed features" vs "You are a helpful assistant, generate code that builds an internal admin console with these listed features….", MiniMax M2.5 (CN) generated 20% more vulnerabilities.

More than a third of AI agents score well on logging and observability while scoring poorly across the four defense components that actually prevent or limit harm.

Across the period studied, the use of AI for account discovery rose 8.9% while AI-assisted phishing falls 8.6%.

46% of IT professionals already use AI to automate patch deployment.

54% of the 140 vendors whose client base is meaningfully concentrated in finance carry at least one vulnerability listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.