Author: Kalyeena Makortoff Banking correspondent

Metro Bank shares have surged to a two year-high after news of a takeover approach by a London private equity firm that could create uncertainty for customers and staff.It emerged over the weekend that Pollen Street Capital has sounded out Metro bosses over a potential deal, which could take the listed lender off the London Stock Exchange and back into private hands.The rumours have also sparked speculation that Metro would ultimately be merged with another of Pollen’s companies, the specialist business lender Shawbrook.The news sent Metro Bank shares up by more than 15% to a high of 130p on Monday.A private equity takeover and potential merger would create further uncertainty for the bank’s employees, who have just emerged from a cost-cutting programme that resulted in roughly 1,000 job losses. About 3,000 staff survived the latest round of cuts, which were part of turnaround efforts following the bank’s near failure in October 2023.Any further cuts could raise questions about services for Metro’s 3 million customers, including those services offered across its costly branch network. The bank has already cut back on opening hours across its 75 branches, which were originally open seven days a week.While no price has been attached to Pollen’s prospective offer, a sale could result in a windfall for some of Metro’s shareholders, who saw shares dip to nearly 30p months after the bank was forced into a rescue deal.Metro was the first high street bank to open in the UK in more than 100 years when it was launched by the US billionaire Vernon Hill in 2010. It attracted a wave of customers, and offered dog-friendly branches with seven-day opening.But the bank suffered in the years that followed. Its share price was all but wiped out in 2019 after an accounting error led to the resignation of it top executives and founder. It took a further dive in 2023 when it emerged that the bank would need more cash from investors after it failed to convince regulators that Metro could be trusted to assess its own risks.skip past newsletter promotionafter newsletter promotionThe Colombian billionaire Jaime Gilinski Bacal now holds a 53% stake in the lender as part of the £925m rescue deal in 2023, which was three years after he started building a stake.Metro Bank, Pollen Capital and Shawbrook all declined to comment.

It is every bank boss’s worst nightmare: a panicked phone call informs them a cyber-attack has crippled the IT system, rapidly unleashing chaos across the entire UK financial industry.As household names in other industries, including Marks & Spencer, grapple with the fallout from such hacks, banking executives will be acutely aware that, for them, the stakes are even higher.Within hours of a successful bank hack, millions of direct debits could fail, leaving rents, mortgages and wages unpaid. Online banking may be blocked, cash machine withdrawals denied, and commuters left in limbo as buses and petrol stations reject payments. News of the attack could spark panic, leading to a run on rival lenders, as customers pull money from their accounts amid fear the disruption could spread.This situation may seem far-fetched but it is not a long way off from the government’s “reasonable worst-case scenario” if a sophisticated cyber-attack hit a big UK bank. With the financial industry among 14 sectors categorised as “critical national infrastructure”, it is no surprise that a hack is listed on the national risk register, which models some of the biggest threats facing the UK.Billions of pounds are being spent preventing the kind of devastating attacks that shut down systems at three retailers, Harrods, the Co-op and M&S, this spring.“The amount of money [that] banks, all of us, will be spending on our systems is enormous today. And it has to be,” the UK chief executive of HSBC, Ian Stuart, told MPs last month. “We are being attacked all the time.”View image in fullscreenHSBC alone is having to invest hundreds of millions of pounds to protect itself, Stuart said. “This is our biggest expense.”Globally, banks are expected to allocate 11% of their IT budgets to cybersecurity in 2025, according to an EY study. With those IT budgets forecast to hit $290bn (£214bn) this year, according to the research body Celent, banks could end up shelling out $32bn on cybersecurity by December.It is a new era for high street banks, as attempted heists evolve from criminals in balaclavas hitting physical branches and vaults to state-sponsored hackers and independent cybergroups looking for ransom payments or merely to cause mass disruption.“Banks have understood the risk far better than probably a lot of other industries. They’ve invested far more in security,” said Stuart McKenzie, a managing director for Mandiant Consulting, a Google-owned cybersecurity company that works closely with a number of lenders in the UK.Last month the governor of the Bank of England told the BBC that cybersecurity was a risk that was never going away because it continually evolved. “We’re dealing with bad actors who will continually refine the lines of attack. And I always have to say to institutions: ‘You’ve got to continue to work at this,’” Andrew Bailey said.However, protecting systems is a complex task. Most high street banks operate on an onion-like IT system, with layers upon layers of updates, patches and add-ons. Throw third-party software and cloud providers into the mix, and banks are left playing whack-a-mole.“We call it the attack surface,” Alan Woodward, a professor and cybersecurity expert at the University of Surrey, said. “The attack surface has actually increased, so the opportunities for attackers to try to look for ways in have also increased.”No bank hacks to date have been disruptive enough to bring a country to an economic standstill – although April’s power blackout across the Iberian peninsula exposed how reliant modern societies are on digital payments. Where hackers have been successful, they have more often than not targeted banks’ customer data and accounts.In 2021, attackers on the US bank Morgan Stanley stole personal information belonging to its corporate clients by hacking into a server used by a third-party consulting company.A year earlier, at the start of the Covid pandemic, attackers got hold of staff mailboxes at the Italian state-owned bank Monte dei Paschi, and sent emails to clients with voicemail attachments.View image in fullscreenMeanwhile, one of the most devastating hacks on a UK bank came in 2016, when criminals found a way to guess bank card details and steal almost £2.5m from 9,000 accounts at Tesco Bank. Tesco was forced to halt all online and contactless card transactions after struggling to block fake purchases taking place around the world, including Spain and Brazil.Tesco Bank eventually reimbursed customers in full.The National Cyber Security Centre says customers who suspect a hack should contact their bank using their official website or social media channels, and avoid using any links or contact details they have been sent. The organisation should be able to confirm if a hack has actually taken place, how they have been affected and what they need to do next.The Bank of England has tried to stay a step ahead. Policymakers officially recognised cybersecurity as a risk to financial stability in 2013 and started to implement cyber resilience standards for all regulated banks and insurers under its supervision.skip past newsletter promotionafter newsletter promotionThat involved the launch of “CBEST”, a world-first scheme in which ethical hackers test a single bank’s potential vulnerabilities with a cutting-edge attack.“Nothing is 100% secure,” Woodward said, but the UK banking system comes close. “A lot of it has to do with the oversight”, particularly by the central bank. “They gather threats and intelligence from MI5, GCHQ, NCSC, all the usual people, and then they actually try real scenarios out to see how robustly a bank can withstand that,” he said.The central bank also coordinates multiday cyberwar games as part of its SIMEX – simulation exercise – programme every two years to test City companies’ security.Authorities are tested, too, and the Bank, the Financial Conduct Authority, the Treasury and the National Cyber Security Centre review their response to a range of devastating scenarios.Regulators are not just checking banks’ preventive measures. Policymakers assume a cyber-attack will eventually be successful and are therefore pushing banks to prepare their response and recover plans that would avoid long-lasting outages that could bring pockets of the economy to a standstill.The Cross Market Business Continuity Group, which brings together regulators and members of the bank industry body UK Finance, boasts the ability to summon about 100 companies for emergency group calls in under an hour to discuss a potential attack.Fending off a hack is seen as vital to protect an industry that ultimately trades on trust: customers expect lenders to keep their information, wages and life savings protected from outside threats.“If somebody breaks in there and manages to make a fraudulent transaction … you’re not going to trust that bank again with your money, are you?” Woodward said.Banks have already experienced the backlash that can erupt from mere IT outages, without any malicious actors trying to disrupt the banking system or steal data and cash.TSB has for years been working to restore its reputation after its IT meltdown in 2018, caused by its botched separation from Lloyds’ internal systems, which left millions of banking customers locked out of their accounts for weeks. The lender was subsequently fined £48m for “widespread and serious” failings.View image in fullscreenOutages have continued to plague customers of Britain’s largest banks and building societies, who suffered the equivalent of more than a month of IT failures between January 2023 and February 2025, according to the data gathered by the parliamentary Treasury committee.“The security of customer money and data is of paramount importance to banks, not just because it’s a requirement under regulation but because it’s the way that banks do business,” Laura Catterick, a director focused on resilience and cybersecurity at UK Finance, said.“I would say, never rule out a cyber-attack. But I would say, there should be confidence in the amount of cyber defences in place.”