
Wow. And I'm assuming you cannot name names, for the benefit of society, because lawyers.


If only there was a stringent regulatory audit across the financial sector that only focused on cyber security as a substance, then you would see that 7 out of 10[1] financial institutions lack even the most basic defenses / ignore the basic sanity measures / or have poorly configured point solutions as their best defense against any cyber attack. A member of my team came across an institution that hosted the PII data for a country on a third-party cloud accessible via a poorly written API. Since regulatory laws were pretty lax, they (the institution) simply shrugged it off. The recommendations and remediation measures (wonder if there were any) get lost in the ocean of PPT files.

[1] From my own experience as an IR+Red team guy.


There is such regulation. It's supposedly enforced by the FFIEC.


Agreed, but it is US only. Banks in the Middle East and in South East Asia are in pretty bad shape because of lax regulators.



