Can cyberwar be limited by international law and diplomacy? Those who believe in international "norms" for cyberwar usually argue that cyberattacks on financial institutions are beyond the pale.
For example, Harold Koh has declared the State Department's view that cyberwarriors "must distinguish military objectives ... from civilian objects, which under international law are generally protected from attack." And Richard Clarke, a former White House adviser, claimed in 2010 that "most countries would agree to sign a treaty not to attack each other’s international financial and banking system networks. They don’t want to cross that Rubicon, or the entire international banking system could go down."
I can't help noticing that, since these speeches were given, DDOS attacks on Western banks have been attributed to Iran and North Korea has been blamed for cyberattacks on banks in South Korea. If you're looking for norms in actual conflicts, as opposed to speeches, cyberattacks on the financial sector are starting to look, well, normal.