Securing the inside: insider threat prevention in financial services
Financial Services / Article / October 14, 2025
Cyber breaches cause significant harm, especially for financial services firms. We explain how to defend against them, with special attention to internal risk.
Cybercrime has long been a reality in every industry, but financial services companies are especially likely to be targeted because of the sensitive data they hold and the high-value transactions they facilitate. The consequences are serious: per an IBM report, the average cost of a data breach for a financial services firm in 2024 reached nearly $6.1 million. While much of the industry’s cybersecurity focus has rightly centered on increasingly sophisticated external threats, a more insidious risk with potentially significant impact is gaining ground: the threat from within. Insider threats, whether malicious or accidental, are becoming more prominent, costly, and difficult to detect. As shown in figure 1, nearly one-third of cybersecurity breaches are caused by insiders targeting high-value assets.
Companies tend to be laxer than they should be about the possibility of insider threats. This is somewhat understandable; in an era in which so many businesses emphasize teaming and transparency, many don’t want to undermine their culture by making their people feel policed. But these threats still must be guarded against under the time-proven “trust, but verify” philosophy.
Every financial services firm needs to be aware of the evolving cyber-threat landscape, the risk that their particular business faces from internal actors, and the measures that can be taken to prevent breaches and theft from insiders.
The evolving financial services cyber-threat landscape
On the whole, digital transformations have brought far more positives than negatives to businesses. That said, they have increased companies’ “attack surface,” the number of points in a system that an attacker can exploit to gain unauthorized access. Increasingly, cybercriminals are employing AI-driven attacks instead of more traditional methods such as ransomware to target high-value assets like client financial records, credit histories, investment portfolios, trading algorithms, and proprietary research.
Cybersecurity breaches are surprisingly common. Per a 2024 Verizon report, there were 3,348 breaches at financial services firms in 2024, or more than nine per day on average. More than a third of those breaches resulted in confirmed data disclosures, and approximately a third were the work of internal actors. Misuse of privileged access to financial services systems is a sizeable and steadily growing problem for businesses, with motivations ranging from financial gain to ideological differences. Notably, as organizations continue to modernize, those relying on legacy systems have experienced a 40 percent surge in insider risk incidents in recent years, per an IBM study. Financial services providers cannot afford to ignore such vulnerabilities, with average breach costs rising to $6.08 million—$1.2 million higher than the cross-industry average—not to mention the reputational damage, regulatory fines, and risk of license revocation. These risks are complex and multifaceted, requiring an exploration not only of the actors and their motivations, but also of the digital channels and structures within a financial services company that enable them.
Understanding insider threats: a crucial cybersecurity weakness
Generally speaking, insider threats fall into two categories: accidental and intentional. Accidental insider breaches, which can come about through phishing attempts, mis-delivery of sensitive information, misconfigured systems or parameters, lost or stolen devices, or even unauthorized “shadow IT,” aren’t as harmless as they may sound. These breaches can cause damage to systems, expose sensitive data, compromise compliance, and more, and can result in lawsuits, fines, loss of consumer confidence, and operational disruption while also incurring remediation costs. Insiders acting with deliberate, malicious intent to access financial records, account details, client identity information, or proprietary confidential corporate information have the potential to bring an even greater negative impact.
Insider-related breaches are on the rise in the financial services industry. They’re evolving from isolated incidents into systemic challenges that demand attention at all organizational levels. According to a Thales Group report, more than 70 percent of financial institutions have experienced insider threat incidents in the past year, reflecting both deliberate actions and inadvertent errors. Regular employees such as bank tellers, personal bankers, traders, fund managers, as well as “privileged” IT administrators all pose some degree of security risk within a financial institution.
Insiders with this kind of access may have many motivations for choosing to harm a business. At the systems level, human error can create weaknesses in areas such as access control that are then exploited intentionally; a common example is IT administrators assigning users broader access rights than their role requires, or for longer than required, in violation of the principle of least privilege. Malicious insiders can discover these overextended permissions, or use social engineering methods, to gain unauthorized access to sensitive systems or privileged information. Others breach systems for a range of reasons: to conduct espionage, to commit theft or sabotage out of disgruntlement, or as the product of social engineering through which cybercriminals obtain and then exploit the trust of others to access systems by deceptive means. (See sidebar, “Reducing insider threats at a pan-African bank,” for an example of how Kearney helped a financial services firm build resilience against internal cyber threats.)
As with all cyberattacks, insider threats bring notable negative business impacts that every company should seek to minimize in order to protect themselves against regulatory fines, reputational damage, operational downtime, and other consequences. To help reduce risk from insiders, the UK’s National Protective Security Authority has released a framework for insider-risk mitigation, as shown in figure 2.
As a starting point in the quest to elevate insider threat prevention from an IT or HR issue to a strategic business priority, financial services industry CEOs need to ask the right questions to drive awareness, action, and alignment at the board level along four key dimensions (see sidebar, “Key questions to drive awareness, action, and alignment around insider threat prevention”).
Insights and strategies to strengthen organizational defenses
The insider-threat-prevention strategy is a crucial aspect of the cybersecurity framework for all financial services firms. But positioning it solely as a strategy or part of a framework is insufficient; insider-threat prevention should be embedded in the firm’s overall business direction and factor in both the current and future threat landscape as well as industry best practices to maximize its benefits.
Statistics regarding attacks show that insiders continue to pose a major threat because they have so many opportunities to misuse data. Consider that:
Ninety percent of organizations have found that insider attacks are equally or more challenging to detect than external cyberattacks.
Eighty-eight percent of breaches surrounding log-in or access privilege misuse were motivated by financial gain for employees.
Forty-three percent of insider threats were related to intellectual property or data theft.
Fifty-five percent of error-related breaches were related to misdelivery (sending something to the wrong recipient).
While insider attacks are motivated by a number of different factors, the two greatest are financial gain and espionage. Unfortunately, some insiders see an opportunity to exploit their position at a financial services provider and put in the planning time to ultimately manipulate or transfer financial assets for their own gain. In other cases, an insider may be bribed or blackmailed into stealing sensitive information for another party. Much less frequently, insiders choose to make a political or social statement by leaking data, decide to take revenge for a perceived injustice or slight, or steal a company’s data for their own future use at a competing business.
As shown in figure 3, our insider threat prevention strategy, linked to the organization’s existing cybersecurity framework, has three central pillars: organizational resilience, prevention techniques, and the cyber-data vault. We go into detail on each pillar below.
Increasing organizational resilience
Enhancing organizational resilience to insider threats involves building and embedding a unified culture of cybersecurity across the financial services organization’s multiple business units through vigilance, mindfulness, awareness training, tailored simulations, and shared accountability. One proven technique to instill such a culture is the implementation of recurring risk assessments that focus on internal vulnerabilities. Beyond just focusing on compliance, these audits are the catalyst to enhancing cybersecurity through:
Cross-functional collaboration and shared accountability. Multiple departments such as IT, risk, operations, and legal work together in a non-siloed manner to consider the diverse business needs to enhance cyber resilience and co-own the insider risk agenda—aligning on controls, monitoring, and escalation protocols.
Third-party risk management. Contractors, vendors, and service providers often have privileged access, requiring insider risk criteria to be tightly integrated into procurement processes and vendor relationship management.
Business-aligned cybersecurity planning. Cybersecurity goals are integrated into all business unit strategies across the organization (for example, banking, insurance, asset finance, global markets, and so on) ensuring insider-risk controls are prioritized, budgeted for, and built into decision-making.
Continuous insight and adaptive response. Audit findings and monitoring tools feed back into central security functions’ control design, enabling dynamic adjustment of policies, user privileges, and mitigation measures in response to changing risk patterns.
Scenario-based response planning. Crisis response teams simulate insider-led breach scenarios to test how quickly and effectively the organization can detect, escalate, and contain internal threats.
Embedded training, culture-building, and awareness programs. Security awareness programs are tailored to insider-risk scenarios, helping employees identify and respond to red flags such as social engineering or privilege misuse.
Robust data governance and ownership. Data owners and compliance teams collaborate to ensure robust data protection that aligns with regulatory and business requirements, while enforcing least-privilege access and real-time monitoring for the protection of sensitive financial and client data against inappropriate internal use.
Zero-trust architecture. Treat every user and device—internal or external—as untrusted by default and require continuous verification and authorization for every access request. Zero-trust frameworks minimize unnecessary access, require continuous authentication, and help detect anomalous behavior early. According to the Thales Group, organizations that combine stringent data governance with a zero-trust framework experience a 30 percent reduction in unauthorized internal access events, which highlights the efficacy of continuous validation of user identities and access rights.
Together, these measures help financial services firms create a culture of resilience on top of their perimeter of defense, where insider threats are anticipated, detected, and contained before they cause harm.
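As an added example (written for this page, not Kearney’s code or any bank’s tooling) of the least-privilege point in the data governance item above and of the over-broad, over-long access grants described earlier in the article, the script below reviews a constructed entitlement snapshot against a role-to-permission matrix and flags grants outside the role, grants past their end date that are still active, and privileged grants with no end date. The roles, permission names and user records are assumptions made for illustration.

```python
"""Least-privilege entitlement review: added example, not code from Kearney or any
bank named in the article; roles, permissions and grants below are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Role-to-permission matrix: what each role legitimately needs for its job.
ROLE_PERMISSIONS = {
    "teller": {"accounts:read", "transactions:post"},
    "personal_banker": {"accounts:read", "accounts:update", "transactions:post"},
    "iam_admin": {"iam:manage_users"},
}
# Permissions that must always carry an end date and a re-approval.
PRIVILEGED = {"iam:manage_users", "accounts:export_bulk", "trading:approve"}

@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    permission: str
    expires: Optional[date]  # None means the grant is open-ended

def review_grants(grants, today):
    """Return (user, permission, finding, action) for every grant that violates
    least privilege: outside the role, expired but still active, or privileged
    with no end date. Grants that pass produce nothing."""
    findings = []
    for g in grants:
        if g.permission not in ROLE_PERMISSIONS.get(g.role, set()):
            findings.append((g.user, g.permission, "outside role", "revoke"))
        if g.expires is not None and g.expires < today:
            findings.append((g.user, g.permission, "expired, still active", "revoke"))
        elif g.expires is None and g.permission in PRIVILEGED:
            findings.append((g.user, g.permission, "privileged without expiry", "set expiry"))
    return findings

# Constructed entitlement snapshot as of the review date.
REVIEW_DATE = date(2025, 10, 14)
GRANTS = [
    Grant("t.mokoena", "teller", "accounts:read", None),
    # Temporary project grant that was never revoked when the project ended.
    Grant("t.mokoena", "teller", "accounts:export_bulk", date(2025, 6, 30)),
    Grant("a.smith", "iam_admin", "iam:manage_users", None),
    # Broader than the role needs, although it does at least have an end date.
    Grant("p.naidoo", "personal_banker", "trading:approve", date(2026, 1, 31)),
]

if __name__ == "__main__":
    for user, perm, finding, action in review_grants(GRANTS, REVIEW_DATE):
        print(f"{user:<12} {perm:<22} {finding:<26} -> {action}")
```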
Putting prevention techniques to work
While culture is critical to preventing insiders from committing cybercrimes, so too are more tactical techniques, especially ones that are centered on technology. This includes employing user behavior analytics tools and developing a “trust profile” for each employee. Absa Group achieves this through its Insider Trust program, which aims to mitigate the risk associated with privilege misuse by conducting thorough employee assessments across multiple domains 24/7.
Artificial intelligence (AI), including advanced analytics and machine learning, plays a crucial role in insider-cyber-threat detection. Machine learning is used in behavior-based detection by establishing baselines of normal behavior for both individual users and systems, then flagging anomalies. Applications range from initial detection to further remediation of anomalies. These technologies have been shown to reduce threat detection time by 40 percent, with complementary methods of prevention, such as blockchain-based audit trails and automated incident response, to further enhance the agility in identifying and containing insider threats.
AI-driven systems can provide continuous user and system monitoring, real-time risk scoring based on unusual behaviors, and automatic alert triggering and preventive actions such as session termination. Leveraging advanced user behavior analytics not only helps in early detection of anomalous activities but also aids in constructing detailed employee trust profiles, which have enabled some institutions to reduce detection time and mitigate potential damage before incidents escalate. For example, DBS Bank leverages its internal AI platform, ADA (“Advancing DBS with AI”), to centrally govern and secure data across the bank, capabilities that inherently support proactive monitoring and mitigation of insider threats and privilege misuse through structured data governance and stringent access control.
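As an added illustration of the baseline-and-anomaly approach described in the two paragraphs above (example code written for this page, not Absa’s, DBS’s or Kearney’s tooling), the script below builds a per-user profile from ten days of constructed access events and scores a new day against it: off-hours access, first use of a system and an abnormal record volume each add to a risk score that drives an alert or a session termination. The event fields, weights and thresholds are assumptions made for illustration, and every scored user is assumed to have a baseline.

```python
"""Behaviour-baseline anomaly scoring over an access log: added example, not code
from Kearney or any bank named in the article; events, weights and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class AccessEvent:
    user: str
    day: int      # day index in the observation window
    hour: int     # hour of day, 0-23
    system: str   # application or data store accessed
    records: int  # client records read in this session

def group_by_user(events):
    grouped = defaultdict(list)
    for e in events:
        grouped[e.user].append(e)
    return grouped

def build_baselines(events):
    """Per-user normal profile: working-hour window, systems used, daily volume."""
    baselines = {}
    for user, evs in group_by_user(events).items():
        daily = defaultdict(int)
        for e in evs:
            daily[e.day] += e.records
        totals = list(daily.values())
        mu = mean(totals)
        # Floor the spread: a perfectly regular history must not make small deviations look enormous.
        baselines[user] = {"hours": (min(e.hour for e in evs), max(e.hour for e in evs)),
                           "systems": {e.system for e in evs},
                           "mu": mu, "scale": max(pstdev(totals), 0.1 * mu, 1.0)}
    return baselines

def score_day(baselines, events):
    """Score one day of events per user -> {user: (score, reasons, action)}."""
    results = {}
    for user, evs in group_by_user(events).items():
        b, score, reasons = baselines[user], 0, []
        for e in evs:
            if not b["hours"][0] <= e.hour <= b["hours"][1]:
                score += 2; reasons.append(f"off-hours access at {e.hour:02d}:00")
            if e.system not in b["systems"]:
                score += 3; reasons.append(f"first use of {e.system}")
        z = (sum(e.records for e in evs) - b["mu"]) / b["scale"]
        if z > 3:
            score += 4; reasons.append(f"record volume z={z:.1f}")
        action = "terminate_session" if score >= 7 else "alert" if score >= 3 else "none"
        results[user] = (score, reasons, action)
    return results

# Constructed history: ten regular working days for a teller and an IT admin.
BASELINE_EVENTS = [AccessEvent("teller01", d, h, "core-banking", 25)
                   for d in range(10) for h in (9, 11, 14, 16)]
BASELINE_EVENTS += [AccessEvent("admin01", d, h, s, n) for d in range(10)
                    for h, s, n in ((10, "iam-console", 5), (15, "core-banking", 10))]
# Constructed day to score: the teller reads 2,000 records at 23:00 and uses a CRM never seen before.
SCORED_DAY = [AccessEvent("teller01", 10, 9, "crm", 25), AccessEvent("teller01", 10, 23, "core-banking", 2000),
              AccessEvent("admin01", 10, 10, "iam-console", 5), AccessEvent("admin01", 10, 15, "core-banking", 10)]
```

Calling `score_day(build_baselines(BASELINE_EVENTS), SCORED_DAY)` returns a score of 9 with a `terminate_session` action for the teller and 0 with no action for the admin.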
Securing information in a cyber-data vault
The third pillar of a robust cybersecurity framework is the creation of a cyber-data vault. These vaults serve as a centralized repository for all cyber-related intellectual property, including information on incidents, defenses, techniques, and algorithms.
In order to drive continuous cyber-defense improvement, cyber-data vaults employ a closed feedback loop. This loop refers to a continuous process through which information pertaining to events like cyberattacks and security breaches is utilized to help improve security measures and prevent future incidents. This loop, then, involves ongoing assessment, response, and feedback to constantly strengthen the organization's security posture.
Four actionable recommendations for financial services leaders
We believe there are four key ways that financial services firms can improve their stance on cybersecurity, specifically from internal threats.
The first recommendation is to implement proactive measures. Among the most vital needs is to invest in predictive threat modeling that can help anticipate potential insider breaches by analyzing behavioral patterns, access anomalies, and contextual risk factors of medium- and high-risk insiders. These models should also take into account the motivations of insider threats and the elevated access privileges many financial services employees possess, especially with regard to protected client and markets data. Firms need to tighten their access control measures, especially for privileged accounts, and compartmentalize critical resources; they should also leverage pre-existing specialized control frameworks to directly address the insider threat. Transaction monitoring systems, trader surveillance programs, and real-time fraud detection systems have traditionally been applied to detecting external threats, but they can be repurposed to identify suspicious internal activity. Integrating these tools with bespoke insider threat detection protocols gives firms enhanced visibility into employee actions and enables faster and more effective risk response.
The second recommendation is to embed a cybersecurity-aware insider trust culture across the organization. This requires more than just training and governance—it demands a shift in mindset, especially for staff who frequently handle sensitive data, such as traders, compliance officers, or personal bankers. Financial institutions are already innately attuned to enterprise-wide risk, compliance, and cybersecurity frameworks as part of regulatory licensing requirements. Building on this foundation, a dedicated insider-threat prevention policy would further strengthen organizational resilience by addressing the unique risks posed by internal actors. Cybersecurity and insider-threat prevention must be baked into the fabric of the organization’s business plans, operational frameworks, decision-making processes, and cascaded down through to teams. When treated as an enterprise-wide priority rather than a siloed function, cybersecurity becomes a shared responsibility embedded in culture, values, and day-to-day behaviors.
Thirdly, it’s important to undertake collaborative initiatives across the financial services sector on both a macro and a micro level. Financial services firms should look to partner with peer institutions and regulatory bodies to share insights and best practices and to lobby for improved policies. One example is SABRIC (South African Banking Risk Information Centre), a collaborative not-for-profit organization aimed at combating financial crime, of which the majority of South Africa’s commercial banks are members. On an enterprise level, firms should look to engage third-party experts for independent security audits, gamified cybersecurity training, and mindfulness, focusing on internal threats.
Finally, businesses must treat cybersecurity as a strategic business imperative—one that demands ownership at the executive board level. It can no longer be viewed as solely an IT problem; rather, it must sit at the top of the agenda for every member of the C-suite. Given its vital role in risk reduction, revenue generation, and customer trust, the link between cybersecurity and overall business performance cannot be overstated.
The path forward
No financial services company can claim to have a comprehensive cybersecurity strategy if it doesn’t understand and proactively address insider threats. Whether accidental or intentional, insider breaches can bring devastating consequences to a firm via lawsuits, fines, loss of consumer confidence, operational disruption, financial losses for the firm or its customers, disclosure of trade secrets, and reputational damage to the brand. With so much at stake, guarding against them requires elevating cybersecurity to a proactive, board-level issue that ties in to the firm’s overall business direction and culture in order to maximize safeguards and minimize event frequency and fallout.
The authors wish to thank Hentus Honiball and Daniel Heller for their valuable contributions to this article.
Authors
Rob Van Dale
Partner
Hadi Faraj
Partner
Jo-Ann Pohl
Associated Director
Greg Epstein
Consultant