Insider threats – whether accidental, negligent, or malicious – remain a major risk for financial firms. With rising concerns tied to remote work, AI-powered deepfakes, and overseas contractors, SIFMA’s Insider Threat Best Practices Guide (3rd Edition, July 2024) offers a timely roadmap for building resilient programs.

The Evolving Risk Landscape

Today’s threats stem not just from hackers but from within: trusted employees, vendors, and contractors. Most incidents (up to 80%) are unintentional or negligent. But recent cases, such as North Korean IT workers using stolen identities and bribery of overseas staff in the $400M Coinbase breach, highlight the growing sophistication of attacks.

SIFMA’s Key Recommendations

The following starting point can help you establish or enhance your organization’s framework to manage insider threats:

1. Establish Strong Governance and Culture
   Build cross-functional insider threat teams (HR, IT, Legal, Security), involve the board, and promote a security-first culture through clear communication and ongoing training. Use anonymous reporting tools and enhance vetting for remote hires to counter risks flagged by the FBI.
2. Enhance Detection Capabilities
   Combine tech (DLP, IAM, SIEM) with behavioral analytics to monitor high-risk users and detect anomalies. Watch for AI-enabled threats like deepfakes and unusual access patterns, especially from third parties.
3. Strengthen Response and Recovery
   Prepare incident response plans that classify and escalate threats quickly. Conduct thorough investigations, engage forensics, and ensure post-event audits to improve processes.
4. Measure Program Effectiveness
   Use clear metrics to gauge program maturity and report to risk committees or the board. Track trends, audit regularly, and adjust based on findings.
5. Manage Legal Risks
   Align monitoring with U.S. privacy laws (e.g., ECPA, FCRA) and adapt global practices to local regulations, including GDPR and India’s DPDPA.
6. Stay Ahead of Emerging Threats
   Monitor AI’s dual role—both a security asset and a threat vector. Strengthen third-party oversight and heed law enforcement alerts, such as those involving foreign threat actors.

Final Thoughts

Insider threats are not hypothetical – they’re happening now, with real financial, operational, and reputational consequences. As attacks become more sophisticated and harder to detect, firms must move from reactive to proactive. SIFMA’s guide arms financial institutions with practical tools to reduce risk, respond faster, and strengthen trust with clients and regulators alike. By embedding these best practices into your culture and systems, you’re not just protecting data – you’re safeguarding the future of your organization and the capital markets at large. Access the full guide at sifma.org.

Author

Stephen Byron is Managing Director, Head of Technology, Operations, and Business Continuity at SIFMA.

Thomas Wagner is Managing Director of Financial Services Operations for SIFMA.

Related Resource

• Guide

  Best Practices for Insider Threats