Every major bank penalty started with a workforce gap — a misconfigured IAM role, a reused credential, a vendor that wasn't vetted deeply enough.
Capital One suffered one of the largest US bank breaches of the decade when a former AWS employee exploited a misconfigured web application firewall (WAF) and an over-permissioned IAM role on Capital One's AWS infrastructure to extract over 100 million customer records — including 140,000 Social Security numbers and 80,000 bank account numbers. The attacker used a Server-Side Request Forgery (SSRF) vulnerability on the WAF's API endpoint to traverse to the EC2 metadata service and harvest the role's temporary credentials. The intrusion went undetected for months until a security researcher tipped off Capital One. The bank paid $190M to settle US Department of Justice and OCC charges, plus an additional $80M in civil settlements.
Key lesson: Cloud misconfiguration is the single most common bank breach vector — and the controls that prevent it are not zero-day defenses. Every engineer with the ability to configure a WAF, an IAM role, or a bucket policy needs training on what an over-permissioned role looks like, how SSRF traverses metadata services, and how to detect the egress pattern in CloudTrail logs. This is a workforce awareness problem dressed up as a technical incident.
In November 2023, LockBit ransomware hit the Industrial and Commercial Bank of China's US clearing arm — forcing ICBC's operators to complete US Treasury trade settlements literally by walking USB sticks of trade data between midtown Manhattan offices. The incident disrupted settlement of billions of dollars of US Treasury bonds, showed DTCC counterparties that even the largest financial institutions can lose critical operations overnight, and made "clear and recover" the watchword for treasury operations at every major bank. ICBC US is now subject to NYDFS Part 500 examination findings that include explicitly the clearing-operations detection and response playbooks.
Key lesson: Treasury ops, clearing, and wire-transfer teams cannot rely on their own systems alone — they must have a documented cutover and recovery runbook for CHIPS, SWIFT, Fedwire, and DTC contingency routing, including which counterparty to call for what message types. The drill needs to happen before the regulator shows up, not during a ransomware event at a counterparty.
In 2014, attackers compromised JPMorgan Chase and exfiltrated contact information for 76 million household accounts and 7 million small-business accounts. The initial access used stolen credentials — credentials that had been reused by a JPMorgan employee on a third-party website that itself had been breached. The attackers then escalated by compromising a sysadmin account that had elevated privileges on JPMorgan's two-factor authentication system itself, effectively neutralizing 2FA for the rest of the network. JPMorgan spent over $250M on remediation, regulator action, and customer trust impact. The incident is now cited in FFIEC 2024 guidance as the canonical case for why credential hygiene at sysadmin level is the highest-priority workforce control.
Key lesson: Two controls most banks trust — credential uniqueness and 2FA — were both defeated by a single workforce gap. Every employee must understand that work credentials cannot be reused on personal accounts, and the IT staff who provision and operate the 2FA system must be held to a heightened standard of credential hygiene and network segmentation. Once the attacker owns the authenticator, every account behind it is theirs.
In 2019, First American Financial Corporation — one of the largest title insurance companies in the United States — exposed an estimated 885 million records of sensitive title insurance documents going back to 2003. The exposure was caused by an insecure direct object reference (IDOR) vulnerability in the company's document delivery platform: anyone who knew or guessed a document ID could retrieve the full document, with no authentication required. The vulnerability had been present for years. Pen-testing had flagged the issue months earlier, but the fix was not made. First American paid a $1M NYDFS Part 500 fine, multiple state-level enforcement actions, and faced years of class-action exposure. NYDFS cited the company's failure to remediate a known vulnerability as grounds for the first cybersecurity enforcement action under its 2017 regulation.
Key lesson: IDOR is a missed design requirement — and a known-found-vulnerability-not-fixed is a regulator's best case. Every engineer who designs or modifies a document retrieval API needs hands-on training on access control design, and every product manager who approves an ID-based document URL needs to understand the authentication requirements that go with it. If you ignore a finding from a pen test, the regulator will find out.
Generic cybersecurity awareness training was not built for environments where a single wire-room mistake can move $40M before lunch. These four vectors require banking-specific training.
Treasury operations staff handle wire transfers worth tens of millions daily — and the FBI IC3 reports BEC losses of $2.9B in 2024. A compromised inbox, a routed call to a bad actor's cell phone, or a manipulated SWIFT MT103 message can move funds outside the bank's recovery window in minutes. Training covers: callback verification protocol for every wire (dual-control, known-good phone number, voice verification), SWIFT MT103 message tampering detection, the difference between in-band and out-of-band verification, and the structure of a wire-room that enforces separation of duties.
Investment banks hold material non-public information (MNPI) on upcoming M&A, IPOs, and earnings releases — and a single insider exfiltration event can be a Securities and Exchange Commission enforcement matter as well as a cybersecurity incident. Vendor sell-side analysts at third-party research firms are an underappreciated vector. Training covers: insider threat indicators in trading environments, DLP monitoring of large file movements to personal cloud storage, MNPI identification and handling procedures, and the SEC Cyber Disclosure Rule (Form 8-K Item 1.05) reporting requirement.
Money laundering and Bank Secrecy Act evasion tooling is now digitally native — Lazarus Group's FASTCash scheme (30+ countries, tens of millions withdrawn in coordinated bursts) showed that correspondent-banking message formats themselves can be exploited. FATF Travel Rule enforcement requires originator/beneficiary data on every cross-border wire, and that data must be captured and stored securely. Training covers: how correspondent banking message formats (ISO 8583, MT103) are exploited for layering, how to identify anomalous transaction patterns in real time, and what the technical integration required for Travel Rule compliance looks like.
A bank's risk surface is not only its own vendors — it is its correspondents' correspondents. Banking-as-a-Service (BaaS) platforms extend this network: if your sponsor bank's sponsor bank has a sub-processor breach, you inherit the regulatory liability. The SanctionSec Treasury Department settlements of 2022–2024 (multiple banks cited for AML gaps in fintech-BaaS partnerships) established the doctrine. Training covers: vendor due diligence depth for correspondent banking relationships, BaaS sponsor-bank risk allocation language, and the FinCEN advisory expectations for ongoing monitoring of partner-bank sub-processors.
If you're a US commercial bank, investment bank, or BaaS platform, these frameworks are not optional. Here's how SecurEveryone's training maps to each one.
| Framework | Key Requirement | Training Coverage |
|---|---|---|
| SOX ITGC Sarbanes-Oxley IT General Controls |
Public company financial reporting controls; ITGC domains include program change management, system access, computer operations, and program development; PCAOB auditors test effectiveness of segregation of duties | Full coverage |
| GLBA Safeguards Rule 16 CFR Part 314, FTC revised rule 2023 |
Requires financial institutions to implement comprehensive information security program; 2023 revision expanded scope to include service providers and added specific training, MFA, and incident response requirements | Full coverage |
| FFIEC IT Handbook + 2024 Update AIO booklet, IT Examination, Cybersecurity Assessment Tool |
Prescribes risk-based examination expectations for IT controls, cybersecurity, and audit; 2024 updates emphasize identity protection, third-party risk management, and operational resilience for community and regional banks | Full coverage |
| NYDFS Part 500 23 NYCRR 500, second amendment effective 2024 |
NY-regulated financial institutions and their third-party service providers; requires CISO designation, annual penetration testing, multi-factor authentication, cybersecurity events reporting within 72 hours, and business continuity and disaster recovery planning | Full coverage |
| OCC Heightened Standards Applies to banks >$50B in assets |
Heightened risk governance and oversight expectations for large national banks; covers risk management framework, three lines of defense, board oversight, and independent risk management of operational, cyber, and compliance risks | Full coverage |
| Basel III Operational Risk BCBS 356 capital floor standards |
Capital requirements for operational risk including cyber and IT failure losses; banks must classify cybersecurity events by event-type and use incident data in operational risk loss estimation | Full coverage |
| Dodd-Frank 314(b) Information Sharing 31 CFR §1010.540 — voluntary |
Voluntary information sharing among financial institutions for cybersecurity threats; requires a process for receiving, storing, and acting on Section 314(b) requests; ongoing training on what triggers a sharing event | Full coverage |
| PCI-DSS 4.0 Effective March 2025 for new requirements |
For banks that issue or process payment cards; v4.0 expanded requirements on phishing-resistant MFA, targeted risk analysis, and authenticated vulnerability scans; service provider responsibility matrix | Full coverage |
Each drill reconstructs a real incident, walks participants through the decision points, and produces documented evidence your CISO can present to OCC, NYDFS, or FFIEC examiners.
Participants are given a real-time scenario: a counterparty bank's clearing system has been compromised by ransomware and US Treasury settlement must be routed around them in 90 minutes. The wire room has standing CHIPS/SWIFT cutover protocols — but the cutover routing has not been drilled with this specific counterparty in over a year. The group works through: which DTCC member to call for backup routing, how to validate the cutover SWIFT messages are authentic, when to escalate to Treasury operations leadership, and what gets recorded for FFIEC and NYDFS reporting.
Takeaways:
The simulation: the CISO receives a tip that a security researcher has identified an SSRF-vulnerable API on a public-facing host. Within the next hour, the SOC team must (1) reproduce the SSRF in a sandbox, (2) determine whether the underlying EC2 role has been exploited for credential harvesting, (3) trace the role to the engineer who provisioned it and the change ticket that approved it, and (4) decide whether this crosses the NYDFS 72-hour reporting threshold. Participants leave with an updated CloudTrail detection query, an IAM provisioning checklist, and an SSRF incident reproduction procedure.
Takeaways:
Participants receive a notification: a third-party vendor that handles wire-room authentication has disclosed a breach. The vendor is a small fintech that integrates with the bank's 2FA system — exactly the configuration that allowed the 2014 JPMorgan escalation. The bank must now (1) rotate every credential shared with the vendor within 24 hours, (2) audit every active session token from the vendor's integration, (3) review the vendor's response posture and decide whether to terminate the relationship, and (4) update the vendor due-diligence questionnaire to surface this risk in future procurement.
Takeaways:
Live, expert-led, structured for OCC / NYDFS / FFIEC reporting and examiner evidence packages. Sessions are 60–120 minutes, held over Zoom.
Free Resource
13-page playbook covering the wire interception kill chain, callback-verification protocol with dual-control approval, the ICBC $9B LockBit scenario from the treasury desk perspective, and FinCEN FFKC reporting timelines. Built specifically for wire-room leadership and treasury operations.
Download Free Playbook →A former AWS employee exploited a misconfigured WAF and over-permissioned IAM role via SSRF to extract 100M+ Capital One customer records. Capital One paid $190M to settle DOJ/OCC charges plus $80M+ in civil settlements. Training control: every engineer who provisions WAF rules, IAM roles, or VPC configurations needs hands-on training on what an over-privileged role looks like, what SSRF is and how it traverses metadata services, and how to detect the egress pattern in CloudTrail logs. The breach was detected by an external researcher, not Capital One's own monitoring.
Attackers compromised JPMorgan using credentials reused on a third-party site that itself had been breached, then escalated by compromising a sysadmin account that had elevated 2FA-system privileges. Total incident cost exceeded $250M. The training takeaway is twofold: work credentials cannot be reused on external sites, and IT staff who provision and operate the 2FA system itself must be held to a higher standard of credential hygiene and segmentation — because once the attacker owns the authenticator, every account behind it is theirs.
In November 2023, LockBit encrypted the systems ICBC used to clear US Treasury trades, forcing operators to route trades via USB stick between offices. The incident disrupted billions of dollars of US Treasury settlement. Every bank's treasury operations, clearing, and wire-transfer teams need a documented cutover and recovery runbook — not just for their own systems, but for counterparty systems as well, including CHIPS, SWIFT, Fedwire, and DTC contingency routing.
An IDOR vulnerability in First American's document delivery platform allowed anyone to retrieve over 885M title insurance documents going back to 2003, with no authentication required. The issue had been flagged in pen testing months earlier and not fixed. First American paid a $1M NYDFS Part 500 fine plus multiple class actions. Training takeaway: every engineer who designs a document retrieval API needs hands-on training on access control design, and every product manager who approves an ID-based URL needs to understand the authentication requirements. A known-found-vulnerability-not-fixed is a regulator's best case.
The Lazarus Group FASTCash scheme exploited card-issuer systems and correspondent-banking BIN tables at multiple banks, coordinating tens of millions of dollars in ATM withdrawals across 30+ countries in coordinated bursts. AML/BSA officers and the IT staff who support them need ongoing training on how correspondent-banking message formats (ISO 8583, MT103) are exploited for layering, how to identify anomalous transaction patterns in real time, and what FATF Travel Rule technical integration requires.
SecurEveryone · SOX / GLBA / FFIEC / NYDFS Part 500 / OCC · $150–$900 · Live expert coaching