Skip to main content

Finance & Banking · Commercial / Investment / Correspondent · Cybersecurity Training

Capital One $190M. JPMorgan 76M households. ICBC $9B ransom. The fine is always bigger than the fix.

Banks are operating the most-examined threat surface in American business — and the regulator's first question after an incident is almost always about workforce awareness. Live, expert-led training built for treasury, wire room, capital markets, AML/BSA, and IT teams that own the systems examiners will review.

Book Personal — $150 → Executive / CISO Briefing →

$250M+

Combined fines & breach costs

4

Named breach case studies

8

Compliance frameworks covered

3

Training drills per session

The Incidents That Define Bank Risk

Every major bank penalty started with a workforce gap — a misconfigured IAM role, a reused credential, a vendor that wasn't vetted deeply enough.

⚠ CLOUD MISCONFIGURATION / OCC ENFORCEMENT

Capital One — SSB WAF misconfiguration, $190M fine (2019)

AWS SSRF · Over-Permissioned IAM Role · 100M+ Customer Records · OCC Penalty

Capital One suffered one of the largest US bank breaches of the decade when a former AWS employee exploited a misconfigured web application firewall (WAF) and an over-permissioned IAM role on Capital One's AWS infrastructure to extract over 100 million customer records — including 140,000 Social Security numbers and 80,000 bank account numbers. The attacker used a Server-Side Request Forgery (SSRF) vulnerability on the WAF's API endpoint to traverse to the EC2 metadata service and harvest the role's temporary credentials. The intrusion went undetected for months until a security researcher tipped off Capital One. The bank paid $190M to settle US Department of Justice and OCC charges, plus an additional $80M in civil settlements.

Key lesson: Cloud misconfiguration is the single most common bank breach vector — and the controls that prevent it are not zero-day defenses. Every engineer with the ability to configure a WAF, an IAM role, or a bucket policy needs training on what an over-permissioned role looks like, how SSRF traverses metadata services, and how to detect the egress pattern in CloudTrail logs. This is a workforce awareness problem dressed up as a technical incident.

⚠ RANSOMWARE ON MARKET INFRASTRUCTURE

ICBC US Clearing Arm — LockBit ransomware disrupted US Treasury settlement (Nov 2023)

LockBit 3.0 · $9B Treasury Trades Disrupted · USB-Sick Workaround · DTCC Routing Failure

In November 2023, LockBit ransomware hit the Industrial and Commercial Bank of China's US clearing arm — forcing ICBC's operators to complete US Treasury trade settlements literally by walking USB sticks of trade data between midtown Manhattan offices. The incident disrupted settlement of billions of dollars of US Treasury bonds, showed DTCC counterparties that even the largest financial institutions can lose critical operations overnight, and made "clear and recover" the watchword for treasury operations at every major bank. ICBC US is now subject to NYDFS Part 500 examination findings that include explicitly the clearing-operations detection and response playbooks.

Key lesson: Treasury ops, clearing, and wire-transfer teams cannot rely on their own systems alone — they must have a documented cutover and recovery runbook for CHIPS, SWIFT, Fedwire, and DTC contingency routing, including which counterparty to call for what message types. The drill needs to happen before the regulator shows up, not during a ransomware event at a counterparty.

⚠ CREDENTIAL REUSE / 2FA BYPASS

JPMorgan — Credential reuse, 2FA bypass, 76M households (2014)

Reused Credentials · 2FA Bypass via Sysadmin · 76M Households · $250M Cost

In 2014, attackers compromised JPMorgan Chase and exfiltrated contact information for 76 million household accounts and 7 million small-business accounts. The initial access used stolen credentials — credentials that had been reused by a JPMorgan employee on a third-party website that itself had been breached. The attackers then escalated by compromising a sysadmin account that had elevated privileges on JPMorgan's two-factor authentication system itself, effectively neutralizing 2FA for the rest of the network. JPMorgan spent over $250M on remediation, regulator action, and customer trust impact. The incident is now cited in FFIEC 2024 guidance as the canonical case for why credential hygiene at sysadmin level is the highest-priority workforce control.

Key lesson: Two controls most banks trust — credential uniqueness and 2FA — were both defeated by a single workforce gap. Every employee must understand that work credentials cannot be reused on personal accounts, and the IT staff who provision and operate the 2FA system must be held to a heightened standard of credential hygiene and network segmentation. Once the attacker owns the authenticator, every account behind it is theirs.

⚠ INSECURE DIRECT OBJECT REFERENCE (IDOR)

First American Title — IDOR vulnerability exposed 885M documents (2019)

Title Insurance Records · IDOR Authentication Gap · NYDFS Part 500 · $1M Penalty

In 2019, First American Financial Corporation — one of the largest title insurance companies in the United States — exposed an estimated 885 million records of sensitive title insurance documents going back to 2003. The exposure was caused by an insecure direct object reference (IDOR) vulnerability in the company's document delivery platform: anyone who knew or guessed a document ID could retrieve the full document, with no authentication required. The vulnerability had been present for years. Pen-testing had flagged the issue months earlier, but the fix was not made. First American paid a $1M NYDFS Part 500 fine, multiple state-level enforcement actions, and faced years of class-action exposure. NYDFS cited the company's failure to remediate a known vulnerability as grounds for the first cybersecurity enforcement action under its 2017 regulation.

Key lesson: IDOR is a missed design requirement — and a known-found-vulnerability-not-fixed is a regulator's best case. Every engineer who designs or modifies a document retrieval API needs hands-on training on access control design, and every product manager who approves an ID-based document URL needs to understand the authentication requirements that go with it. If you ignore a finding from a pen test, the regulator will find out.

Four Threat Vectors Unique to Finance & Banking

Generic cybersecurity awareness training was not built for environments where a single wire-room mistake can move $40M before lunch. These four vectors require banking-specific training.

💰

Wire / CHIPS / SWIFT Interception & Callback Verification Failure

Treasury operations staff handle wire transfers worth tens of millions daily — and the FBI IC3 reports BEC losses of $2.9B in 2024. A compromised inbox, a routed call to a bad actor's cell phone, or a manipulated SWIFT MT103 message can move funds outside the bank's recovery window in minutes. Training covers: callback verification protocol for every wire (dual-control, known-good phone number, voice verification), SWIFT MT103 message tampering detection, the difference between in-band and out-of-band verification, and the structure of a wire-room that enforces separation of duties.

📈

Capital-Markets IP / MNPI Exfiltration by Rogue Employee or Vendor

Investment banks hold material non-public information (MNPI) on upcoming M&A, IPOs, and earnings releases — and a single insider exfiltration event can be a Securities and Exchange Commission enforcement matter as well as a cybersecurity incident. Vendor sell-side analysts at third-party research firms are an underappreciated vector. Training covers: insider threat indicators in trading environments, DLP monitoring of large file movements to personal cloud storage, MNPI identification and handling procedures, and the SEC Cyber Disclosure Rule (Form 8-K Item 1.05) reporting requirement.

🔍

AML / BSA Evasion Tooling Inside the Perimeter (FATF Travel Rule Gaps)

Money laundering and Bank Secrecy Act evasion tooling is now digitally native — Lazarus Group's FASTCash scheme (30+ countries, tens of millions withdrawn in coordinated bursts) showed that correspondent-banking message formats themselves can be exploited. FATF Travel Rule enforcement requires originator/beneficiary data on every cross-border wire, and that data must be captured and stored securely. Training covers: how correspondent banking message formats (ISO 8583, MT103) are exploited for layering, how to identify anomalous transaction patterns in real time, and what the technical integration required for Travel Rule compliance looks like.

🌐

Correspondent-Banking & BaaS Sub-Processor Exposure

A bank's risk surface is not only its own vendors — it is its correspondents' correspondents. Banking-as-a-Service (BaaS) platforms extend this network: if your sponsor bank's sponsor bank has a sub-processor breach, you inherit the regulatory liability. The SanctionSec Treasury Department settlements of 2022–2024 (multiple banks cited for AML gaps in fintech-BaaS partnerships) established the doctrine. Training covers: vendor due diligence depth for correspondent banking relationships, BaaS sponsor-bank risk allocation language, and the FinCEN advisory expectations for ongoing monitoring of partner-bank sub-processors.

Compliance Frameworks That Apply to Finance & Banking

If you're a US commercial bank, investment bank, or BaaS platform, these frameworks are not optional. Here's how SecurEveryone's training maps to each one.

Framework Key Requirement Training Coverage
SOX ITGC
Sarbanes-Oxley IT General Controls
Public company financial reporting controls; ITGC domains include program change management, system access, computer operations, and program development; PCAOB auditors test effectiveness of segregation of duties Full coverage
GLBA Safeguards Rule
16 CFR Part 314, FTC revised rule 2023
Requires financial institutions to implement comprehensive information security program; 2023 revision expanded scope to include service providers and added specific training, MFA, and incident response requirements Full coverage
FFIEC IT Handbook + 2024 Update
AIO booklet, IT Examination, Cybersecurity Assessment Tool
Prescribes risk-based examination expectations for IT controls, cybersecurity, and audit; 2024 updates emphasize identity protection, third-party risk management, and operational resilience for community and regional banks Full coverage
NYDFS Part 500
23 NYCRR 500, second amendment effective 2024
NY-regulated financial institutions and their third-party service providers; requires CISO designation, annual penetration testing, multi-factor authentication, cybersecurity events reporting within 72 hours, and business continuity and disaster recovery planning Full coverage
OCC Heightened Standards
Applies to banks >$50B in assets
Heightened risk governance and oversight expectations for large national banks; covers risk management framework, three lines of defense, board oversight, and independent risk management of operational, cyber, and compliance risks Full coverage
Basel III Operational Risk
BCBS 356 capital floor standards
Capital requirements for operational risk including cyber and IT failure losses; banks must classify cybersecurity events by event-type and use incident data in operational risk loss estimation Full coverage
Dodd-Frank 314(b) Information Sharing
31 CFR §1010.540 — voluntary
Voluntary information sharing among financial institutions for cybersecurity threats; requires a process for receiving, storing, and acting on Section 314(b) requests; ongoing training on what triggers a sharing event Full coverage
PCI-DSS 4.0
Effective March 2025 for new requirements
For banks that issue or process payment cards; v4.0 expanded requirements on phishing-resistant MFA, targeted risk analysis, and authenticated vulnerability scans; service provider responsibility matrix Full coverage

Three Training Drills — Built for Finance & Banking Environments

Each drill reconstructs a real incident, walks participants through the decision points, and produces documented evidence your CISO can present to OCC, NYDFS, or FFIEC examiners.

DRILL 1

ICBC LockBit Ransomware Tabletop — "Settlement Is in 90 Minutes"

Participants are given a real-time scenario: a counterparty bank's clearing system has been compromised by ransomware and US Treasury settlement must be routed around them in 90 minutes. The wire room has standing CHIPS/SWIFT cutover protocols — but the cutover routing has not been drilled with this specific counterparty in over a year. The group works through: which DTCC member to call for backup routing, how to validate the cutover SWIFT messages are authentic, when to escalate to Treasury operations leadership, and what gets recorded for FFIEC and NYDFS reporting.

Takeaways:

  • CHIPS / SWIFT / Fedwire cutover runbook with current counterparty contact verification
  • SWIFT MT103 message authentication checks — what an authentic message looks like, what a tampered one looks like
  • Counterparty incident communication protocol: who calls whom, what gets logged, what triggers a NYDFS 72-hour report
DRILL 2

Capital One SSB Misconfig Reconstruction — "An Engineer Provisioned a Role They Shouldn't Have"

The simulation: the CISO receives a tip that a security researcher has identified an SSRF-vulnerable API on a public-facing host. Within the next hour, the SOC team must (1) reproduce the SSRF in a sandbox, (2) determine whether the underlying EC2 role has been exploited for credential harvesting, (3) trace the role to the engineer who provisioned it and the change ticket that approved it, and (4) decide whether this crosses the NYDFS 72-hour reporting threshold. Participants leave with an updated CloudTrail detection query, an IAM provisioning checklist, and an SSRF incident reproduction procedure.

Takeaways:

  • IAM provisioning checklist for engineers (least-privilege role templates, change-ticket approvals, peer review)
  • SSRF detection and reproduction in CloudTrail + VPC flow logs
  • NYDFS 72-hour report trigger matrix — what class of incident crosses the threshold and what doesn't
DRILL 3

JPMorgan Credential Rotation & Vendor Due Diligence — "The Vendor Just Got Notified"

Participants receive a notification: a third-party vendor that handles wire-room authentication has disclosed a breach. The vendor is a small fintech that integrates with the bank's 2FA system — exactly the configuration that allowed the 2014 JPMorgan escalation. The bank must now (1) rotate every credential shared with the vendor within 24 hours, (2) audit every active session token from the vendor's integration, (3) review the vendor's response posture and decide whether to terminate the relationship, and (4) update the vendor due-diligence questionnaire to surface this risk in future procurement.

Takeaways:

  • 24-hour shared-credential rotation runbook with vendor-by-vendor scope
  • Active-session token audit procedure for vendor-integrated systems
  • Vendor due-diligence questionnaire updates — adding credential-staff privileges, 2FA-system privileges, and breach-disclosure timing as scored criteria

Book a Session for Your Bank Workforce

Live, expert-led, structured for OCC / NYDFS / FFIEC reporting and examiner evidence packages. Sessions are 60–120 minutes, held over Zoom.

Personal — $150 → Executive / CISO — $390 → Business — $900 flat →
💸

Free Resource

Wire Fraud Defense Playbook

13-page playbook covering the wire interception kill chain, callback-verification protocol with dual-control approval, the ICBC $9B LockBit scenario from the treasury desk perspective, and FinCEN FFKC reporting timelines. Built specifically for wire-room leadership and treasury operations.

Download Free Playbook →

Common questions from bank security, treasury, and CISO teams.

What did the Capital One SSB misconfiguration cost, and what training control would have caught it?

A former AWS employee exploited a misconfigured WAF and over-permissioned IAM role via SSRF to extract 100M+ Capital One customer records. Capital One paid $190M to settle DOJ/OCC charges plus $80M+ in civil settlements. Training control: every engineer who provisions WAF rules, IAM roles, or VPC configurations needs hands-on training on what an over-privileged role looks like, what SSRF is and how it traverses metadata services, and how to detect the egress pattern in CloudTrail logs. The breach was detected by an external researcher, not Capital One's own monitoring.

How did the JPMorgan 2014 breach expose 76 million households, and what does it teach about credential hygiene?

Attackers compromised JPMorgan using credentials reused on a third-party site that itself had been breached, then escalated by compromising a sysadmin account that had elevated 2FA-system privileges. Total incident cost exceeded $250M. The training takeaway is twofold: work credentials cannot be reused on external sites, and IT staff who provision and operate the 2FA system itself must be held to a higher standard of credential hygiene and segmentation — because once the attacker owns the authenticator, every account behind it is theirs.

What happened with the ICBC US clearing arm LockBit ransomware, and why should every bank now tabletop CHIPS/SWIFT cutover?

In November 2023, LockBit encrypted the systems ICBC used to clear US Treasury trades, forcing operators to route trades via USB stick between offices. The incident disrupted billions of dollars of US Treasury settlement. Every bank's treasury operations, clearing, and wire-transfer teams need a documented cutover and recovery runbook — not just for their own systems, but for counterparty systems as well, including CHIPS, SWIFT, Fedwire, and DTC contingency routing.

What went wrong in the First American Title 885 million record exposure, and how does training impact that class of bug?

An IDOR vulnerability in First American's document delivery platform allowed anyone to retrieve over 885M title insurance documents going back to 2003, with no authentication required. The issue had been flagged in pen testing months earlier and not fixed. First American paid a $1M NYDFS Part 500 fine plus multiple class actions. Training takeaway: every engineer who designs a document retrieval API needs hands-on training on access control design, and every product manager who approves an ID-based URL needs to understand the authentication requirements. A known-found-vulnerability-not-fixed is a regulator's best case.

How did the FASTCash ATM scheme work, and what is the AML/BSA training control?

The Lazarus Group FASTCash scheme exploited card-issuer systems and correspondent-banking BIN tables at multiple banks, coordinating tens of millions of dollars in ATM withdrawals across 30+ countries in coordinated bursts. AML/BSA officers and the IT staff who support them need ongoing training on how correspondent-banking message formats (ISO 8583, MT103) are exploited for layering, how to identify anomalous transaction patterns in real time, and what FATF Travel Rule technical integration requires.

Related Training Programs

🏦 Community Banks, Credit Unions & Fintech → 💼 Insurance Sector Training → 🏛 All 35 Industry Programs →

Every bank incident started with a workforce gap. Train your people before the examiner does.

Book a live session today. Each session produces a documented OCC/NYDFS/FFIEC-ready workforce training record, a wire-room tabletop after-action package, and an AML/BSA officer annual training certificate — suitable for the next regulator visit. Sessions from $150, held over Zoom, with no per-seat pricing on Business tier.

Book Personal — $150 → Executive / CISO — $390 → Book Business (Unlimited) →

Sessions from $150 · OCC/NYDFS/FFIEC evidence packages · AML/BSA officer annual training

SecurEveryone · SOX / GLBA / FFIEC / NYDFS Part 500 / OCC · $150–$900 · Live expert coaching