TL;DR: Banks are facing credentialed insider threats from state-linked operatives and malicious insiders who already hold valid access, while the control gap is shifting from perimeter defense to lateral movement containment, according to Illumio’s analysis. The governance failure is not access alone, but the assumption that cleared or credentialed users can be trusted to behave safely inside the network.
NHIMG editorial — based on content published by Illumio: Trusted, Credentialed, Dangerous: The New Insider Threat Facing Banks
By the numbers:
- The U.S. Treasury confirmed in March 2026 that North Korean IT workers generated nearly $800 million by sitting inside U.S. company networks on legitimate payrolls.
- On March 3, 2026, the New York State Department of Financial Services sent an industry letter to the CISOs of every institution it regulates.
- The FBI has warned since January 2025 that these workers also steal proprietary data and position themselves for long-term sabotage.
Questions worth separating out
Q: What breaks when banks treat valid credentials as proof of trust?
A: When banks equate valid credentials with trust, they create a blind spot for insiders and credentialed adversaries who can move normally after login.
Q: Why do credentialed insiders increase lateral movement risk so quickly?
A: Credentialed insiders increase lateral movement risk because they already sit inside the trust boundary and can use ordinary tools, permissions, and workflows.
Q: How can security teams tell whether containment controls are actually working?
A: Teams should test whether a valid user can reach systems outside their normal role, whether privilege escalation is visible in time, and whether east-west movement is constrained by design.
Practitioner guidance
- Map trusted-access kill chains Document how a valid user, contractor, or privileged session could progress from onboarding to lateral movement, data access, and destructive action.
- Tighten east-west privilege boundaries Reduce what any authenticated identity can reach by default, especially administrative consoles, sensitive data stores, and orchestration tools.
- Correlate identity and session telemetry Combine login source, device trust, privilege escalation, and access path data so plausible behaviour still becomes visible when it crosses normal operating boundaries.
What's in the full article
Illumio's full blog covers the operational detail this post intentionally leaves for the source:
- The specific signs of lateral movement containment failure in bank environments and how they show up in telemetry.
- The regulatory context behind NYDFS Part 500 certification and how banks are being asked to evidence resilience.
- The article's examples of North Korean and Iranian-linked activity, including how credentialed access was used in practice.
- The author’s framing of how banks should think about containment architecture when the attacker is already inside.
👉 Read Illumio's analysis of credentialed insider threats facing banks →
Credentialed insider threats in banking: what controls are missing?
Explore further
Credentialed insider risk is now a governance problem, not a perimeter problem. The article shows that attackers do not always need to defeat authentication when they can inherit it through hiring, identity compromise, or cleared employment. That means control ownership sits across identity operations, hiring risk, and privilege governance, not only SOC tooling. Practitioners need governance models that assume trusted access can become hostile at any point.
A question worth separating out:
Q: Who is accountable when a credentialed insider causes harm?
A: Accountability should be shared across IAM, HR, security operations, and the business owner of the access process, because the failure spans onboarding, privilege assignment, monitoring, and response. In regulated banking environments, supervisory expectations increasingly focus on least privilege, monitoring, and resilience testing. That makes ownership of containment evidence as important as access approval.
👉 Read our full editorial: Credentialed insider threats are exposing bank resilience gaps