TL;DR: Financial institutions faced 566 breaches and more than 254 million leaked records by December 2022, while ransomware attacks in the sector rose from 55% in 2022 to 64% in 2023, according to SentinelOne’s analysis. The practical lesson is that resilience now depends on identity controls, segmentation, and recovery discipline, not perimeter assumptions alone.
NHIMG editorial — based on content published by SentinelOne: analysis of cyber attacks on the financial and banking industry
By the numbers:
- As of December 2022, finance and insurance organizations globally experienced 566 breaches, leading to over 254 million leaked records.
- Ransomware attacks on financial services have increased from 55% in 2022 to 64% in 2023, which is nearly double the 34% reported in 2021.
Questions worth separating out
Q: What breaks when phishing leads to credential theft in financial services?
A: Phishing becomes dangerous when stolen credentials unlock broad access to customer systems, recovery tools, or privileged admin functions.
Q: Why do financial institutions need least privilege and segmentation together?
A: Least privilege limits what an identity can do, but segmentation limits where that identity can go.
Q: How do security teams know if breach detection is actually working?
A: They measure how quickly an alert becomes a confirmed compromise assessment, how often the answer is defensible, and whether logs support that conclusion.
Practitioner guidance
- Reduce standing privilege across finance workflows Inventory admin, service, and third-party accounts that can reach payments, customer data, or backup systems.
- Bind MFA to high-risk access paths Require stronger authentication for remote access, privileged functions, and external partner entry points.
- Segment systems that limit ransomware spread Separate business-critical platforms, backup infrastructure, and identity administration so one compromised account cannot traverse the entire recovery chain.
What's in the full article
SentinelOne's full blog covers the operational detail this post intentionally leaves for the source:
- A finance-sector breakdown of ransomware cost categories, including ransom payments, legal exposure, and recovery overhead.
- The article's full checklist for response and recovery planning, including incident workflows, contacts, and cyber recovery exercises.
- Specific guidance on network hardening, email protection, and segmentation choices for financial environments.
- The identity and access management section covering MFA, RBAC, least privilege, and account monitoring in more detail.
👉 Read SentinelOne's analysis of cyber risk, resilience, and IAM in financial services →
Financial sector cyber resilience: what IAM teams need to know now?
Explore further
Identity control is the pivot point between a security incident and a business outage. In financial services, phishing and credential theft matter because authenticated access can bypass many perimeter assumptions. When access scopes are broad, an attacker does not need to “break in” again to move toward critical systems. The practical conclusion is that finance teams should treat identity governance as operational resilience, not just account administration.
A question worth separating out:
Q: Who is accountable when identity failures disrupt critical financial services?
A: Accountability sits with the teams that own identity governance, security operations, and resilience planning together, because DORA links access control to business continuity. If those functions are separated, no one can prove that identity risks were understood, monitored, and contained before services were affected.
👉 Read our full editorial: Financial-sector cyber resilience depends on identity, recovery and segmentation