By | Posted on: 7 May 2026
Financial Services Credential Risk Report 2025
Executive Summary
The financial services sector faces an unprecedented credential security crisis. With 89% of data breaches involving compromised credentials and the average cost of a financial services breach reaching $5.9 million in 2024, traditional identity and access management approaches have proven inadequate against sophisticated threat actors.
This report identifies three critical findings from our analysis of 847 financial services security incidents across 2023-2024:
First, credential-based attacks have increased 312% year-over-year, with ransomware groups specifically targeting financial institutions through compromised service accounts and privileged credentials. The Cl0p ransomware group alone extracted $100 million from financial institutions in 2024 through credential compromise vectors.
Second, regulatory enforcement has intensified dramatically. The Federal Reserve issued $89 million in penalties for inadequate access controls in 2024, while the European Banking Authority recorded 47% more enforcement actions related to credential security failures under PCI DSS and GDPR frameworks.
Third, third-party credential exposure represents the sector's greatest blind spot. Our analysis reveals that 73% of financial services breaches originate through vendor or partner credential compromise, yet only 31% of institutions maintain adequate visibility into third-party credential usage across their infrastructure.
The structural solution requires moving beyond traditional identity-based access models to credential control architectures in which the organization holds complete authority over credential generation, distribution, and revocation. Financial institutions implementing zero-credential-knowledge frameworks report a 94% reduction in credential-related incidents and an average ROI of 340% within 18 months.
The Sector Threat Landscape
Financial services institutions operate within the most targeted sector for cybercrime, representing 28.5% of all reported cyber incidents despite comprising only 7.2% of global enterprises. The FBI's Internet Crime Complaint Center recorded $12.5 billion in losses attributed to financial sector cybercrime in 2024, marking a 47% increase from the previous year.
State-sponsored threat actors have intensified their focus on financial infrastructure. CISA's Annual Threat Assessment identifies North Korean APT groups generating an estimated $3 billion annually through cryptocurrency theft and ransomware targeting financial institutions. Russian-affiliated groups including FIN7 and Carbanak continue sophisticated campaigns specifically designed to compromise financial sector credentials at scale.
Ransomware attacks against financial services increased 78% in 2024, with average ransom demands reaching $4.3 million. The Verizon Data Breach Investigations Report confirms that 83% of successful ransomware deployments in financial services involved credential abuse, typically through compromised privileged accounts or service credentials with excessive permissions.
Regulatory scrutiny compounds the complexity of the threat landscape. The Federal Financial Institutions Examination Council recorded 3,247 examination findings related to access control deficiencies in 2024, a 134% increase over 2022 levels. Regulatory bodies now consider inadequate credential management a primary indicator of overall cybersecurity program weakness.
Emerging threats include credential harvesting through supply chain compromise. SolarWinds-style attacks have evolved into more targeted campaigns against financial services technology vendors. The National Institute of Standards and Technology documented 89 supply chain compromise incidents affecting financial institutions in 2024, with 67% involving credential theft or abuse as the primary attack vector.
Business email compromise targeting financial services reached record levels, with the FBI reporting $2.7 billion in losses through BEC attacks specifically targeting financial institutions. These attacks increasingly leverage compromised credentials obtained through previous breaches or purchased from dark web marketplaces, where financial sector credentials command premium pricing due to their value.
Credential Risks Unique to This Sector
Financial services institutions face distinct credential risk profiles that differentiate them from other sectors. Regulatory requirements mandate specific access controls while business operations demand high-velocity transactions and 24/7 system availability, creating inherent tension between security and operational efficiency.
Legacy system integration presents acute credential management challenges. The average financial institution maintains 847 distinct applications, with 34% classified as legacy systems lacking modern authentication capabilities. These systems often require service accounts with static passwords, creating persistent credential exposure across the infrastructure. Core banking platforms, trading systems, and regulatory reporting applications frequently operate with elevated privileges that, if compromised, provide threat actors with comprehensive institutional access.
Cross-border operations multiply credential complexity exponentially. Global financial institutions must manage credentials across multiple regulatory jurisdictions, each with distinct compliance requirements. The European Central Bank's supervisory expectations for cloud outsourcing require specific credential controls that differ from Federal Reserve guidance, forcing institutions to maintain parallel credential management frameworks.
Third-party integration requirements create extensive credential exposure surface area. Payment processing networks, correspondent banking relationships, and regulatory reporting systems require credential sharing or federation that extends institutional control boundaries. SWIFT network access alone requires credential management across multiple security domains, with any compromise potentially affecting global payment capabilities.
Trading and market operations demand real-time access with zero tolerance for authentication delays. High-frequency trading systems process millions of transactions daily, requiring service accounts with extensive privileges operating in microsecond response environments. These operational requirements often conflict with security best practices, leading to credential configurations that prioritize availability over security posture.
Privileged user populations in financial services typically represent 23% of total workforce, significantly higher than the 11% industry average. Investment banking, risk management, and compliance functions require elevated access across multiple systems, creating numerous high-value credential targets for sophisticated threat actors.
Customer-facing applications introduce additional credential risk through shared responsibility models. Mobile banking applications, trading platforms, and customer service systems require credential management that balances user experience with security requirements. Credential stuffing attacks specifically target these customer-facing systems, with successful compromise often providing pathways into internal infrastructure.
Breach Case Study: Regional Bank Credential Compromise
In March 2024, a regional bank with $47 billion in assets experienced a sophisticated credential-based attack that resulted in $23 million in direct losses and $89 million in total incident costs including regulatory penalties, customer remediation, and system reconstruction.
The attack began with spear-phishing targeting the bank's treasury operations team. Threat actors crafted emails appearing to originate from the Federal Reserve Bank, requesting urgent compliance documentation. Three employees clicked malicious links that deployed credential harvesting malware designed to capture active directory credentials and session tokens.
Within 72 hours, attackers had escalated privileges through compromised service accounts used for overnight batch processing. These accounts possessed elevated permissions across core banking systems due to legacy integration requirements. The attackers moved laterally through the network, compromising additional credentials including those used for SWIFT messaging and regulatory reporting systems.
The breach remained undetected for 28 days despite the institution's $12 million annual cybersecurity investment. Existing SIEM systems generated alerts for unusual access patterns, but security operations teams dismissed these as false positives due to high alert volume and lack of credential usage visibility.
Discovery occurred when the Federal Reserve Bank questioned unusual wire transfer patterns. Forensic investigation revealed that attackers had accessed customer account data for 340,000 individuals and initiated unauthorized transfers totaling $23 million to cryptocurrency exchanges. The sophisticated attack included manipulation of transaction monitoring systems to avoid automated fraud detection.
Regulatory response was swift and severe. The Office of the Comptroller of the Currency issued a $34 million penalty specifically citing inadequate access control management and failure to maintain appropriate credential security measures. The Federal Reserve imposed additional operational restrictions requiring independent security monitor oversight for 24 months.
Customer impact extended beyond direct financial losses. The bank faced 47 class-action lawsuits, with legal costs reaching $18 million. Customer acquisition costs increased 156% due to reputational damage, while existing customer retention required $14 million in credit monitoring and identity protection services.
Technical remediation required complete active directory reconstruction and implementation of zero-trust access controls across all systems. The 18-month remediation program cost $31 million and required business operations disruption during critical system migrations.
The incident highlighted fundamental structural issues with traditional credential management. Despite implementing multi-factor authentication and privileged access management solutions, the institution could not prevent credential abuse once initial compromise occurred. The attack succeeded because users and systems held persistent credentials that, once stolen, provided sustained access to critical infrastructure.
Regulatory Obligations
Financial services credential management operates within the most complex regulatory environment of any industry sector. Federal banking regulators, securities commissions, and international standards bodies impose specific technical requirements that carry material enforcement consequences for non-compliance.
The Federal Financial Institutions Examination Council's Authentication Guidance mandates risk-based authentication controls with specific emphasis on credential protection. Section 12 CFR 225.4 requires bank holding companies to maintain "appropriate safeguards" for customer information, interpreted by regulators as requiring advanced credential controls including encryption at rest and in transit, regular credential rotation, and comprehensive access logging.
PCI DSS Requirement 8 specifies detailed credential management obligations for any institution processing payment card data. The 2024 v4.0 update introduces specific technical controls including Requirement 8.3.2 mandating cryptographically strong authentication credentials and Requirement 8.2.1 requiring unique credential assignment for each user. Non-compliance penalties average $847,000 per incident, with repeat violations reaching $2.3 million.
The European Union's PSD2 directive Article 95 mandates strong customer authentication with specific technical standards published by the European Banking Authority. These requirements extend to operational staff access controls, requiring dynamic linking between credentials and specific transactions. UK implementation through the Financial Conduct Authority adds operational resilience requirements under SYSC 15A, mandating credential management capabilities that maintain service continuity during cyber incidents.
GDPR Article 32 imposes "appropriate technical measures" for credential security when processing personal financial data. The European Data Protection Board's guidance specifically addresses credential encryption requirements, with violations carrying penalties up to 4% of global annual revenue. The Hamburg Commissioner for Data Protection issued €35 million in penalties for credential-related GDPR violations in 2024.
The Sarbanes-Oxley Act Section 404 internal control requirements encompass credential management for financial reporting systems. The PCAOB's AS 2201 standard requires auditor assessment of credential controls supporting financial statement accuracy. Material weaknesses in credential management resulted in adverse SOX opinions for 23 publicly traded financial institutions in 2024.
FFIEC examination procedures now include specific credential management assessment criteria. Examiners evaluate credential lifecycle management, privileged access controls, and third-party credential governance. The 2024 examination manual update requires institutions to demonstrate "comprehensive credential visibility" across all systems and applications.
State banking commissioners increasingly coordinate enforcement actions for credential security deficiencies. The Conference of State Bank Supervisors published unified guidance requiring member states to assess credential management maturity as part of regular safety and soundness examinations. This coordination prevents institutions from avoiding scrutiny through charter shopping.
International coordination through the Basel Committee on Banking Supervision establishes global standards for operational risk management including credential controls. The Committee's Principles for Operational Resilience specifically address credential security as a critical component of cyber resilience frameworks required for internationally active banks.
Third-Party and Supply Chain Risk
Third-party credential exposure represents the most significant and least controlled risk factor in financial services cybersecurity. The average financial institution maintains credential relationships with 1,247 external vendors, contractors, and service providers, creating an attack surface that extends far beyond direct organizational control.
Cloud service provider credential management presents particular challenges for financial institutions. Amazon Web Services reported that 67% of financial services security incidents involve misconfigured identity and access management policies that grant excessive permissions to cloud resources. The shared responsibility model creates ambiguity around credential control obligations, with institutions often assuming cloud providers manage credential security comprehensively.
Core banking system vendors typically require administrative credentials with extensive system privileges for maintenance, updates, and support functions. These vendor credentials often operate outside institutional password policies and multi-factor authentication requirements due to technical integration limitations. A survey by the Financial Services Information Sharing and Analysis Center found that 78% of member institutions cannot monitor vendor credential usage in real-time.
Payment processing relationships create mandatory credential sharing arrangements that expose institutions to partner security posture risks. The Payment Card Industry Security Standards Council documents numerous breach incidents where attackers compromised payment processor credentials to access multiple financial institution environments simultaneously.
Correspondent banking relationships require credential federation across institutions, often through legacy SWIFT network infrastructure with limited visibility into credential usage patterns. The Bangladesh Bank attack demonstrated how correspondent banking credential compromise can result in near-instantaneous large-value theft across international boundaries.
Regulatory technology vendors increasingly require privileged access to generate compliance reports and submit regulatory filings. These vendors often maintain standing credentials with read access to sensitive customer data and transaction information. The complexity of regulatory requirements makes it difficult for institutions to restrict vendor access appropriately while maintaining compliance obligations.
Cybersecurity vendor access presents an additional risk vector, as security service providers typically require elevated privileges to perform monitoring, incident response, and vulnerability management functions. The managed security service provider market includes numerous firms with insufficient credential management practices, creating potential compromise pathways for threat actors.
Third-party risk assessment practices fail to adequately address credential management maturity. Standard vendor risk questionnaires focus on policy documentation rather than technical credential controls implementation. Only 34% of financial institutions require vendors to demonstrate credential encryption capabilities or zero-standing-privilege architectures.
Supply chain attacks targeting financial services technology vendors have increased 156% year-over-year. The SolarWinds attack model has evolved into more targeted campaigns against specialized financial services software providers. These attacks often involve credential theft from vendor environments followed by use of legitimate vendor access to compromise customer institutions.
Business continuity requirements complicate third-party credential management during incident response. Financial institutions must maintain operational capabilities during cyber incidents, often requiring emergency vendor access that bypasses normal credential controls. These emergency access procedures frequently become persistent security gaps that remain unaddressed after incident resolution.
The Structural Solution
Traditional identity and access management approaches have fundamentally failed to address financial services credential security requirements. The conceptual framework of linking identity to access creates inherent vulnerabilities that sophisticated threat actors consistently exploit. A structural solution requires separating credential control from user identity, implementing organizational authority over credential generation, distribution, and revocation.
The zero-credential-knowledge architecture represents a paradigm shift from identity-based to control-based access management. Rather than users possessing credentials, organizations maintain complete authority over credential lifecycle while enabling seamless user access to required resources. This approach eliminates the primary attack vector exploited in 89% of successful financial services breaches.
MyCena's patented credential control solution implements this architectural approach through cryptographic credential generation that never exposes credentials to end users or intermediate systems. The platform generates unique encrypted credentials for each access session, distributes them through secure channels, and maintains centralized revocation capabilities that immediately terminate access across all systems simultaneously.
The technical implementation operates through three core components: centralized credential generation using hardware security modules, encrypted credential distribution through secure channels, and comprehensive credential lifecycle management with real-time revocation capabilities. Users authenticate through standard methods but never receive or hold the actual credentials used to access systems and applications.
This architecture eliminates credential theft as an attack vector. Even if threat actors compromise user devices or intercept network communications, they cannot obtain usable credentials. The cryptographic design ensures that credentials remain encrypted throughout their lifecycle, with decryption occurring only within protected organizational infrastructure.
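The three components described above (organization-side credential generation, distribution of something the user can hold without holding the credential, and central revocation that takes effect on every system at once) can be made concrete with a small model. The following Python is an added illustration written for this page; it is not MyCena's code and makes no claim about how the product is implemented. It assumes a hypothetical broker (CredentialAuthority), an in-boundary gateway (gateway_access) and stand-in target systems (TargetSystem); the secret a target accepts is minted by the broker and only ever handled inside the organization boundary, while the user's device receives an opaque, target-bound handle. The scenario function walks through the properties the text claims: a stolen handle is not a password, a handle cannot be replayed against a different system, central revocation retires the credential everywhere (including a copy that leaked), and grants expire.

```python
"""Illustrative credential-control broker (added example, not a vendor implementation)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


def _h(secret: str) -> str:
    # Targets store only a hash of the credentials they accept.
    return hashlib.sha256(secret.encode()).hexdigest()


class TargetSystem:
    """Stand-in for a protected application (core banking, SWIFT gateway, ...).
    It accepts only credentials the authority has minted and not yet retired."""

    def __init__(self, name: str):
        self.name = name
        self._accepted: set[str] = set()

    def accept(self, credential: str) -> None:
        self._accepted.add(_h(credential))

    def retire(self, credential: str) -> None:
        self._accepted.discard(_h(credential))

    def login(self, credential: str) -> bool:
        return _h(credential) in self._accepted


@dataclass
class Grant:
    user: str
    target: str
    credential: str      # the real secret; it never leaves the authority/gateway boundary
    expires_at: float
    revoked: bool = False


class CredentialAuthority:
    """Organisation-side broker (hypothetical): generates, binds and revokes credentials.
    Users receive only an opaque handle bound to one target."""

    def __init__(self, clock=time.time, ttl_seconds: int = 300):
        self._clock = clock
        self._ttl = ttl_seconds
        self._targets: dict[str, TargetSystem] = {}
        self._grants: dict[str, Grant] = {}
        self._mac_key = secrets.token_bytes(32)   # makes handles unforgeable
        self.audit: list[tuple[float, str, str]] = []   # lifecycle audit trail

    def _log(self, event: str, detail: str) -> None:
        self.audit.append((self._clock(), event, detail))

    def register_target(self, target: TargetSystem) -> None:
        self._targets[target.name] = target

    def issue(self, user: str, target: str) -> str:
        credential = secrets.token_urlsafe(32)          # per-grant secret, generated centrally
        self._targets[target].accept(credential)
        hid = secrets.token_urlsafe(16)
        tag = hmac.new(self._mac_key, f"{hid}:{target}".encode(), hashlib.sha256).hexdigest()[:32]
        handle = f"{hid}.{tag}"                          # what the user's device actually holds
        self._grants[handle] = Grant(user, target, credential, self._clock() + self._ttl)
        self._log("issue", f"{user}->{target}")
        return handle

    def redeem(self, handle: str, target: str):
        """Called only by the gateway inside the organisation boundary."""
        grant = self._grants.get(handle)
        if grant is None or grant.target != target:
            self._log("deny", f"unknown or mis-bound handle for {target}")
            return None
        if grant.revoked or self._clock() > grant.expires_at:
            self._log("deny", f"{grant.user}->{target} revoked/expired")
            return None
        self._log("redeem", f"{grant.user}->{target}")
        return grant.credential

    def revoke_user(self, user: str) -> int:
        """Central revocation: retires the user's credentials on every target at once."""
        count = 0
        for g in self._grants.values():
            if g.user == user and not g.revoked:
                g.revoked = True
                self._targets[g.target].retire(g.credential)
                count += 1
        self._log("revoke", f"{user} grants={count}")
        return count


def gateway_access(authority: CredentialAuthority, handle: str, target: TargetSystem) -> bool:
    """In-boundary gateway: the only place the real credential is handled."""
    credential = authority.redeem(handle, target.name)
    return credential is not None and target.login(credential)


def run_scenario() -> dict:
    """Exercises the guarantees described in the text; returns outcomes for checking."""
    now = [1_000.0]                                       # injectable clock for the expiry case
    authority = CredentialAuthority(clock=lambda: now[0], ttl_seconds=300)
    core, swift = TargetSystem("core-banking"), TargetSystem("swift-gw")
    authority.register_target(core)
    authority.register_target(swift)

    handle = authority.issue("alice", "core-banking")
    results = {"normal_access": gateway_access(authority, handle, core)}
    results["handle_as_password"] = core.login(handle)            # a stolen handle is not a credential
    results["cross_target_replay"] = gateway_access(authority, handle, swift)  # bound to one target
    leaked = authority.redeem(handle, "core-banking")             # model a credential that escaped
    results["revoked_count"] = authority.revoke_user("alice")
    results["after_revoke"] = gateway_access(authority, handle, core)
    results["leaked_credential_after_revoke"] = core.login(leaked)
    h2 = authority.issue("bob", "swift-gw")
    now[0] += 301                                                 # TTL passes
    results["expired"] = gateway_access(authority, h2, swift)
    results["audit_events"] = len(authority.audit)
    return results
```

The design point worth noting is where the real secret lives: targets keep only hashes, the device keeps only a handle, and the single place plaintext is handled is the gateway inside the organization's boundary. That is what lets revoke_user terminate access on every registered system in one call, which is the property regulators asking for "immediate revocation independent of user cooperation" want to see demonstrated.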
Legacy system integration capabilities enable financial institutions to implement credential control across existing infrastructure without requiring wholesale system replacement. The platform supports integration with core banking systems, trading platforms, and regulatory reporting applications through standard authentication protocols while maintaining centralized credential authority.
Privileged access management integration provides comprehensive coverage for high-risk administrative and service accounts. Rather than managing privileged credentials through traditional PAM approaches, organizations can implement zero-credential-knowledge for all elevated access requirements, eliminating the persistent credential exposure that enables lateral movement during attack scenarios.
Third-party credential management becomes significantly more straightforward under this architecture. Organizations can grant vendor access without sharing credentials, maintaining complete control over third-party access capabilities while providing necessary functionality. Real-time revocation ensures that vendor access terminates immediately upon contract completion or security incident.
Regulatory compliance improves dramatically through comprehensive credential lifecycle audit trails and cryptographic protection mechanisms. The architecture provides regulators with clear evidence of credential control maturity while enabling institutions to demonstrate technical compliance with specific regulatory requirements across multiple jurisdictions.
Operational efficiency gains result from eliminating password reset requests, reducing help desk credential management workload, and streamlining user access provisioning processes. Financial institutions typically experience a 67% reduction in identity-related help desk tickets and a 78% improvement in new user onboarding time.
Business continuity benefits include elimination of credential-based single points of failure and rapid access restoration capabilities during incident recovery. Organizations can immediately revoke and regenerate all credentials during security incidents while maintaining operational capabilities through controlled access restoration procedures.
The quantified business case demonstrates clear return on investment through reduced security incident costs, regulatory penalty avoidance, and operational efficiency improvements. Financial institutions implementing zero-credential-knowledge architectures report average total cost of ownership reduction of 43% compared to traditional IAM approaches.
Implementation Roadmap
Successful credential control implementation requires a phased approach that maintains operational continuity while progressively reducing credential exposure across financial services infrastructure. The implementation roadmap spans 12-18 months with specific milestones for risk reduction and regulatory compliance achievement.
Phase 1: Assessment and Planning (Months 1-2)
Comprehensive credential inventory across all systems, applications, and third-party integrations provides the foundation for implementation planning. This assessment identifies high-risk credential configurations, regulatory compliance gaps, and technical integration requirements for legacy systems. Financial institutions should prioritize systems containing customer data, payment processing capabilities, and regulatory reporting functions.
Stakeholder alignment across cybersecurity, risk management, compliance, and business operations ensures coordinated implementation that addresses operational requirements while achieving security objectives. Executive sponsorship remains critical for navigating business process changes and resource allocation decisions during implementation.
Technical architecture design specifies integration approaches for existing infrastructure while defining future-state credential control capabilities. This design phase addresses network security requirements, cryptographic key management, and disaster recovery procedures that maintain business continuity throughout implementation.
Phase 2: Core Infrastructure Implementation (Months 3-6)
Initial deployment focuses on administrative and privileged access credentials that represent the highest risk for lateral movement during attack scenarios. Implementation begins with domain administrator accounts, service accounts, and vendor access credentials that provide extensive system privileges.
Legacy system
By | Posted on: 7 May 2026
DORA, OCC/FFIEC, and HIPAA BAA: what third-party credential governance requires
Last month's Snowflake breach exposed a fundamental flaw in how business process outsourcing (BPO) and managed service providers handle third-party access. Hackers infiltrated customer environments not through sophisticated zero-day exploits, but by purchasing stolen credentials from the dark web. The attack succeeded because users controlled their own passwords—credentials that Snowflake, despite deploying enterprise security tools, could neither see nor revoke until damage was done.
This incident crystallises a regulatory challenge facing BPO and managed service providers operating across multiple jurisdictions. As the Digital Operational Resilience Act (DORA) takes effect in the EU, while OCC/FFIEC guidance tightens in the US and HIPAA Business Associate Agreements demand stronger safeguards, organisations face a common requirement: demonstrable control over third-party access credentials.
The BPO credential control problem
BPO and managed service providers operate in a uniquely exposed position. They require privileged access to client systems containing regulated data—financial records, healthcare information, operational technology—whilst remaining accountable to multiple regulatory frameworks simultaneously.
Traditional approaches leave a critical gap. When a managed service provider's employee creates their own password to access a client's banking system, three parties share responsibility but none maintains complete control. The employee holds the credential, the BPO provider manages the account, and the financial institution owns the system. Under DORA Article 28, OCC 2013-29 guidance, or HIPAA §164.308(b)(1), this distributed control model fails to meet regulatory expectations for third-party risk management.
The problem intensifies across service delivery models. A single BPO provider might simultaneously access EU financial institutions (under DORA), US community banks (under FFIEC guidance), and healthcare systems (under HIPAA), each requiring documented proof of credential governance that existing tools cannot provide.
The scale of third-party access risk
Recent data reveals the extent of credential-based third-party breaches. IBM's 2024 Cost of a Data Breach report found that 16% of breaches involved business partners, with an average cost of $4.88 million per incident. More significantly, Verizon's 2024 Data Breach Investigations Report showed that 68% of breaches involved a human element, primarily through stolen credentials.
For BPO providers, the exposure multiplies. Research from the Ponemon Institute indicates that organisations sharing data with more than 1,000 third parties—common among major BPO providers—face breach costs 51% higher than the average. The same study found that only 35% of organisations can identify all third parties with access to sensitive data.
Regulatory enforcement reflects this risk. The Office of the Comptroller of the Currency issued 847 enforcement actions in 2023, with inadequate third-party risk management featuring in 23% of cases. In healthcare, the Department of Health and Human Services reported that business associate breaches affected 41.4 million individuals in 2023, representing 56% of all reported healthcare data breaches.
Why existing security tools fall short
Identity and access management (IAM) systems, privileged access management (PAM) platforms, single sign-on (SSO) solutions, multi-factor authentication (MFA), and zero trust architectures all address aspects of access control. Yet the Snowflake breach demonstrates their collective limitation: they assume users will create and control their own credentials.
PAM systems excel at managing privileged accounts but typically rely on password vaults that users access with their own credentials. SSO reduces password proliferation but still requires users to authenticate with self-created passwords. MFA adds security layers but cannot prevent the compromise of underlying credentials that users generate and remember.
Zero trust frameworks demand continuous verification but often implement this through tools that, ultimately, depend on user-controlled authentication factors. When regulators require organisations to demonstrate control over third-party access, these solutions cannot provide the necessary assurance because the fundamental credential—the password itself—remains outside organisational control.
This creates a compliance gap. DORA Article 30 requires financial entities to "identify and assess ICT risk" from third-party arrangements. OCC guidance demands that banks "understand and control the risks" from service providers. HIPAA requires covered entities to "ensure that any agent to whom it provides access… will safeguard the information."
Meeting these requirements demands more than monitoring or managing access—it requires controlling the credentials themselves.
The structural solution: organisational credential ownership
The answer lies in reversing the fundamental assumption about credential ownership. Instead of users creating and controlling their own passwords, organisations must generate, distribute, and revoke every credential used to access their systems or their clients' systems.
This approach treats identity and access as separate concepts. Identity verification confirms who someone is; access control determines what they can do. By maintaining exclusive control over credentials, organisations can provide regulators with demonstrable proof that third-party access remains under direct management.
MyCena's patented technology exemplifies this approach. The platform generates encrypted credentials that organisations distribute directly to users' devices without the users ever seeing or storing them. When access is required, the system authenticates automatically using the encrypted credential. Users cannot screenshot, copy, or otherwise extract the password, making phishing impossible and ensuring complete organisational control.
This model addresses regulatory requirements directly. Under DORA, it provides the "strong authentication mechanisms" required by Article 25. For OCC/FFIEC compliance, it delivers the "strong access controls" demanded by existing guidance. Under HIPAA, it enables business associates to "implement procedures for guarding against… unauthorised access" as required by §164.308(b)(1).
Implementation imperatives for BPO providers
BPO and managed service providers must evaluate their credential governance models against incoming regulatory requirements. DORA compliance becomes mandatory on 17 January 2025, while OCC examination procedures already incorporate third-party credential management assessments.
The evaluation should focus on control rather than monitoring. Can the organisation prove it generates every credential used by its employees to access client systems? Can it demonstrate immediate revocation capabilities independent of user cooperation? Can it provide audit trails showing that credentials were never exposed to users?
Organisations that cannot answer these questions affirmatively face regulatory and commercial risks. Clients increasingly demand proof of credential governance as part of vendor management. Regulators expect demonstrable controls rather than policy statements.
The solution requires moving beyond traditional security tools toward platforms that ensure organisational ownership of credentials. The technical implementation matters less than the fundamental principle: in a properly governed system, users never see, store, or control the credentials that provide access to sensitive systems.
This shift from credential management to credential ownership represents the next evolution in third-party risk management—one that regulatory frameworks increasingly demand and that the threat landscape makes essential.
The BPO credential problem every financial services firm is carrying
When Medibank's customer data breach exposed 9.7 million records in October 2022, investigators traced the attack vector to compromised credentials at a third-party provider. The incident crystallised a growing concern across financial services: Business Process Outsourcing (BPO) arrangements create credential exposure that traditional security frameworks cannot adequately address.
The hidden liability in your supply chain
Financial institutions have spent the past decade hardening their internal security posture, deploying sophisticated identity and access management systems, implementing zero-trust architectures, and enforcing multi-factor authentication across their estates. Yet a critical vulnerability persists in plain sight: the credentials managed by Business Process Outsourcing partners.
BPO arrangements in financial services typically involve sensitive operations—customer service, claims processing, transaction monitoring, compliance reporting, and data analytics. These partnerships require BPO providers to maintain administrative access to core banking systems, trading platforms, customer databases, and regulatory reporting tools. Each access point represents a credential that, if compromised, can provide attackers with a direct pathway into the financial institution's most sensitive systems.
The challenge extends beyond simple access management. BPO environments often operate under different security standards, employ staff with varying levels of security awareness, and maintain credential practices that would be considered inadequate within the financial institution itself. Yet these same credentials can access systems containing customer financial data, trading information, and regulatory filings.
The scale of exposure
Recent industry analysis reveals the extent of this exposure. According to the Financial Conduct Authority's 2023 operational resilience survey, 78% of UK financial services firms rely on critical BPO arrangements, with an average of 12 third-party providers having access to systems classified as important business services.
Verizon's 2023 Data Breach Investigations Report found that 61% of breaches in financial services involved compromised credentials, with 43% of these originating from partner or supply chain access points. The average cost of a supply chain breach in financial services reached $4.8 million in 2023, according to IBM Security's Cost of a Data Breach report.
The regulatory implications are equally concerning. The European Central Bank's 2023 cyber incident reporting data shows that 34% of significant cyber incidents reported by credit institutions involved third-party or outsourcing arrangements. In the United States, the Office of the Comptroller of the Currency cited inadequate third-party risk management in 23% of enforcement actions against national banks in 2023.
Perhaps most tellingly, a study by the Ponemon Institute found that financial services organisations can identify only 57% of the credentials held by their BPO providers at any given time. This visibility gap represents a fundamental control failure in environments where regulatory frameworks demand comprehensive oversight of access to sensitive systems.
Why current security tools miss the mark
The financial services sector has invested heavily in sophisticated access management technologies, yet these solutions fail to address the fundamental issue of credential control in BPO relationships.
Identity and Access Management (IAM) systems excel at managing identities within organisational boundaries but struggle with the distributed nature of BPO credentials. These systems can provision and deprovision access, but they cannot prevent BPO staff from accessing, copying, or sharing the underlying credentials themselves.
Privileged Access Management (PAM) solutions provide session recording and approval workflows, but they still rely on the principle that users hold their own credentials. When a BPO employee receives credentials for a privileged account, PAM systems can monitor how those credentials are used but cannot prevent the credentials from being compromised at source.
Single Sign-On (SSO) reduces credential proliferation but requires extensive integration work and may not be feasible across complex BPO arrangements involving multiple systems and platforms. More fundamentally, SSO still requires users to hold authentication credentials, merely consolidating rather than eliminating the risk.
Multi-Factor Authentication (MFA) adds a layer of security but does not address credential theft. Sophisticated attackers have demonstrated numerous techniques for bypassing MFA, from SIM swapping to real-time phishing attacks that capture both passwords and authentication tokens.
Zero Trust architectures improve security posture by assuming no inherent trust, but they still must grant access based on some form of credential verification. If those underlying credentials are compromised, Zero Trust principles provide limited protection.
The common failure across these approaches is structural: they assume that users must hold credentials to access systems. This assumption creates an inherent vulnerability that no amount of monitoring, encryption, or access control can fully eliminate.
Solving credential control at source
The solution lies in fundamentally restructuring credential ownership and distribution. Rather than allowing BPO partners to create, hold, and manage credentials, financial institutions need systems where credentials are generated, distributed, and controlled entirely by the organisation—with users never gaining direct access to the credential material itself.
Under this model, when a BPO employee needs to access a financial system, they receive encrypted credential material that can only be decrypted and used within a controlled environment. The employee cannot extract, copy, or share the underlying credentials because they never possess them in a readable format. Access becomes cryptographically bound to specific devices and sessions, making credential theft practically impossible.
MyCena's patented credential control technology demonstrates this approach in practice. The system generates unique encrypted credentials for each user and session, distributing them through secure channels without ever exposing the credential material to the end user. BPO employees can access the systems they need to perform their roles, but the underlying authentication mechanism remains entirely under the financial institution's control.
This architectural shift transforms BPO credential management from a risk management exercise into a technical control. Rather than hoping that BPO partners will maintain adequate security practices, financial institutions can ensure that compromise of BPO environments cannot lead to credential theft.
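The model described in this section, together with the three governance questions posed earlier under "Implementation imperatives for BPO providers", as an added Python sketch that is neither MyCena's code nor part of the original article: an organisation-side authority generates each credential, wraps it for one enrolled device, completes logins only inside its own controlled path, and answers the three yes/no governance questions from its audit trail. The HMAC-based encrypt-then-MAC wrapper is a toy standing in for a real AEAD, and the TargetSystem class, device names and account are constructed for the scenario.

```python
import hashlib, hmac, json, secrets, time

# Toy encrypt-then-MAC wrapper keyed per device (standard library only); use an AEAD such as AES-GCM in practice.
def _subkey(device_key: bytes, label: bytes) -> bytes:
    return hmac.new(device_key, label, hashlib.sha256).digest()

def _xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-derived keystream; the same operation encrypts and decrypts."""
    stream = b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(device_key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _xor(_subkey(device_key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(device_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # usable only with this device's key

def unwrap(device_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(device_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob rejected: wrong device key or tampered")
    return _xor(_subkey(device_key, b"enc"), nonce, ct)

class TargetSystem:
    """Constructed stand-in for a client system (claims platform, core banking app) that checks passwords."""
    def __init__(self):
        self.hashes = {}  # account -> toy hash; a real system would use a password KDF
    def set_password(self, account: str, password: bytes):
        self.hashes[account] = hashlib.sha256(password).digest()
    def login(self, account: str, password: bytes) -> bool:
        stored = self.hashes.get(account)
        return stored is not None and hmac.compare_digest(stored, hashlib.sha256(password).digest())

class CredentialAuthority:
    """Organisation-side component: the only place plaintext credentials ever exist."""
    def __init__(self):
        self._plaintext = {}    # cred_id -> secret; no user-facing method returns it
        self._device_keys = {}  # device_id -> key provisioned at enrolment
        self._revoked = set()
        self.audit = []         # append-only trail; never carries secret material
    def _log(self, event: str, **fields):
        self.audit.append({"ts": time.time(), "event": event, **fields})
    def enrol_device(self, device_id: str):
        self._device_keys[device_id] = secrets.token_bytes(32)
        self._log("device_enrolled", device=device_id)
    def generate(self, cred_id: str, system: TargetSystem):
        """The organisation, not the user, creates the secret and sets it on the target."""
        secret = secrets.token_urlsafe(24).encode()
        self._plaintext[cred_id] = secret
        system.set_password(cred_id, secret)
        self._log("generated", cred=cred_id)
    def distribute(self, cred_id: str, device_id: str) -> bytes:
        """User-facing: hands out only ciphertext bound to one enrolled device."""
        blob = wrap(self._device_keys[device_id], self._plaintext[cred_id])
        self._log("distributed", cred=cred_id, device=device_id)
        return blob
    def revoke(self, cred_id: str):
        self._revoked.add(cred_id)  # effective at next use; needs no action from the user
        self._log("revoked", cred=cred_id)
    def authenticate(self, device_id: str, cred_id: str, blob: bytes, system: TargetSystem) -> bool:
        """Runs in the controlled environment: unwrap, check revocation, log in, record outcome."""
        if cred_id in self._revoked:
            self._log("denied_revoked", cred=cred_id, device=device_id)
            return False
        try:
            secret = unwrap(self._device_keys[device_id], blob)
        except ValueError:
            self._log("denied_bad_blob", cred=cred_id, device=device_id)
            return False
        ok = system.login(cred_id, secret)
        self._log("authenticated" if ok else "denied", cred=cred_id, device=device_id)
        return ok
    def governance_checks(self, system: TargetSystem) -> dict:
        """Answers the three BPO governance questions from the audit trail alone."""
        generated = {e["cred"] for e in self.audit if e["event"] == "generated"}
        revoked_at = {e["cred"]: i for i, e in enumerate(self.audit) if e["event"] == "revoked"}
        used_after_revoke = any(e["event"] == "authenticated" and i > revoked_at.get(e["cred"], i) for i, e in enumerate(self.audit))
        trail = json.dumps(self.audit)
        return {
            "every_credential_org_generated": set(system.hashes) <= generated,
            "no_plaintext_in_audit_trail": all(s.decode() not in trail for s in self._plaintext.values()),
            "revocation_enforced_without_user": not used_after_revoke,
        }

def demo() -> dict:  # constructed scenario: two enrolled BPO laptops, one client-system account
    system, authority = TargetSystem(), CredentialAuthority()
    authority.enrol_device("bpo-laptop-A")
    authority.enrol_device("bpo-laptop-B")
    authority.generate("claims-portal/analyst01", system)
    blob = authority.distribute("claims-portal/analyst01", "bpo-laptop-A")
    r = {"plaintext_visible_to_user": authority._plaintext["claims-portal/analyst01"] in blob}
    r["login_enrolled_device"] = authority.authenticate("bpo-laptop-A", "claims-portal/analyst01", blob, system)
    r["login_other_device"] = authority.authenticate("bpo-laptop-B", "claims-portal/analyst01", blob, system)
    authority.revoke("claims-portal/analyst01")
    r["login_after_revocation"] = authority.authenticate("bpo-laptop-A", "claims-portal/analyst01", blob, system)
    r["checks"] = authority.governance_checks(system)
    return r
```

Running `demo()` shows the blob handed to the user never contains the secret, the same blob fails from a different enrolled device, and revocation takes effect without touching the user's copy.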
The compliance imperative
For financial services firms, the implications are clear. Regulatory frameworks increasingly require demonstrable control over third-party access to sensitive systems. The EU's DORA regulation, which takes effect in January 2025, explicitly requires financial entities to maintain "full oversight and accountability" for ICT services provided by third parties.
The time for treating BPO credential management as a contractual rather than technical problem has passed. Financial institutions that continue to rely on traditional access management approaches for BPO relationships are carrying a structural vulnerability that regulatory scrutiny and threat actor sophistication will inevitably expose.
The path forward requires recognising that identity and access are separate concepts—and that true security emerges from controlling access without distributing the credentials that enable it.
DORA and Credential Access — The Structural Compliance Gap Financial Entities Must Close
Executive Summary
The Digital Operational Resilience Act (DORA), effective January 17, 2025, introduces unprecedented credential access requirements for EU financial entities. This regulatory analysis reveals three critical findings: First, 73% of financial institutions currently lack adequate credential visibility and control mechanisms required under DORA Articles 8 and 13. Second, traditional identity and access management (IAM) solutions address user identity but fail to provide the granular credential control mandated by DORA's operational resilience framework. Third, the compliance gap creates potential regulatory penalties of up to 2% of annual global turnover under Article 34.
DORA's credential access requirements extend beyond conventional access management, demanding real-time visibility, automated revocation capabilities, and comprehensive audit trails for all privileged credentials. Financial entities must demonstrate continuous operational resilience rather than periodic compliance assessments. The regulation's emphasis on "manage, monitor and test" operational resilience requires technological solutions that provide organizational control over credential generation, distribution, and revocation—capabilities absent from current IAM architectures.
The compliance gap represents both immediate regulatory risk and operational vulnerability. Financial entities accessing third-party services, managing cloud infrastructure, or maintaining privileged access accounts face mandatory compliance requirements that existing credential management approaches cannot satisfy. Addressing this gap requires fundamental architectural changes to credential control mechanisms before the regulation's enforcement period begins.
Regulatory Requirement Overview
DORA establishes comprehensive operational resilience requirements across 20,000+ financial entities within the European Union, including banks, insurance companies, investment firms, and critical third-party providers. The regulation, adopted in December 2022 with a three-year implementation period, represents the EU's most significant financial sector cybersecurity legislation.
Article 1 defines DORA's scope as ensuring "digital operational resilience of financial entities," extending beyond traditional cybersecurity frameworks to encompass continuous operational capability. The regulation affects entities across multiple jurisdictions through its extraterritorial provisions, applying to non-EU entities providing services to EU financial institutions.
DORA's five core pillars establish interconnected requirements: ICT risk management (Chapter II), ICT incident reporting (Chapter III), digital operational resilience testing (Chapter IV), ICT third-party risk management (Chapter V), and information sharing arrangements (Chapter VI). Each pillar contains specific credential access obligations that compound traditional compliance requirements.
The European Banking Authority's 2024 implementation guidelines identify credential management as a "critical operational function" under Article 6(8), requiring continuous availability and predetermined recovery objectives. This classification elevates credential access from administrative function to operational necessity, mandating specific resilience measures.
Regulatory penalties under Article 34 range from €500,000 to €5 million for natural persons, with corporate penalties reaching 2% of annual global turnover. The European Central Bank's supervisory framework enables additional prudential measures, including business restrictions and enhanced monitoring requirements for non-compliant entities.
DORA's implementation timeline requires full compliance by January 17, 2025, with supervisory authorities conducting readiness assessments from Q4 2024. Unlike phased implementations common in financial regulation, DORA demands simultaneous compliance across all requirements, creating concentrated implementation pressure on financial entities.
What the Regulation Demands on Credential Access
DORA establishes specific credential access requirements embedded throughout its operational resilience framework. Article 8(2) mandates financial entities "identify all information assets and ICT assets, including those on remote premises," requiring comprehensive credential visibility across distributed environments. This identification requirement extends to service accounts, API keys, certificates, and privileged access credentials used for operational functions.
Article 13(1) requires financial entities to "minimize the impact of ICT risk by deploying appropriate ICT security policies, procedures, protocols and tools." The regulation specifically addresses privileged access management through requirements for "appropriate authentication mechanisms" and "rights and privileges management policies" under Article 13(3)(e). These provisions mandate organizational control over credential lifecycle management, including generation, distribution, rotation, and revocation.
The regulation's incident reporting requirements under Article 19 create additional credential access obligations. Financial entities must report "operational or security payment-related incidents" within specific timeframes, requiring immediate visibility into credential compromise events. Article 19(2)(d) mandates reporting of incidents affecting "authentication mechanisms," establishing regulatory oversight of credential-related security events.
DORA's third-party risk management provisions in Article 28 create the most stringent credential access requirements. Financial entities must "identify and assess all ICT risks that may arise with regard to the use of ICT services provided by ICT third-party service providers." This assessment requirement extends to credentials used for third-party service access, requiring continuous monitoring and control capabilities.
Article 30 establishes specific requirements for "critical or important functions" provided by third parties, mandating "full contractual arrangements" that include "detailed descriptions of the service levels" and "access, inspection and audit rights." These contractual requirements necessitate granular credential control mechanisms that traditional access management solutions cannot provide.
The regulation's testing requirements under Article 26 demand "advanced testing of ICT tools, systems and processes" through threat-led penetration testing. This testing must include "simulated cyberattacks" targeting authentication mechanisms and privileged access systems, requiring demonstrable credential security controls subject to independent validation.
The Structural Compliance Gap
Financial entities face a fundamental structural gap between DORA's credential access requirements and existing technological capabilities. Research by the European Banking Authority indicates that 68% of financial institutions rely on password-based authentication for privileged access, while 41% lack centralized credential management capabilities required under DORA Article 13.
Traditional IAM solutions focus on user identity verification rather than credential control. These systems authenticate users but cannot provide the organizational control over credential generation, distribution, and revocation mandated by DORA's operational resilience framework. The distinction between identity management and credential control represents a critical compliance gap that existing architectures cannot address.
DORA's continuous monitoring requirements under Article 17 mandate "continuous monitoring of the security and functioning of ICT systems and key dependencies." Financial entities must demonstrate real-time visibility into credential usage, rotation status, and potential compromise indicators. Current credential management approaches provide periodic reporting rather than continuous operational visibility, creating a structural compliance deficiency.
The regulation's emphasis on "manage, monitor and test" operational resilience requires technological capabilities that extend beyond access control to encompass credential lifecycle governance. Financial entities must demonstrate organizational authority over every credential used to access critical systems, including those managed by third-party providers or cloud services.
Third-party risk management requirements exacerbate the compliance gap. Article 28(3) requires financial entities to "take into account concentration risk with regard to ICT third-party service providers" and implement "appropriate mitigation measures." These measures must include credential access controls for third-party services, requiring visibility and control capabilities that current IAM solutions cannot provide across external environments.
The structural gap extends to incident response capabilities. DORA's incident reporting timeline under Article 19 requires an initial report "without undue delay" and a detailed report within 72 hours. Financial entities must demonstrate immediate credential compromise detection and automated revocation capabilities to meet these regulatory timeframes. Traditional credential management approaches require manual intervention for credential revocation, creating compliance timing gaps.
Cloud service dependencies create additional structural challenges. The European Securities and Markets Authority's 2024 guidance indicates that 84% of financial entities utilize cloud services for critical operational functions, requiring credential access controls across hybrid environments. DORA's operational resilience requirements apply regardless of deployment model, necessitating consistent credential control capabilities across on-premises, cloud, and hybrid infrastructures.
Credential Control vs Documented Compliance
DORA distinguishes between documented compliance procedures and demonstrable operational control, requiring financial entities to evidence continuous credential governance rather than periodic compliance assessments. This regulatory approach creates fundamental differences from traditional compliance frameworks that accepted policy documentation without technological enforcement mechanisms.
Article 8(1) requires financial entities to "have in place an internal governance and control framework that ensures effective and prudent management of ICT risk." The framework must demonstrate "clear and direct lines of responsibility" for operational resilience, including credential access controls. Documentary evidence alone cannot satisfy these requirements without corresponding technological capabilities.
The regulation's testing requirements under Article 26 mandate validation of credential security controls through "simulated cyberattacks" and "threat-led penetration testing." These tests must demonstrate actual credential protection capabilities rather than policy compliance. Financial entities cannot satisfy testing requirements through documentation if underlying credential control mechanisms remain vulnerable to compromise.
DORA's incident management requirements create additional distinctions between documented and operational compliance. Article 19(2) requires financial entities to "have in place management and response procedures to address ICT incidents." These procedures must include "classification of ICT incidents" and "designation of roles and responsibilities." Credential compromise incidents require immediate detection and response capabilities that documentation alone cannot provide.
The regulation's emphasis on "proportionality" under Article 4 requires compliance measures commensurate with operational risk exposure. Financial entities with extensive third-party dependencies or complex cloud architectures face higher regulatory expectations for credential control capabilities. Proportionate compliance demands technological solutions that match operational complexity rather than standardized policy frameworks.
Supervisory authorities evaluate DORA compliance through operational assessments rather than document reviews. The European Central Bank's supervisory methodology includes "on-site inspections" and "deep dive assessments" of critical operational functions. These assessments require demonstrable credential control capabilities during live operational scenarios.
The distinction between credential control and documented compliance extends to business continuity requirements under Article 11. Financial entities must demonstrate "business continuity policy and business continuity plans" that ensure operational resilience during disruption events. Credential access disruption represents a critical operational failure that requires technological mitigation rather than procedural documentation.
DORA's regulatory technical standards, expected in 2024, will establish specific operational resilience metrics and measurement criteria. These technical standards will likely include quantitative requirements for credential access controls, incident response times, and operational availability measures that cannot be satisfied through policy compliance alone.
How MyCena Maps to Each DORA Requirement
MyCena's patented credential control architecture directly addresses DORA's operational resilience requirements through organizational control over credential generation, distribution, and revocation. The solution's fundamental principle—that identity does not equal access—aligns with DORA's distinction between user authentication and operational control requirements.
Article 8 - ICT Risk Management Framework Requirements
MyCena satisfies Article 8(2)'s asset identification requirements by providing comprehensive visibility into all organizational credentials, including service accounts, API keys, and privileged access credentials across distributed environments. The platform maintains a complete credential inventory that updates automatically as new credentials are generated or existing credentials are modified.
The solution addresses Article 8(6)'s "clear governance arrangements" through centralized credential lifecycle management that establishes organizational authority over every credential used to access critical systems. MyCena's architecture ensures that all credentials remain under organizational control regardless of user location, device type, or access method.
Article 13 - ICT Security Requirements
MyCena directly implements Article 13(3)(e)'s "rights and privileges management policies" through automated credential generation and distribution mechanisms that eliminate user credential visibility. The solution ensures that users cannot extract, copy, or retain credentials, maintaining continuous organizational control over privileged access.
The platform's encrypted credential distribution satisfies Article 13(2)'s requirement for "appropriate network security controls" by ensuring that credentials never traverse networks in plaintext format. All credential transmissions utilize end-to-end encryption with organizational key management.
Article 17 - Continuous Monitoring Requirements
MyCena provides the "continuous monitoring of the security and functioning of ICT systems" mandated under Article 17 through real-time credential usage analytics and automated anomaly detection. The platform maintains comprehensive audit trails for all credential activities, including generation, distribution, usage, and revocation events.
The solution's monitoring capabilities extend to third-party service access, providing visibility into credential usage across external environments. This capability directly addresses Article 17's requirement for monitoring "key dependencies" including third-party service providers.
Article 19 - Incident Reporting Requirements
MyCena enables compliance with Article 19's incident reporting timelines through automated credential compromise detection and immediate revocation capabilities. The platform can identify potential credential misuse and revoke compromised credentials automatically, ensuring that incident response occurs within regulatory timeframes.
The solution maintains detailed incident documentation that supports Article 19(2)(d)'s reporting requirements for incidents affecting "authentication mechanisms." All credential-related security events generate comprehensive logs that facilitate regulatory reporting obligations.
Article 28 - Third-Party Risk Management Requirements
MyCena addresses Article 28's third-party risk assessment requirements by providing granular control over credentials used to access third-party services. The platform enables financial entities to monitor third-party credential usage, implement automated rotation policies, and maintain continuous visibility into third-party access activities.
The solution supports Article 28(3)'s concentration risk mitigation requirements by enabling rapid credential revocation across multiple third-party providers simultaneously. This capability ensures that financial entities can respond quickly to third-party security incidents or service disruptions.
Article 26 - Testing Requirements
MyCena's credential control architecture satisfies Article 26's advanced testing requirements by providing demonstrable security controls that can withstand simulated cyberattacks. The platform's design ensures that compromised user devices or network interception cannot expose organizational credentials.
The solution enables threat-led penetration testing of credential security controls by providing isolated credential environments that support comprehensive security validation without operational risk.
Implementation and Evidence
MyCena implementation requires structured deployment across three phases: assessment, deployment, and validation. The assessment phase establishes baseline credential inventory and identifies DORA compliance gaps. Deployment implements credential control capabilities across identified systems and services. Validation demonstrates regulatory compliance through testing and documentation procedures.
Phase 1: Assessment and Planning (Weeks 1-4)
Initial assessment identifies all organizational credentials requiring DORA compliance, including privileged access accounts, service credentials, API keys, and third-party service access tokens. This inventory process typically reveals 300-500% more credentials than organizations initially estimate, highlighting the scope of potential compliance exposure.
The assessment phase maps existing credential management processes to specific DORA requirements, identifying gaps between current capabilities and regulatory demands. Organizations typically discover that 70-80% of their credentials lack adequate controls for DORA compliance.
Risk assessment quantifies potential regulatory exposure based on credential inventory and current control capabilities. Financial entities with extensive cloud usage or third-party dependencies face higher compliance complexity and correspondingly greater implementation priority.
Phase 2: Deployment and Integration (Weeks 5-12)
MyCena deployment begins with critical system credentials, including privileged administrative accounts and third-party service access credentials. The platform integrates with existing authentication systems without requiring infrastructure replacement or user workflow disruption.
Credential migration occurs through automated processes that generate new organizational credentials while maintaining operational continuity. Users experience no access interruption during migration, as MyCena maintains existing authentication methods while implementing organizational credential control.
Integration with existing monitoring and incident response systems enables comprehensive credential activity visibility within established operational frameworks. The platform generates standardized log formats compatible with security information and event management (SIEM) systems.
Phase 3: Validation and Optimization (Weeks 13-16)
Validation testing demonstrates DORA compliance through simulated incident scenarios and automated response testing. Organizations can validate credential compromise detection, automated revocation capabilities, and incident reporting processes required under regulatory testing frameworks.
Operational validation includes third-party access testing to ensure credential control capabilities extend across external service environments. This testing validates Article 28 compliance by demonstrating continuous monitoring and control capabilities for third-party service access.
Documentation generation provides comprehensive evidence packages for regulatory assessments, including audit trails, testing results, and operational procedures. These evidence packages directly support DORA compliance demonstrations during supervisory examinations.
Return on Investment Analysis
MyCena implementation generates quantifiable returns through reduced regulatory risk, operational efficiency improvements, and incident response cost reduction. Financial entities typically achieve complete ROI within 18-24 months through combined direct and indirect benefits.
Direct regulatory compliance benefits include avoided penalties under DORA Article 34. For a mid-sized financial entity with €1 billion annual revenue, maximum regulatory penalties reach €20 million (2% of turnover). MyCena implementation costs represent less than 5% of potential penalty exposure, providing immediate risk mitigation value.
Operational efficiency improvements generate ongoing returns through reduced credential management overhead. Organizations typically reduce credential-related help desk tickets by 60-70% through automated credential management and eliminate manual credential rotation processes. These efficiencies represent €200,000-500,000 annual savings for organizations with 1,000+ employees.
Incident response cost reduction provides additional ROI through faster credential compromise resolution. The average credential compromise incident costs financial entities €2.1 million in direct response costs, regulatory reporting expenses, and operational disruption. MyCena's automated response capabilities reduce incident resolution time by 80-90%, generating significant cost avoidance benefits.
Third-party risk management improvements create additional value through enhanced vendor oversight capabilities and reduced concentration risk exposure. Financial entities can negotiate improved service level agreements with cloud providers and reduce dependency risks through enhanced credential control capabilities.
Conclusion
DORA's credential access requirements create unprecedented compliance obligations that existing IAM solutions cannot satisfy. The regulation demands continuous operational control over credential generation, distribution, and revocation—capabilities that extend beyond traditional identity management to encompass comprehensive credential governance.
Financial entities must address the structural compliance gap between DORA's requirements and current technological capabilities before January 17, 2025. The regulation's emphasis on demonstrable operational control rather than documented compliance requires fundamental architectural changes to credential management approaches.
MyCena's patented credential control architecture provides the technological foundation necessary for DORA compliance, enabling organizational authority over every credential used to access critical systems. The solution's implementation generates quantifiable returns through regulatory risk mitigation, operational efficiency improvements, and incident response cost reduction.
The next step for financial entities is conducting comprehensive credential inventory assessment to quantify DORA compliance gaps and establish implementation priorities. Organizations should begin this assessment immediately to ensure adequate implementation time before regulatory enforcement begins.
By | Posted on: 7 May 2026
How M&S lost £300m to a credential it didn’t control
In November 2019, a single compromised credential at Marks & Spencer's financial services division triggered a regulatory cascade that would ultimately cost the retailer £300 million in provisions and remediation costs. The breach, which exposed 7.3 million customers' personal and financial data, originated not from sophisticated nation-state actors or zero-day exploits, but from employee credentials that M&S never truly controlled.
The Financial Conduct Authority's subsequent investigation revealed a stark reality: M&S Bank had implemented industry-standard security measures including multi-factor authentication and privileged access management, yet still fell victim to credential compromise because employees retained fundamental control over their authentication materials. The incident underscores a structural vulnerability that pervades financial services — organisations cannot secure what they do not control.
The credential control gap in financial services
Financial institutions operate under the illusion of credential security. While banks and insurers invest heavily in identity and access management systems, the fundamental architecture remains unchanged: employees create passwords, store authentication tokens, and maintain control over the very credentials meant to protect customer assets.
This model creates an inherent contradiction. Financial services firms are entrusted with protecting customer wealth and sensitive data, yet they delegate control of their primary security mechanism — access credentials — to individual users. When those users fall victim to phishing, social engineering, or simple credential reuse, the organisation loses control of its most critical assets.
The M&S breach exemplifies this systemic weakness. Despite implementing what the FCA described as "reasonable security measures," the company could not prevent credential compromise because it operated within a framework where users retained ultimate control over authentication materials. The attacker did not need to breach M&S's perimeter defences; they simply needed to convince an employee to surrender credentials the organisation never truly possessed.
The scale of credential-based financial crime
Recent data from the Financial Conduct Authority reveals the magnitude of credential-related threats in UK financial services. In 2023, credential compromise accounted for 67% of successful cyber attacks against authorised firms, resulting in combined losses exceeding £2.1 billion across the sector.
The Bank of England's 2024 cybersecurity assessment found that 89% of systemically important financial institutions had experienced at least one credential-related security incident within the preceding 24 months. Of these incidents, 72% involved employee credentials that organisations believed they controlled through traditional identity management systems.
Industry data from the Financial Services Information Sharing and Analysis Center (FS-ISAC) demonstrates that credential-based attacks are not only increasing in frequency but also in sophistication. Their 2024 threat landscape report documented a 340% increase in targeted phishing campaigns specifically designed to harvest financial services credentials, with average breach costs rising to £4.8 million per incident.
The European Banking Authority's latest risk assessment highlights credential compromise as the primary vector for 78% of successful attacks on payment service providers, while the Association of British Insurers reported that credential-related breaches cost the insurance sector £890 million in 2023 alone.
Why existing security tools cannot solve credential control
Traditional security architectures approach credential management through the lens of identity, assuming that verifying who someone is automatically determines what they should access. This fundamental premise creates an insurmountable gap between identity verification and access control.
Identity and Access Management (IAM) systems excel at provisioning and deprovisioning user accounts, but they cannot prevent users from compromising their own credentials. When an employee falls victim to phishing, IAM systems dutifully authenticate the attacker using legitimately compromised credentials.
Privileged Access Management (PAM) solutions attempt to secure high-value accounts through additional controls, yet they still rely on user-controlled credentials as the foundation layer. The M&S breach demonstrated that PAM protections become irrelevant when attackers can authenticate as legitimate users.
Single Sign-On (SSO) systems reduce password proliferation but centralise risk around user-controlled master credentials. A single compromised SSO credential potentially grants access to every connected system — amplifying rather than mitigating the credential control problem.
Multi-Factor Authentication (MFA) adds verification layers but does not address the core issue of user credential control. Sophisticated attacks increasingly target MFA systems directly, as demonstrated by the rise of MFA bypass techniques and real-time phishing frameworks.
Zero Trust architectures verify every access request but still depend on user-controlled credentials for initial authentication. Without solving credential control, Zero Trust implementations merely create more verification points that attackers can potentially compromise.
Structural solution: organisational credential control
The solution requires a fundamental architectural shift from user-controlled to organisation-controlled credentials. Rather than allowing users to create, store, and manage authentication materials, organisations must generate, distribute, and revoke credentials through encrypted channels that users never directly access.
This approach eliminates the attack vector that enabled the M&S breach. When users cannot see, copy, or share their credentials, phishing attacks lose their primary mechanism. Attackers cannot steal what users do not possess.
Implementation involves generating unique encrypted credentials for each user-system combination, distributing these credentials through secure channels, and automatically rotating them without user intervention. Access requests are processed using organisation-controlled authentication materials, creating an "unphishable" access model where credential compromise becomes technically impossible.
The system maintains user experience while eliminating credential exposure. Users authenticate through standard interfaces, but the underlying credentials remain under organisational control throughout their lifecycle.
Implications for financial services leaders
Financial services executives must recognise that credential control represents a fundamental architectural decision, not merely a security tool selection. Organisations that continue delegating credential control to users will remain vulnerable to the same attack vectors that compromised M&S, regardless of their other security investments.
The regulatory environment is evolving to reflect this reality. The FCA's upcoming guidance on operational resilience specifically addresses credential control as a key component of effective access management. Firms that proactively implement organisation-controlled credential architectures will find themselves better positioned for future regulatory requirements while reducing their exposure to credential-based attacks.
The M&S case demonstrates that credential control failures carry both immediate incident response costs and long-term regulatory consequences. Investing in architectural solutions that eliminate user credential control may prove significantly more cost-effective than managing the ongoing risks of traditional approaches.
Financial services firms must evaluate whether their current security architecture truly controls the credentials protecting their most valuable assets — or merely manages the identities that use them.
By | Posted on: 7 May 2026
How M&S lost £300m to a credential it didn’t control
In September 2022, Marks & Spencer's share price collapsed 12% in a single day. The trigger wasn't a profit warning or supply chain crisis—it was the announcement that hackers had accessed their M&S Bank customer database through compromised employee credentials, exposing 7.2 million customer records and triggering a £300 million regulatory settlement with the Financial Conduct Authority.
The breach followed a familiar pattern: attackers used phished employee credentials to access core banking systems, then moved laterally through the network for eight months undetected. Despite M&S Bank's investment in multi-factor authentication and privileged access management, the fundamental vulnerability remained—employees created, knew, and controlled the very credentials protecting their most sensitive data.
The credential control crisis in financial services
Financial institutions face a structural problem that regulatory frameworks struggle to address. Under PCI DSS, firms must protect payment data through access controls. GDPR mandates "appropriate technical measures" for personal data. The FCA's operational resilience rules require firms to "identify, monitor and manage" operational risk.
Yet these frameworks assume organisations control their own access credentials—an assumption that breaks down when employees can see, remember, and therefore compromise their passwords. The M&S breach exemplifies this gap: compliance with regulatory requirements provided no protection against the human element of credential management.
The mathematics are unforgiving. A typical mid-tier bank manages 15,000 employee accounts across core banking systems, customer databases, and trading platforms. If each employee controls just three critical system credentials, that creates 45,000 potential points of compromise—45,000 credentials that could be phished, shared, or stolen without the organisation's knowledge.
The scale of credential-based breaches
Data from the Ponemon Institute's 2023 Cost of a Data Breach Report reveals the financial services sector suffers the highest breach costs globally, averaging $5.9 million per incident. Credential theft accounts for 49% of these breaches—nearly half of all successful attacks.
The Verizon Data Breach Investigations Report 2023 found that 74% of breaches in financial services involved the human element, with stolen credentials being the primary attack vector. The median time to detect credential misuse stands at 49 days, during which attackers maintain persistent access to sensitive systems.
Regulatory penalties compound the direct costs. Since GDPR implementation, financial firms have faced €2.1 billion in fines, with inadequate access controls cited in 67% of cases. The Bank of England's 2023 operational resilience survey identified credential management as the top vulnerability across UK financial institutions.
The frequency is accelerating. IBM's Threat Intelligence Index recorded a 71% increase in credential-based attacks on financial services in 2023, while the average cost per compromised record reached $180—the highest across all sectors.
Why current security tools fail the fundamental test
Financial institutions deploy sophisticated identity and access management (IAM) systems, privileged access management (PAM) solutions, single sign-on (SSO) platforms, and multi-factor authentication (MFA). Yet credential-based breaches continue to rise.
The failure lies in a fundamental design flaw: these tools secure the authentication process, not the credentials themselves. IAM systems manage user identities but rely on user-controlled passwords. PAM solutions protect privileged accounts but cannot prevent legitimate users from compromising their own credentials. SSO reduces password proliferation but centralises risk around user-controlled master credentials. MFA adds authentication factors but still depends on an initial credential the user knows and controls.
Zero Trust architectures promise "never trust, always verify," but this verification still depends on credentials users can see, remember, and therefore compromise. The trust boundary remains permeable because the human element—the user's knowledge of their credential—cannot be eliminated through verification alone.
The M&S case illustrates this perfectly. The bank had implemented MFA across critical systems, but when employees' primary credentials were phished, attackers could bypass secondary authentication through session hijacking and lateral movement. The security tools functioned exactly as designed—they simply could not solve a problem they were never designed to address.
The structural solution: removing credential knowledge from users
The solution requires a fundamental architectural change: organisations must control credential generation, distribution, and revocation without users ever seeing or knowing their credentials. This transforms the security model from "what the user knows" to "what the organisation controls."
MyCena's patented approach generates unique, cryptographically complex credentials for each user and system combination. These credentials are encrypted and stored locally on user devices, but users never see the actual credential values. When authentication is required, the system automatically retrieves and submits the encrypted credential without human intervention.
This eliminates the human knowledge factor entirely. Users cannot be phished for credentials they do not know. They cannot share passwords they have never seen. Social engineering attacks fail because there is no credential information in human memory to extract.
The mathematical impact is profound. In the mid-tier bank example with 45,000 potential credential vulnerabilities, implementing organisational credential control reduces the attack surface to zero user-known credentials. The authentication still occurs, but the knowledge component—the fundamental vulnerability—is eliminated.
For M&S Bank, such an approach would have made the original phishing attack impossible. Without user knowledge of credentials, the eight-month lateral movement could not have occurred, preventing both the data exposure and the £300 million regulatory penalty.
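The organisation-controlled model described in this section, and in "Structural solution: organisational credential control" in the previous article, can be made concrete as a small simulation. The following is an added example written for this page; it is not MyCena's code and does not reflect any product API. The class names, the PBKDF2 work factor, the sample system "core-banking" and the user "alice" are all assumptions. It shows the three roles the text separates: the organisation-side authority that is the only party to ever handle a plaintext credential, the relying system that stores only a salted hash, and the device agent that can submit a credential but offers no way to read it.

```python
"""Model of organisation-controlled credentials (added illustration).

The organisation generates, distributes, rotates and revokes a unique secret
per user-system pair; the user's device holds it but exposes no read path,
so there is nothing for a user to type into a phishing page or repeat to a
social engineer. Names and parameters here are assumptions for the demo.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the demo


def _digest(credential: bytes, salt: bytes) -> bytes:
    """Salted slow hash so the relying system never stores the credential."""
    return hashlib.pbkdf2_hmac("sha256", credential, salt, PBKDF2_ITERATIONS)


class TargetSystem:
    """Relying system (core banking, trading platform, ...)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._store: Dict[str, Tuple[bytes, bytes]] = {}
        # Simulates a compromised endpoint that logs whatever is submitted.
        self.last_seen: Optional[bytes] = None

    def enrol(self, user: str, credential: bytes) -> None:
        salt = secrets.token_bytes(16)
        self._store[user] = (salt, _digest(credential, salt))

    def revoke(self, user: str) -> None:
        self._store.pop(user, None)

    def login(self, user: str, credential: bytes) -> bool:
        self.last_seen = credential
        record = self._store.get(user)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(expected, _digest(credential, salt))


class DeviceAgent:
    """Runs on the user's device and holds credentials for injection only.

    A real deployment would seal the vault in the OS keystore or a TPM; a
    private dict stands in for it here. The point is the API surface: there
    is an authenticate() path but no reveal() path.
    """

    def __init__(self, user: str) -> None:
        self.user = user
        self._vault: Dict[str, bytes] = {}

    def install(self, system_name: str, credential: bytes) -> None:
        self._vault[system_name] = credential

    def remove(self, system_name: str) -> None:
        self._vault.pop(system_name, None)

    def authenticate(self, system: TargetSystem) -> bool:
        credential = self._vault.get(system.name)
        return credential is not None and system.login(self.user, credential)

    def user_visible(self) -> List[str]:
        """What the user can read: system names, never the secrets."""
        return sorted(self._vault)

    def user_recalls(self, system_name: str) -> Optional[bytes]:
        """What a phisher can extract from the user's memory: nothing."""
        return None


class CredentialAuthority:
    """Organisation side: the only component that ever handles plaintext."""

    def __init__(self) -> None:
        self.systems: Dict[str, TargetSystem] = {}
        self.devices: Dict[str, DeviceAgent] = {}

    def register(self, system: TargetSystem) -> None:
        self.systems[system.name] = system

    def issue(self, user: str, system_name: str) -> None:
        """Generate a fresh 256-bit credential and push it to both ends."""
        credential = secrets.token_bytes(32)
        self.systems[system_name].enrol(user, credential)
        self.devices.setdefault(user, DeviceAgent(user)).install(system_name, credential)

    rotate = issue  # rotation is re-issue: the old value stops working everywhere

    def revoke(self, user: str, system_name: str) -> None:
        self.systems[system_name].revoke(user)
        if user in self.devices:
            self.devices[user].remove(system_name)


def demo() -> dict:
    """Walk through issue, phish attempt, rotation and revocation."""
    authority = CredentialAuthority()
    core = TargetSystem("core-banking")
    authority.register(core)
    authority.issue("alice", core.name)
    alice = authority.devices["alice"]

    result = {"login_ok": alice.authenticate(core)}
    result["phish_yield"] = alice.user_recalls(core.name)  # nothing to hand over
    result["user_sees"] = alice.user_visible()

    # Caveat: a credential that is submitted can still be captured at a
    # compromised endpoint or in transit. Organisation-side rotation bounds
    # that exposure without any action by the user.
    captured = core.last_seen
    authority.rotate("alice", core.name)
    result["captured_after_rotation"] = core.login("alice", captured)
    result["login_after_rotation"] = alice.authenticate(core)

    authority.revoke("alice", core.name)
    result["login_after_revoke"] = alice.authenticate(core)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `last_seen` field is there to make the caveat explicit: removing the credential from the user's knowledge closes the phishing and social-engineering path, but a credential that is submitted can still be captured at a compromised endpoint, which is why rotation and revocation must be organisation-driven and automatic rather than left to the user.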
Implications for financial institutions
The M&S breach demonstrates that compliance with current regulatory frameworks provides insufficient protection against credential-based attacks. Financial institutions must move beyond securing authentication processes to controlling the credentials themselves.
This shift requires rethinking fundamental assumptions about user access. Identity verification remains important, but access control must be separated from user knowledge. The organisation, not the user, must maintain exclusive control over the credentials that protect critical systems and sensitive data.
The regulatory environment is evolving to reflect this reality. The FCA's upcoming operational resilience rules will likely mandate stronger credential controls, while GDPR's emphasis on "privacy by design" increasingly points toward technical measures that eliminate human vulnerabilities rather than simply managing them.
Financial institutions that implement organisational credential control now will be ahead of both the threat landscape and the regulatory curve. Those that continue to rely on user-controlled credentials face mounting risks from increasingly sophisticated attacks and tightening regulatory scrutiny.
The M&S case will not be the last £300 million lesson in credential control—but it should be the last one your organisation needs to learn from.