Insider Threat in Financial Services: Data Theft, Rogue Access and SMCR Accountability
Financial services consistently ranks as the sector with the highest insider threat density globally. The combination of privileged access to client money and data, high staff turnover in sales and advisory roles, and intense competitive pressure creates conditions where insider incidents — from opportunistic data theft to deliberate fraud — are a routine operational risk. Under the FCA's Senior Managers and Certification Regime (SMCR), Senior Managers are personally accountable for their firms' control environments. When an insider incident occurs, the question the FCA asks first is: who was responsible for the controls that should have prevented it?
Financial services has the highest insider threat density of any industry globally — Verizon Data Breach Investigations Report.
The Three Insider Threat Scenarios That Hit Financial Firms
Insider incidents in financial services cluster around three patterns:
- Data theft on exit: Departing advisers and relationship managers downloading client lists, financial plans, and contact data before leaving to join a competitor. Often detected weeks or months after departure
- Privilege abuse for fraud: Staff with access to client accounts or payment systems processing unauthorised transactions — most common in operations, settlements, and fund administration roles
- Inadvertent data exposure: Well-intentioned staff using personal email, personal cloud storage, or WhatsApp to share client documents — creating data leakage without malicious intent
How SMCR Creates Personal Accountability for Insider Risk
The FCA's SMCR framework requires firms to allocate specific responsibilities to named Senior Managers, including responsibility for the firm's information security and data protection controls, and records those allocations in Statements of Responsibilities and the firm's Responsibilities Map. When an insider incident results in a regulatory investigation, the FCA will identify which Senior Manager held the relevant responsibility and, under the Duty of Responsibility, assess whether they took reasonable steps to prevent or stop the breach in their area. Firms that have documented policies, access controls, monitoring, and training can evidence that reasonable steps were taken. Firms that relied on trust and good faith cannot.
The Controls That Detect and Deter Insider Threats
Effective insider threat management combines deterrence, detection, and response:
- Principle of least privilege: Staff should only have access to the data they need — not the entire client database
- User and entity behaviour analytics (UEBA): Baselines each user's normal activity and alerts on deviations — bulk downloads or exports, access outside working hours, access to client records or files unrelated to the user's role, and a sudden change in volume after notice is given
- Data loss prevention (DLP): Prevents sensitive data from being emailed to personal accounts, uploaded to personal cloud storage, or copied to USB devices
- Leaver process: Triggered on receipt of notice, not on the leaving date — step privileges down to what the handover needs, flag the account for heightened monitoring, and fully deprovision every system (including SaaS and remote access) on the last day rather than days later
- Audit logging: All access to client data and financial systems logged and retained — essential for investigation and regulatory response
- Regular access reviews: Quarterly review of who has access to what — removes accumulated privileges that are no longer needed
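The detection bullets above describe rules, not a product. The following added example (not code from the page or any vendor) shows how the three UEBA patterns and the leaver rule look when run over constructed access-log lines: a rolling-window bulk-export threshold, an off-hours check, a role-to-resource scope check, and a flag on any export by a user HR has marked as on notice. The log format, usernames, role scopes, thresholds and the ON_NOTICE list are all assumptions for illustration; a real deployment would feed these from the firm's own audit logs and HR system.

```python
"""Rule-based insider-threat detection over client-data access logs (illustrative)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real data. Fields: timestamp user role action resource record_count
SAMPLE_LOG = """\
2024-03-11T09:14:02 jsmith adviser VIEW crm/client/10042 1
2024-03-11T09:20:41 jsmith adviser VIEW crm/client/10077 1
2024-03-11T22:47:13 jsmith adviser EXPORT crm/clients/all 4800
2024-03-12T10:02:55 apatel settlements VIEW payments/batch/88 1
2024-03-12T10:03:10 apatel settlements VIEW crm/client/10042 1
2024-03-12T10:05:30 apatel settlements EXPORT crm/clients/region-north 300
2024-03-12T10:40:12 apatel settlements EXPORT crm/clients/region-south 400
2024-03-12T11:15:00 mlee ops VIEW payments/batch/89 1
"""

# Assumed role-to-resource scopes (least privilege expressed as path prefixes).
ROLE_SCOPE = {
    "adviser": ("crm/",),
    "settlements": ("payments/",),
    "ops": ("payments/", "crm/client/"),
}
ON_NOTICE = {"jsmith"}       # assumed: leavers flagged by HR on receipt of notice
BULK_RECORDS = 500           # assumed threshold: records exported within a 1-hour window
WORK_HOURS = (7, 20)         # assumed: 07:00-20:00 local time, Monday to Friday


def parse_line(line):
    """Parse one space-separated log line into a dict."""
    ts, user, role, action, resource, count = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "resource": resource, "count": int(count)}


def detect(log_text):
    """Return a list of (user, rule, detail) alerts in event order."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    exports = defaultdict(list)  # user -> [(ts, count)] kept to a rolling 1-hour window
    for e in events:
        # Rule 1: access outside working hours or at the weekend
        hour = e["ts"].hour
        if e["ts"].weekday() >= 5 or not (WORK_HOURS[0] <= hour < WORK_HOURS[1]):
            alerts.append((e["user"], "OFF_HOURS", e["resource"]))
        # Rule 2: resource outside the role's scope (unknown role matches nothing)
        if not e["resource"].startswith(ROLE_SCOPE.get(e["role"], ())):
            alerts.append((e["user"], "OUT_OF_ROLE", e["resource"]))
        if e["action"] != "EXPORT":
            continue
        # Rule 3: bulk export, summed over a rolling window so that several
        # smaller exports cannot slip under a per-event threshold
        window = exports[e["user"]]
        window.append((e["ts"], e["count"]))
        cutoff = e["ts"] - timedelta(hours=1)
        window[:] = [(t, c) for t, c in window if t >= cutoff]
        total = sum(c for _, c in window)
        if total >= BULK_RECORDS:
            alerts.append((e["user"], "BULK_EXPORT", f"{total} records"))
        # Rule 4: any export at all by a user who has given notice
        if e["user"] in ON_NOTICE:
            alerts.append((e["user"], "LEAVER_EXPORT", e["resource"]))
    return alerts


def alerts_by_user(alerts):
    """Group triggered rule names per user for triage."""
    grouped = defaultdict(set)
    for user, rule, _ in alerts:
        grouped[user].add(rule)
    return dict(grouped)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In the sample, jsmith (on notice) trips three rules with a single night-time export of the whole client list, while apatel's two exports of 300 and 400 records are individually below the threshold but exceed it once summed over the hour, and both are outside the settlements role's scope. The rules are deliberately simple; the point is that each alert maps to a control the firm can show it operated, which is what the reasonable-steps assessment turns on.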
Responding to a Suspected Insider Incident
When an insider incident is suspected, the response must be careful and legally grounded. Preserve evidence before confronting the individual: take forensic images or log exports of the relevant mailbox, endpoints and access logs first, because deleting email or restricting access without forensic preservation destroys evidence and can undermine later proceedings. Involve legal counsel before interviewing the employee. Consider whether the incident triggers a personal data breach notification to the ICO (within 72 hours of becoming aware, under UK GDPR Article 33), notification to the FCA under Principle 11 and SUP 15, or a suspicious activity report to the NCA where proceeds of crime are suspected. Document the response chronology meticulously, both for regulatory purposes and for any subsequent employment or civil proceedings.
Frequently Asked Questions
Can we monitor employee emails and systems activity?
UK firms can monitor employee communications and system activity for legitimate business purposes, including security monitoring, provided they have a clear, communicated policy in place and comply with UK GDPR principles of lawfulness, transparency, purpose limitation and data minimisation. Employees should be informed through their employment contract and an acceptable use policy that monitoring takes place and what it covers. Systematic monitoring of staff is high-risk processing, so a data protection impact assessment (DPIA) should be completed before any intensive monitoring programme, and legal advice on the boundaries is recommended.
What should we do when a key adviser or relationship manager resigns?
Act immediately on receipt of notice: conduct a forensic review of recent file access and downloads; restrict access to client databases and sensitive systems to what is needed for the handover period; document the access history; and ensure the leaver process includes certified deletion of firm data from personal devices. If evidence of data theft is found, preserve it before taking any action that might alert the departing employee.