The 2019 Playbook Is Still Winning at Regional Banks

Mid-tier regional banks occupy the most exposed position in financial services, large enough to be worth the attacker’s time, too small to fund the defense the megabanks built. The vectors hitting this segment are not exotic. They are the same five every quarter, dressed in slightly different clothing, and the boards keep being surprised.


1) Vendor and MSP compromise is first. The core processor, the managed service provider, the loan origination platform, each is a jump box into the bank’s environment, and most regional banks have not mapped the trust paths. When the MSP gets ransomwared, the bank gets ransomwared. The SOC 2 report on the desk is not a control, it is a marketing document.


2) Business email compromise is second. The wire fraud is rarely the bank’s email being breached, it is the customer’s, the attorney’s, the title company’s. The bank executes a properly authorized wire to a properly verified account number, and the regulator and the customer both look at the bank when the money is gone. Out-of-band verification is a control most institutions still treat as optional.


3) Ransomware staged through phishing is third. Dwell time in mid-tier environments runs in weeks, not hours. The endpoint detection stack the bank licensed sits at factory defaults because no one has the FTE to tune it. The detonation lands on a Friday before a holiday, and the recovery cost is multiples of what tuning would have cost.


4) Credential attacks against online and mobile banking are fourth. Stuffed credentials from unrelated breaches, paired with SIM swap to defeat SMS MFA, drain accounts before the fraud team sees the alert. SMS as a second factor is a 2014 control. The actors moved on. The banks did not.


5) Insider and termination gaps are fifth. The branch employee who left two months ago still has Active Directory rights. The 1099 contractor’s laptop is unmanaged. The exit checklist exists in HR, it does not exist in IT. The audit finds this every year, the finding is closed every year, and the gap remains every year.
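The termination gap above is a reconciliation problem, and it is cheap to detect once HR's separation list and the directory export are put side by side. The script below is an added illustration, not the post's own tooling or any product's code: it takes constructed sample rows (the field names, account names and dates are assumptions about what an HR export and an Active Directory export would contain), flags enabled accounts belonging to separated staff and contractors, flags the more urgent case where such an account has logged on after the separation date, and also lists dormant enabled accounts that have not authenticated within a threshold.

```python
"""Reconcile an HR separations list against a directory export.

Added illustration, not the post's own tooling.  All rows below are
constructed sample data; the column layout is an assumption about what an
HR export and an Active Directory export would typically provide.
"""
from datetime import date
from typing import NamedTuple, Optional


class Finding(NamedTuple):
    account: str
    reason: str   # enabled_after_separation | logon_after_separation | dormant
    days: int     # days since separation, or days idle (-1 = never logged on)


# Constructed HR separations: (sAMAccountName, separation date, employment type)
HR_SEPARATIONS = [
    ("jdoe",   date(2025, 3, 14),  "employee"),
    ("mlee",   date(2025, 5, 2),   "contractor_1099"),
    ("rpatel", date(2024, 11, 30), "employee"),
]

# Constructed directory export: (sAMAccountName, enabled flag, last logon date or None)
DIRECTORY = [
    ("jdoe",       True,  date(2025, 5, 9)),    # left in March, still logging in
    ("mlee",       True,  None),                # contractor never used the account, still enabled
    ("rpatel",     False, date(2024, 11, 28)),  # correctly disabled at exit
    ("asmith",     True,  date(2024, 12, 1)),   # current staff, but the account is dormant
    ("svc_backup", True,  date(2025, 5, 10)),   # active service account, no finding
]

# Fixed "today" so the sample run is reproducible (assumption for the example)
TODAY = date(2025, 5, 15)


def reconcile(hr, directory, today: date, dormant_days: int = 90) -> list:
    """Return findings sorted by reason then account.

    Enabled accounts that belong to a separated person are always reported;
    a logon after the separation date is reported under its own reason
    because it indicates live use of access that should not exist.
    Enabled accounts with no logon inside `dormant_days` are reported as dormant.
    """
    separated = {acct: when for acct, when, _kind in hr}
    findings = []
    for acct, enabled, last_logon in directory:
        if not enabled:
            continue  # disabled accounts are the desired end state
        if acct in separated:
            sep_date = separated[acct]
            days_since = (today - sep_date).days
            if last_logon is not None and last_logon > sep_date:
                findings.append(Finding(acct, "logon_after_separation", days_since))
            else:
                findings.append(Finding(acct, "enabled_after_separation", days_since))
            continue
        idle: Optional[int] = (today - last_logon).days if last_logon else None
        if idle is None or idle > dormant_days:
            findings.append(Finding(acct, "dormant", -1 if idle is None else idle))
    return sorted(findings, key=lambda f: (f.reason, f.account))


def run_sample() -> list:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(HR_SEPARATIONS, DIRECTORY, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.account:<12} {f.reason:<26} {f.days:>4}")
```

In practice the two inputs would be an HR system export and a directory query (for example a PowerShell export of enabled accounts with their last logon timestamp), and the job would run on a schedule so the finding is closed by the script's output rather than by next year's audit.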


None of this is sophisticated. The attackers are running a playbook from 2019 and winning, because the defenses that would close it require operational discipline the segment has not been willing to fund. Examiners know it. Auditors know it. Insurance carriers are starting to price it. The board can keep being surprised, or it can stop.


Timcke Risk Management, LLC
© 2025 by Timcke Risk Management, LLC