Securing Financial Institutions: A Case Study on Multi-Layered Defense

May 28, 2025

See how a regional bank used layered cybersecurity controls to meet regulatory expectations and reduce cyber risk across its hybrid environment.

Financial institutions sit at the intersection of high-value data, strict regulation and constant attacker attention. ENISA’s finance sector threat landscape report highlights the financial sector as one of the most targeted in Europe between 2023 and mid-2024, with threats ranging from ransomware and DDoS to credential theft and fraud.

This case study is based on typical engagements DACTA Global conducts with regional banks in Europe and Asia. It illustrates how one mid-size bank moved from a fragmented security posture to a multi-layered defence aligned with regulatory expectations such as EBA ICT guidelines, DORA and Basel principles for operational resilience.

Starting Point: Fragmented Controls, Growing Regulatory Pressure

The bank in our scenario operates across several countries, with:

  • Core banking systems running in on-premise data centres
  • A growing use of SaaS platforms for CRM and productivity
  • Mobile and web channels for consumer and SME customers
  • Third-party processors for card payments and some back-office functions

Key challenges:

  • Security tools had been deployed piecemeal over many years (multiple firewalls, endpoint tools and log sources with inconsistent coverage).
  • Vendor risk management focused on contracts rather than technical assurance.
  • The board was increasingly concerned about DORA, EBA guidance and local supervisory expectations.

The CISO’s mandate was clear: design a layered security architecture that could stand up to regulator scrutiny and reduce business risk without disrupting ongoing digital transformation projects.

Layer 1: Governance, Risk and Architecture

The bank began by establishing a clear security architecture and governance model:

  • Enterprise Security Architecture: Mapped critical business services (payments, online banking, treasury) to supporting systems, data flows and controls. DACTA uses a similar approach in its Enterprise Security Architecture engagements.
  • Risk Assessment: Identified top cyber risks by combining threat intelligence, business impact and control maturity. This included stress-testing scenarios like core-banking ransomware, payment system disruption and large-scale credential stuffing.
  • Regulatory mapping: Cross-referenced existing controls and planned improvements against EBA ICT guidelines, DORA, FFIEC expectations (for non-EU operations) and Basel’s operational resilience principles.

Outcome: A prioritised roadmap that linked specific control improvements to business services and regulatory requirements, giving the board a clear view of why investments were needed.

Layer 2: Identity and Access Controls

Given the sector’s exposure to account takeover and payment fraud, the bank strengthened identity-centric controls:

  • Rolled out phishing-resistant MFA for internal admins and remote access, and step-up authentication for high-risk customer actions.
  • Implemented central identity governance to reduce privilege creep, automate leaver processes and recertify access to critical applications.
  • Applied strong authentication and network segmentation for third-party operators connecting to core systems.

This aligns with supervisory expectations around access management and supports the principle that identity is the new perimeter for financial services.
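The identity-governance points above (automated leaver handling, recertification of access to critical applications, phishing-resistant MFA for privileged roles) are easiest to understand as a periodic reconciliation of the HR roster against the entitlements actually held. The following script is an added illustration, not code from the bank in this case study or from DACTA; the roster, entitlement records, role names and the 90-day staleness threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Identity:
    user: str
    status: str   # "active" or "left" (from the HR system of record)
    mfa: str      # strongest enrolled factor: "fido2", "totp" or "none"


@dataclass(frozen=True)
class Entitlement:
    user: str
    app: str
    role: str
    last_used: Optional[date]   # None means the role has never been exercised


# Constructed sample data; not taken from any real institution.
HR_ROSTER = [
    Identity("alice", "active", "fido2"),
    Identity("bob", "left", "totp"),
    Identity("carol", "active", "totp"),
    Identity("dave", "active", "fido2"),
]

ENTITLEMENTS = [
    Entitlement("alice", "core-banking", "ops-admin", date(2025, 5, 20)),
    Entitlement("bob", "payments", "approver", date(2025, 3, 1)),
    Entitlement("carol", "treasury", "admin", date(2024, 11, 2)),
    Entitlement("carol", "crm", "reader", date(2025, 5, 25)),
    Entitlement("dave", "payments", "reader", None),
]

# Assumed policy: these roles count as privileged and must sit behind a
# phishing-resistant factor; anything unused for 90 days is a recert candidate.
PRIVILEGED_ROLES = {"ops-admin", "admin", "approver"}
PHISHING_RESISTANT_FACTORS = {"fido2"}
STALE_DAYS = 90


def review_access(roster, entitlements, today, stale_days=STALE_DAYS):
    """Return (kind, user, app, role) findings for the access-review queue.

    kinds: leaver_access        - account has left the organisation but still holds a role
           orphan               - entitlement holder is unknown to HR
           stale                - role not exercised within stale_days (privilege creep)
           weak_mfa_privileged  - privileged role held by an identity without FIDO2
    """
    by_user = {i.user: i for i in roster}
    findings = []
    for e in entitlements:
        ident = by_user.get(e.user)
        if ident is None:
            findings.append(("orphan", e.user, e.app, e.role))
            continue
        if ident.status == "left":
            # Leaver process failed or was never triggered: highest priority.
            findings.append(("leaver_access", e.user, e.app, e.role))
            continue
        if e.last_used is None or (today - e.last_used).days > stale_days:
            findings.append(("stale", e.user, e.app, e.role))
        if e.role in PRIVILEGED_ROLES and ident.mfa not in PHISHING_RESISTANT_FACTORS:
            findings.append(("weak_mfa_privileged", e.user, e.app, e.role))
    return findings


def summarise(findings):
    """Count findings per kind so the board-level roadmap can track the trend."""
    counts = {}
    for kind, *_ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(HR_ROSTER, ENTITLEMENTS, today=date(2025, 5, 28))
    for f in results:
        print(*f)
    print(summarise(results))
```

Run as a scheduled job against real exports, the `leaver_access` findings feed the automated de-provisioning step, while `stale` and `weak_mfa_privileged` findings become recertification tasks for the application owner.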

Layer 3: Network and Cloud Segmentation

The bank then tackled its network and cloud posture:

  • Introduced clear segmentation between internet-facing services, core banking systems, back-office platforms and testing environments.
  • Enforced stricter controls on remote administration, using PAM and jump hosts rather than direct server access.
  • For cloud workloads, applied the recommendations found in DACTA’s Cloud Security Assessment service: hardened IAM roles, private connectivity to critical SaaS platforms and stronger logging on management plane actions.

ENISA’s finance threat landscape work underlines the importance of segmentation to limit lateral movement, particularly in hybrid environments where cloud and on-prem infrastructure are tightly interconnected.

Layer 4: Endpoint, Application and Data Protection

The next layer focused on what sits closest to customer and staff activity:

  • Endpoint Detection and Response (EDR): Deployed across workstations and servers, with enhanced coverage for trading floors and privileged users.
  • Managed Detection & Response (MDR): Outsourced 24x7 monitoring to specialists, similar to DACTA’s Managed Detection & Response (MDR), integrated with the bank’s SOC.
  • Secure application lifecycle: Strengthened code review, penetration testing and API security for mobile and web banking, supported by services like Penetration Testing.
  • Data security: Rolled out data classification, encryption for sensitive datasets and DLP policies focused on customer data, trading information and financial reports.

These measures directly support EBA and local guidance on protecting customer information, transaction integrity and confidential data.

Layer 5: Threat Intelligence, Monitoring and Incident Response

To move from reactive to proactive defence, the bank invested in:

  • Centralised logging and analytics: Consolidated logs from network, endpoint, core banking, cloud and SaaS into a central platform. Use cases were designed around fraud, account compromise and infrastructure threats.
  • Threat intelligence: Consumed sector-specific intelligence, FS-ISAC feeds and DACTA’s Threat Intelligence updates to tune detections and understand emerging TTPs against financial institutions.
  • Incident Response planning: Updated playbooks for ransomware, core banking compromise, DDoS, payment fraud and third-party incidents. Conducted joint exercises with business, IT, legal and communications.

Regulators such as FINMA and the EBA increasingly expect evidence that banks can detect, respond to and recover from significant cyber incidents; this layer is where that capability becomes visible.
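Two of the monitoring use cases named above, account compromise and credential stuffing, can be expressed as simple rules over consolidated authentication and transaction logs. The script below is an added example written for this article, not detection content from the bank, DACTA or any SIEM product; the event format, the field names, the TEST-NET source addresses, the user baselines and the thresholds (five distinct usernames failing from one address within five minutes; a high-risk action without step-up within 30 minutes of a login from an unfamiliar country) are all constructed assumptions that a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed set of customer actions that policy says must be covered by step-up
# authentication (see Layer 2).
HIGH_RISK_ACTIONS = {"add_payee", "transfer", "change_contact"}


def _ev(ts, event, user, src_ip, country=None, step_up=None):
    """Build one normalised log event (constructed schema)."""
    return {"ts": datetime.fromisoformat(ts), "event": event, "user": user,
            "src_ip": src_ip, "country": country, "step_up": step_up}


# Constructed sample events using documentation (TEST-NET) addresses and
# fictitious usernames; these are not real bank logs.
SAMPLE_EVENTS = [
    # one source address cycling through many usernames inside a minute
    _ev("2025-05-28T10:00:00", "login_failed", "u1001", "203.0.113.10", "NL"),
    _ev("2025-05-28T10:00:08", "login_failed", "u1002", "203.0.113.10", "NL"),
    _ev("2025-05-28T10:00:15", "login_failed", "u1003", "203.0.113.10", "NL"),
    _ev("2025-05-28T10:00:21", "login_failed", "u1004", "203.0.113.10", "NL"),
    _ev("2025-05-28T10:00:30", "login_failed", "u1005", "203.0.113.10", "NL"),
    _ev("2025-05-28T10:00:39", "login_failed", "u1006", "203.0.113.10", "NL"),
    # a customer mistyping their own password twice: one user, so not stuffing
    _ev("2025-05-28T10:01:00", "login_failed", "m.rossi", "198.51.100.7", "IT"),
    _ev("2025-05-28T10:01:20", "login_failed", "m.rossi", "198.51.100.7", "IT"),
    _ev("2025-05-28T10:01:45", "login_success", "m.rossi", "198.51.100.7", "IT"),
    _ev("2025-05-28T10:03:00", "transfer", "m.rossi", "198.51.100.7", "IT", step_up=True),
    # login from a country never seen for this user, then a new payee with no step-up
    _ev("2025-05-28T11:05:00", "login_success", "a.weber", "192.0.2.55", "BR"),
    _ev("2025-05-28T11:12:00", "add_payee", "a.weber", "192.0.2.55", "BR", step_up=False),
]

# Assumed per-customer baseline of countries seen in the last months.
KNOWN_COUNTRIES = {"m.rossi": {"IT"}, "a.weber": {"DE", "AT"}}


def detect_credential_stuffing(events, min_users=5, window=timedelta(minutes=5)):
    """Alert per source IP whose failed logins span >= min_users distinct
    usernames inside any sliding window of the given length."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event"] == "login_failed":
            failures[ev["src_ip"]].append(ev)
    alerts = []
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            best = max(best, len({e["user"] for e in fails[start:end + 1]}))
        if best >= min_users:
            alerts.append({"rule": "credential_stuffing", "src_ip": ip,
                           "distinct_users": best})
    return alerts


def detect_account_takeover(events, baseline, window=timedelta(minutes=30)):
    """Alert when a successful login from a country outside the user's baseline
    is followed, within the window, by a high-risk action that skipped step-up."""
    suspicious_login = {}   # user -> timestamp of the unfamiliar-geo login
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "login_success":
            if ev["country"] not in baseline.get(ev["user"], set()):
                suspicious_login[ev["user"]] = ev["ts"]
        elif ev["event"] in HIGH_RISK_ACTIONS and not ev["step_up"]:
            seen = suspicious_login.get(ev["user"])
            if seen is not None and ev["ts"] - seen <= window:
                alerts.append({"rule": "account_takeover", "user": ev["user"],
                               "action": ev["event"], "src_ip": ev["src_ip"],
                               "country": ev["country"]})
    return alerts


def run_detections(events, baseline=KNOWN_COUNTRIES):
    """Run both rules and return the combined alert list for the SOC queue."""
    return detect_credential_stuffing(events) + detect_account_takeover(events, baseline)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The credential-stuffing rule keys on distinct usernames rather than raw failure counts, so a single customer locking themselves out does not page the SOC; the takeover rule only fires when the step-up control from Layer 2 was bypassed, which is the gap the monitoring layer exists to surface.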

Layer 6: Third-Party and Outsourcing Risk

Outsourcing and SaaS are essential for modern banks, but they also introduce systemic risk. To address this:

  • The bank established a central inventory of all critical third-party providers, mapped to services and data processed.
  • Contracts with key vendors were updated to include more precise security, logging, incident notification and resilience requirements.
  • Technical assurance (for example, penetration testing summaries, SOC 2 reports, cloud configuration reviews) became part of ongoing monitoring, not just onboarding.
  • Exit strategies and contingency plans were defined for the most critical providers, in line with DORA’s expectations for ICT third-party risk.

The Basel Committee’s emphasis on third-party and operational resilience is clearly reflected in this layer.

Results: Risk Reduction and Regulatory Confidence

Within 18–24 months of this transformation:

  • The bank reduced high-risk legacy access paths and privileged accounts by more than half.
  • Dwell time for simulated attacks dropped significantly thanks to improved monitoring and MDR integration.
  • Cloud and SaaS misconfigurations were discovered and resolved during assessments rather than via incidents.
  • Supervisory reviews highlighted the bank’s progress on ICT risk management and DORA readiness, reducing the risk of findings and enforcement.

Perhaps most importantly, business leaders gained a clearer understanding of how cyber risk related to specific services such as online banking and payments, making it easier to prioritise investments.

Conclusion: Multi-Layered Defense as a Strategic Imperative

For financial institutions, “good enough” security is no longer acceptable. Regulators and customers expect resilience: the ability to withstand, detect and recover from severe cyber events without destabilising core services.

This case study illustrates that multi-layered defence is not just a technical architecture diagram, but a practical way to align governance, identity, infrastructure, applications, data, monitoring and third-party risk. DACTA Global supports banks and other financial organisations through this journey, from initial risk assessments and architecture design to ongoing managed detection, incident response and cloud security assessments.

For institutions facing increasing regulatory scrutiny and a fast-evolving threat landscape, now is the right time to reassess how well each layer of your defence is performing—and where targeted improvements can deliver the greatest reduction in risk.
