What do the three recent bank collapses mean for cybersecurity in financial services?

Josh Cigna

Josh Cigna

4 minute read

When it comes to cybersecurity, in an ideal world it’s important to balance planning for how to minimize risk in the event of an attack while ensuring minimal impact to users and the business. That’s the way it works if all goes according to plan (spoiler alert: it usually doesn’t!)

Certainly nothing went according to plan for the banking industry in recent months. The collapse of three major banks – Silicon Valley, Signature and First Republic – took many by surprise. While there are many factors that went into the collapse, including bad management and loose regulatory oversight, there was a secondary effect of the banks’ collapse that should give all cybersecurity professionals pause. When panic ensued, new avenues of attack opened up for bad actors looking for new phishing attack vectors. For example, a simple email sent to a panicked bank customer without multi-factor authentication (MFA) implemented could result in stolen credentials and a breach.

This begs an important question: How can financial institutions be better prepared the next time new phishing attacks appear during a crisis? 

Following the bank run in which SVB customers withdrew $40 billion (one-fifth of SVB’s deposits) in a matter of hours, customers were deluged with phishing attacks in the form of deceptive emails full of fake news – often pointing to hastily registered domains designed to steal credentials. A similar fate befell First Signature (which is even larger than SVB) and Signature when it became clear they were in the same overextended position that SVB was.

The crisis that started with SVB may not be over yet. It has put financial institutions on notice that the strongest form of phishing-resistant MFA should be in place before the next bank run puts the whole industry at risk. Small and regional banks may be even more vulnerable, as upgrades tend to move slower and they may still be using legacy systems for authentication. 

In addition to upgrading IAM systems and investing in FIDO-based phishing-resistant authentication technologies, banks and the entire financial services industry can prepare employees and customers in the following ways: 

  1. Remind both employees and customers of the dangers of phishing attacks and what kind of malicious emails they might receive during periods of increased threat. Additional training on different types of phishing attacks — spear-phishing, vishing, or DNS spoofing, for example — is also important. 
  2. Put manual account/payment change procedures in place ahead of time and have a clear customer communication plan about each step. This is especially important for dealing with vendors who may be running the process — no account changes should happen without an actual call and human interaction, either between vendor and customer or vendor and institution.
  3. Incorporate a Zero Trust security model and tighten security internally across the company for all employees, limiting both physical access to critical systems and data and privileged access. 
  4. Implement phishing-resistant authentication, such as hardware security keys like YubiKeys, to provide higher security, user experience and  reliance for customers. Security keys help financial service organizations protect against fraud by stopping account takeovers and targeted attacks by offering high-assurance MFA for employees, contractors and privileged users, so only authorized users have access to critical business and customer data, and critical systems like payroll and trading.

Most banking infrastructures have a mix of legacy on-premises and private or public cloud-hosted services. Regardless of where applications and data reside, banks need to ensure they are protected against unauthorized access. Following these steps will ensure proper cybersecurity in financial services moving forward, and that you can be prepared in the face of another crisis, and improve customer relations by showing them care and forethought has been given to their financial security.

——

To learn more about how finserv can upgrade to higher-reliance systems, read our whitepaper, “Securing financial services with phishing-resistant MFA.” Read our recent blog about how banks need to act now to avoid non-compliance with new Consumer Financial Protection Bureau (CFPB) guidance here.

Talk to our teamTalk to our team

Share this article:
  • CEO Corner: Entering the second half of 2025 with momentumAs we continue to move further into the second half of 2025, I want to share a look back at our journey so far this year and as well as lay out Yubico’s strategic path ahead.  Resurgence in order growth and key segment wins While net sales declined for Q2, the end of the quarter […]Read moreCEOCEO CornerEarningsMattias Danielsson
  • Survey says: Your dog’s name isn’t a passwordWe all know we should be protecting our digital lives, but what are Americans actually doing? Yubico recently commissioned a survey, conducted by Talker Research, which asked 5,000 Americans in 10 major metro cities across the U.S. about their online security habits. Here’s a closer look at what they found (hint: they’re not as secure as they […]Read moreCompany Newssurvey
  • Passkeys are winning, but security leaders must raise the barPasswords are on their way out. In their place is a new form of login called passkeys that promises stronger security and less frustration. All passkeys offer the rare combination of improved usability and stronger security, especially when compared to passwords alone. But unless we act now, millions could be left more vulnerable than ever. […]Read moreDevice-bound passkeysHardware passkeypasskeyssynced passkeys
  • Your top YubiKey questions, answeredOver the 10+ years I’ve been at Yubico, I’ve had the pleasure of meeting customers, partners and many others talking about digital security. While every conversation is different, I am often asked many of the same questions about YubiKeys. One thing remains consistent: many people know they need better security, but they’re not sure what […]Read moreFAQYubiKey