
32% Insider-Linked: The DORA Requirements for Managing Insider Threat in Banking

DORA Atlas Editorial | 10 min read

The Threat That Sits at the Next Desk

The cybersecurity industry spends disproportionate attention on external threats: nation-state APTs, ransomware gangs, hacktivist collectives. But the aggregated data from SOC reports across French, German, and Luxembourg banks tells a different story: 32% of major breaches in European banking are linked to malicious or negligent insiders. Nearly one in three significant security incidents originates not from outside the perimeter, but from within it.

This statistic, drawn from operational security reporting rather than survey data, captures a threat that DORA was designed to address but that many institutions underweight in their compliance programmes. External threats are visible and dramatic — a DDoS attack brings down a website, a ransomware deployment locks critical systems. Insider threats are quiet, persistent, and often discovered only after significant damage has been done.

The breakdown is instructive. Of the 32%, approximately 18 percentage points are attributed to malicious insiders — employees or contractors who deliberately misuse their access for financial gain, espionage, or sabotage. The remaining 14 percentage points reflect negligent insiders — staff who, through carelessness, inadequate training, or social engineering, create security breaches without malicious intent.

Breach source             Percentage   DORA relevance
External attack (cyber)   48%          Art. 7-9 (ICT systems, identification, protection and prevention)
Malicious insider         18%          Art. 9(4)(c) (access control), Art. 5 (governance), Art. 13(6) (awareness)
Negligent insider         14%          Art. 13(6) (awareness), Art. 13(1)-(3) (learning)
Third-party originated    12%          Art. 28-30 (third-party risk)
Physical/environmental     5%          Art. 11-12 (response and recovery, backup and restoration)
Unknown/unattributed       3%          Art. 17 (incident management process)

The Deepfake Escalation

In one of the most striking insider-adjacent incidents of recent years, a Deutsche Bank India executive transferred EUR 120,000 after being deceived by a deepfake video call purporting to be the CEO. The technology used was commercially available, the social engineering was sophisticated, and the financial loss was immediate.

This incident sits at the intersection of external attack and insider vulnerability. The threat actor was external; the vector was an insider's trust in apparent authority. ENISA's threat landscape reports consistently identify social engineering as a top attack vector against the European financial sector — and deepfake technology is making social engineering dramatically more effective.

The regulatory implications are direct. Art. 13(6) mandates ICT security awareness programmes and digital operational resilience training as compulsory modules in staff training schemes. The Deutsche Bank deepfake case demonstrates that awareness programmes must evolve beyond traditional phishing simulations to address AI-powered social engineering that exploits trust hierarchies within organizations.

DORA's Human-Centric Security Requirements

DORA is primarily a technology-focused regulation, but its human-centric provisions are substantive and enforceable. Three provisions form the core of DORA's insider risk framework:

Articles 9 and 13(6): Access Control and Awareness Training

Art. 13(6) requires financial entities to "develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes". This is not a suggestion; it is a mandate. Note that the training obligation sits in Art. 13(6), not in Art. 9(4)(c), which is often cited for it: Art. 9(4)(c) is the companion access-control provision, requiring policies that limit physical and logical access to information and ICT assets to what legitimate, approved functions require. That least-privilege rule is the foundation for the prevention controls mapped later in this analysis. A programme that satisfies the Art. 13(6) obligation should, at minimum, cover:

  • Recognition of social engineering techniques (including emerging AI-powered variants)
  • Secure handling of ICT assets and data
  • Incident identification and initial reporting procedures
  • Role-specific ICT risk responsibilities
  • Understanding of the institution's ICT risk management framework

Art. 13(6) further requires that the programmes apply to all employees and to senior management staff, with a level of complexity "commensurate to the remit of their functions". This proportionality requirement means that a board member requires different training than a branch teller, but both require training. The front-office employee with access to customer data and payment systems faces different insider risk vectors than the IT administrator with privileged system access.

Article 5: Governance

Art. 5(2) places responsibility for ICT risk management squarely on the management body. In the context of insider threat, this means the board must approve policies that address human-centric risk — including acceptable use policies, access management frameworks, separation of duties requirements, and the institutional response to insider incidents.

Art. 5(4) requires members of the management body to keep their knowledge and skills on ICT risk up to date, including by "following specific training on a regular basis, commensurate to the ICT risk being managed". Board-level awareness of insider threat, its prevalence, its mechanisms, and its financial impact, is not optional under DORA.

Article 13: Learning and Evolving

Art. 13(1)-(3) require financial entities to gather and analyze information on threats and ICT-related incidents, to conduct post-incident reviews after major ICT-related incidents, and to reflect the conclusions of those reviews in the ICT risk management framework. Applied to incidents involving insider actions, this means post-incident reviews must feed into updates to the framework, the training programmes, and the security controls.

For insider incidents specifically, Art. 13 creates an obligation to analyze:

  • How the insider obtained or maintained the access used in the breach
  • Whether existing controls (access reviews, monitoring, separation of duties) should have detected the activity earlier
  • What training or awareness gaps contributed to the incident
  • Whether the incident reveals systemic vulnerabilities in the institution's human risk management

An Insider Threat Framework Under DORA

Mapping DORA's requirements to a practical insider threat management programme means integrating human-centric controls across the prevention, detection, and response layers of the ICT risk management framework:

Prevention Layer

Control                       DORA article         Implementation
Role-based access control     Art. 9(4)(c)         Least-privilege access aligned to job function
Separation of duties          Art. 9(4)(c)         No single actor can both authorize and execute a high-risk operation
Background screening          Art. 5 (governance)  Pre-employment and periodic screening for sensitive roles
Security awareness training   Art. 13(6)           Mandatory, role-proportionate, updated for emerging threats
Acceptable use policies       Art. 5(2)            Board-approved, regularly reviewed, covering personal devices and remote work
Privileged access management  Art. 9(4)(c)-(d)     Enhanced controls and strong authentication for administrator and developer accounts

Detection Layer

Control                     DORA article   Implementation
Anomaly monitoring          Art. 10        Behavioral analytics on access patterns, data movement, and transaction volumes
Access logging              Art. 10        Complete audit trail of system and data access, retained where the insider cannot alter it
DLP (data loss prevention)  Art. 9(3)      Detection of unauthorized data exfiltration attempts
Peer comparison analytics   Art. 10        Flagging access patterns that deviate from role-group norms
Periodic access reviews     Art. 9(4)(c)   Regular certification that access rights remain appropriate
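Peer comparison analytics and anomaly monitoring from the table above, as an added example that is not part of this article or of any product it discusses: the script aggregates constructed access-log lines into per-user daily totals, compares each user with the peers in the same role group using a robust (median and MAD) modified z-score, and separately flags activity outside working hours. The log format, role names, the 3.5 threshold, the minimum peer-group size, and the 07:00-20:00 window are assumptions made for the example.

```python
"""Peer-group anomaly detection over access-log records (added example).

Each user's daily total of records touched is compared with peers in the same
role group on the same day using the modified z-score of Iglewicz and Hoaglin,
0.6745 * (x - median) / MAD, which a single extreme value cannot distort.
Log format, roles, thresholds and the working-hours window are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: <UTC timestamp> <user> <role group> <action> <records touched>
SAMPLE_LOG = """\
2025-03-03T09:12:44Z alice teller read_customer 41
2025-03-03T10:05:01Z bob   teller read_customer 38
2025-03-03T11:48:19Z carol teller read_customer 45
2025-03-03T14:20:07Z dave  teller read_customer 39
2025-03-03T15:02:33Z erin  teller read_customer 44
2025-03-03T23:41:55Z erin  teller read_customer 568
2025-03-03T09:30:12Z frank admin  config_change 3
2025-03-03T10:10:43Z grace admin  config_change 2
2025-03-03T13:02:28Z heidi admin  config_change 4
"""


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, action, count = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "role": role, "action": action, "count": int(count),
        })
    return events


def robust_z(value, peers):
    """Modified z-score against the peer values (the user is included in peers).

    When every peer has the same total (MAD == 0) any deviation is treated as
    extreme; otherwise the ratio would divide by zero.
    """
    med = median(peers)
    mad = median(abs(p - med) for p in peers)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def daily_totals(events):
    """Sum records touched per (day, role group, user)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["ts"].date(), e["role"], e["user"])] += e["count"]
    return totals


def flag_peer_outliers(events, threshold=3.5, min_peers=3):
    """Return users whose daily total deviates from their role group."""
    groups = defaultdict(dict)  # (day, role) -> {user: total}
    for (day, role, user), n in daily_totals(events).items():
        groups[(day, role)][user] = n
    alerts = []
    for (day, role), by_user in groups.items():
        if len(by_user) < min_peers:
            continue  # no usable baseline; a longer window would be needed
        peers = list(by_user.values())
        for user, n in by_user.items():
            z = robust_z(n, peers)
            if z > threshold:
                alerts.append({"day": str(day), "role": role, "user": user,
                               "records": n, "z": round(z, 1)})
    return alerts


def flag_off_hours(events, start=7, end=20):
    """Return (user, timestamp) for events outside the assumed working window."""
    return [(e["user"], e["ts"].isoformat())
            for e in events if not (start <= e["ts"].hour < end)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in flag_peer_outliers(evs):
        print("peer outlier:", a)
    for user, when in flag_off_hours(evs):
        print("off-hours access:", user, when)
```

The same user trips both detectors here, which is the pattern worth correlating in practice: a volume outlier alone may be a legitimate batch job, and off-hours access alone may be a late shift, but together they justify an analyst's look.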

Response Layer

The response to an insider incident must address Art. 17-23 (incident management) obligations while managing the unique challenges that insider cases present: the need for confidential investigation, potential criminal proceedings, employment law constraints, and the risk of tipping off the insider during the investigation phase.

A structured insider incident response protocol includes:

  1. Forensic preservation — snapshot logs, mailbox, endpoint and access records before any access change, since the change itself alters the evidence and may alert the insider
  2. Containment without alert — restrict access through changes the insider will not notice, rather than disabling the account outright
  3. Legal coordination — engage employment law, criminal law, and data protection counsel simultaneously
  4. Incident classification — determine whether the incident crosses Art. 18 major incident thresholds and triggers NCA reporting under Art. 19
  5. Root cause analysis — identify the control failure that enabled the incident (Art. 13)
  6. Framework update — update ICT risk management framework to prevent recurrence

The Social Engineering Arms Race

The insider threat landscape is evolving rapidly, driven by three technological shifts:

AI-powered social engineering. Deepfake audio and video — as demonstrated in the Deutsche Bank India case — make impersonation attacks dramatically more convincing. Traditional training that teaches employees to "verify the caller's identity" becomes less effective when the caller's voice and face are computationally indistinguishable from the genuine person.

Remote work perimeter dissolution. The shift to hybrid and remote work has dissolved the physical perimeter that historically constrained insider threat. An employee working from home may be under less observation, may use personal devices alongside corporate ones, and may be more susceptible to social engineering in an isolated environment.

Data proliferation. The volume of sensitive data accessible to individual employees has expanded with cloud adoption, data analytics platforms, and cross-functional collaboration tools. The blast radius of a single insider incident is larger than it was a decade ago.

DORA's training mandate (Art. 13(6)) must be interpreted in light of these shifts. An awareness programme designed for 2020 threats is inadequate for 2025 realities. Specifically:

  • Deepfake awareness training should be mandatory for any role that handles financial transactions based on verbal or video instructions
  • Out-of-band verification procedures must be established for high-value transactions, regardless of how convincing the authorization appears
  • Remote work security protocols must address the unique insider risk vectors that home-based work creates
  • Data access monitoring must scale with data proliferation to maintain visibility into insider activity
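The separation-of-duties and privileged-access controls in the Prevention Layer table, together with the out-of-band verification bullet above, as an added example that is not from this article: a small policy evaluator for payment release that enforces least-privilege rights per role, four-eyes approval by a distinct authorized person, and, above a threshold, a callback to a contact taken from the bank's own directory rather than details supplied with the instruction. The roles, user names, the EUR 50,000 threshold, and all field names are assumptions; the EUR 120,000 case below mirrors the deepfake scenario described earlier.

```python
"""Payment-release policy check: least privilege, four-eyes, out-of-band callback.

Added example; roles, users, the threshold and all field names are assumptions.
A request is released only when no policy violation is found.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

HIGH_VALUE_THRESHOLD = 50_000  # assumed policy figure (EUR)

# Role -> permitted payment actions (assumed). IT administrators hold privileged
# system access but no business rights: a separate privilege, not a superset.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "teller": {"initiate"},
    "payments_officer": {"initiate", "approve"},
    "treasury_head": {"initiate", "approve"},
    "it_admin": set(),
}

# Constructed user directory: user -> role
USERS: Dict[str, str] = {
    "alice": "teller",
    "bob": "payments_officer",
    "carol": "treasury_head",
    "dave": "it_admin",
}


@dataclass
class Verification:
    channel: str         # "callback" is the only channel accepted for release
    contact_source: str  # "directory" = contact from the bank's own records;
                         # "request"   = number or link supplied with the instruction
    performed_by: str    # who made the callback


@dataclass
class PaymentRequest:
    ref: str
    amount: int
    initiator: str
    approver: Optional[str] = None
    verification: Optional[Verification] = None


def permissions(user: str) -> Set[str]:
    """Least privilege: unknown users and unknown roles get no rights."""
    return ROLE_PERMISSIONS.get(USERS.get(user, ""), set())


def evaluate(req: PaymentRequest) -> List[str]:
    """Return the list of policy violations; an empty list permits release."""
    violations: List[str] = []

    if "initiate" not in permissions(req.initiator):
        violations.append(f"{req.initiator}: no initiate right")

    # Four-eyes / separation of duties: a distinct, authorized approver
    if req.approver is None:
        violations.append("no approver recorded")
    else:
        if "approve" not in permissions(req.approver):
            violations.append(f"{req.approver}: no approve right")
        if req.approver == req.initiator:
            violations.append("four-eyes: initiator and approver must differ")

    # Out-of-band verification above the threshold, regardless of how
    # convincing the original instruction (call, video, e-mail) appeared
    if req.amount >= HIGH_VALUE_THRESHOLD:
        v = req.verification
        if v is None:
            violations.append("high-value: out-of-band verification missing")
        else:
            if v.channel != "callback":
                violations.append(f"high-value: {v.channel} is not an independent channel")
            if v.contact_source != "directory":
                violations.append("high-value: callback must use a directory contact")
            if v.performed_by == req.initiator:
                violations.append("high-value: callback must not be made by the initiator alone")
    return violations


def release_permitted(req: PaymentRequest) -> bool:
    return not evaluate(req)


if __name__ == "__main__":
    # The deepfake pattern: convincing video instruction, contact details
    # supplied by the caller, verification attempted by the deceived initiator.
    deepfake = PaymentRequest("P3", 120_000, "alice", "bob",
                              Verification("video_call", "request", "alice"))
    for problem in evaluate(deepfake):
        print(problem)
```

The evaluator never asks whether the instruction looked genuine; it only checks whether the release path went through an independent channel and a second person. That is the property the deepfake case shows is needed, because the instruction itself is the part the attacker controls.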

The Culture Dimension

DORA's requirements address process and technology, but effective insider threat management also requires a security culture that balances vigilance with trust. Institutions that create a surveillance-heavy environment risk undermining the organizational trust that enables effective teamwork. Institutions that prioritize trust over verification create the conditions for insider incidents.

The evidence suggests that the most effective approach combines:

Transparency about monitoring. Employees should know that access logging, behavioral analytics, and DLP are in place — not as a threat, but as a standard operating practice that protects both the institution and its staff (since monitoring also detects unauthorized access by external actors using compromised credentials).

Accessible reporting channels. Staff who observe suspicious behavior by colleagues need clear, confidential reporting channels. The 14% negligent insider statistic includes cases where colleagues observed risky behavior but had no clear mechanism to report it.

Non-punitive error reporting. For negligent insider incidents — clicking a phishing link, misconfiguring a security setting, sending data to the wrong recipient — a non-punitive first-response approach encourages rapid reporting. An employee who reports their own mistake within minutes enables a faster response than one discovered through monitoring days later.

Regular reinforcement. Art. 13(6)'s training mandate should not be interpreted as an annual checkbox exercise. Effective insider risk awareness requires continuous reinforcement: regular communications, simulated scenarios, lessons-learned briefings from actual incidents (anonymized), and integration into operational routines.

Measuring Insider Risk Management Effectiveness

Art. 6's ICT risk management framework, which Art. 6(5) requires to be reviewed at least once a year and after major ICT-related incidents, and Art. 13(5), under which senior ICT staff report at least yearly to the management body on post-incident findings, together create an obligation to measure and report on insider risk management effectiveness. Key metrics include:

  • Mean time to detect insider incidents (target: days, not months)
  • Percentage of staff completing awareness training (target: 100% within mandated timeframes)
  • Phishing simulation click rates (trend analysis, not absolute targets)
  • Access review completion rates (target: 100% for privileged accounts quarterly)
  • Insider incident root cause categories (to identify systemic gaps)
  • Time from insider incident to framework update (measuring Art. 13 learning effectiveness)

These metrics should be reported to the management body as part of the Art. 13(5) reporting by senior ICT staff, providing the board with visibility into the institution's human-centric security posture.

The 32% Imperative

The 32% statistic is not a historical curiosity; it is a current operational reality. One in three major breaches in European banking involves an insider. DORA provides the regulatory framework to address this: mandatory training (Art. 13(6)), least-privilege access control (Art. 9(4)(c)), governance obligations (Art. 5), continuous learning (Art. 13(1)-(3)), and integrated incident management (Art. 17-23).

But the framework is only as effective as its implementation. Institutions that treat Art. 13(6) as an annual e-learning module and the Art. 13(2) post-incident review as a report filing exercise will continue to experience the consequences of the 32%. Those that build comprehensive insider threat management programmes, integrating prevention, detection, response, and continuous improvement, will reduce their exposure to the threat that sits at the next desk.


This analysis reflects aggregated SOC reporting data from European banking institutions and DORA Regulation (EU) 2022/2554 Articles 5, 9, 13, and 17-23 as applicable to insider threat management.

