Sources: FINRA Cybersecurity Alert · BleepingComputer · Cybersecurity Dive · March 2026
FINRA issued a specific alert warning that ShinyHunters is actively exploiting misconfigured Salesforce Experience Cloud instances to bypass authentication requirements and access sensitive customer data at financial firms, leveraging the stolen data to defraud customers. This week, ShinyHunters also breached the European Commission’s AWS environment, claiming over 350GB of stolen data including databases, internal documents, and employee information. The group conducted voice phishing campaigns in January 2026 targeting Okta and Microsoft SSO environments with custom phishing kits capable of intercepting credentials and bypassing MFA. ShinyHunters has also claimed the TELUS Digital breach (1PB including FBI background checks), the Crunchyroll breach (6.8M users via Okta SSO), and the Infinite Campus breach (11M records via Salesforce). Financial institutions using Salesforce, cloud SSO, or SaaS platforms are directly within ShinyHunters’ operational scope.
Action Required: Audit all Salesforce Experience Cloud configurations immediately — verify authentication requirements are properly enforced and guest user access is restricted. Review all OAuth integrations and third-party app permissions across cloud platforms. Deploy phishing-resistant MFA (FIDO2/WebAuthn) on all critical systems. Train all staff on voice phishing tactics. Review FINRA’s ShinyHunters-specific alert for detailed IOCs and configuration guidance.
Sources: IBM X-Force 2026 · SiliconANGLE · SecurityWeek · Jack Henry · Gartner
Identity is now the dominant attack surface in financial services. Infostealer malware — particularly LummaC2 — surged 72% in underground marketplace listings, harvesting browser-stored passwords, session cookies, and authentication tokens. Machine identities (API keys, service accounts, automation credentials) now dramatically outnumber human identities and are often unmanaged, creating a massive unmonitored attack surface. 16% of breaches now involve AI-driven attacks including deepfake impersonation — a specific threat to financial institutions where wire transfers, password resets, and privileged access approvals can be triggered by convincing video or voice impersonation. MFA bypass techniques including MFA fatigue, SIM swapping, session hijacking, and adversary-in-the-middle attacks continue to evolve. The 25-minute average attack timeline for sophisticated intrusions means detection and response must be near-instantaneous.
Action Required: Deploy phishing-resistant MFA (FIDO2/WebAuthn) across all systems — SMS and push-based MFA are no longer sufficient for financial services. Audit and govern all machine identities — API keys, service accounts, automation credentials. Implement session token monitoring and behavioral anomaly detection. Redesign wire transfer and privileged access workflows to resist deepfake impersonation. Rotate secrets automatically and monitor for credential exposure on dark web marketplaces.
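As an added illustration (not part of the original brief, and not tied to any vendor's log format), the following Python runs three of the identity-layer detections called for above over constructed sample events: MFA push-fatigue bursts (many prompts in a short window, especially when one is finally approved), a session token reused from a second network (a session-hijack signal), and a machine identity showing up in an interactive login. The event field names, the "svc-" naming convention, the /24 network grouping and the five-prompts-in-ten-minutes threshold are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample events in a generic identity-provider-like shape
# (assumed field names; not a real vendor schema).
SAMPLE_EVENTS = [
    # alice: six push prompts in four minutes, then an approval (fatigue pattern)
    {"ts": "2026-03-30T08:00:05Z", "user": "alice", "event": "mfa.push.sent"},
    {"ts": "2026-03-30T08:00:50Z", "user": "alice", "event": "mfa.push.sent"},
    {"ts": "2026-03-30T08:01:40Z", "user": "alice", "event": "mfa.push.sent"},
    {"ts": "2026-03-30T08:02:30Z", "user": "alice", "event": "mfa.push.sent"},
    {"ts": "2026-03-30T08:03:15Z", "user": "alice", "event": "mfa.push.sent"},
    {"ts": "2026-03-30T08:04:00Z", "user": "alice", "event": "mfa.push.sent"},
    {"ts": "2026-03-30T08:04:30Z", "user": "alice", "event": "mfa.push.approved"},
    # bob: normal login, first prompt timed out, second approved
    {"ts": "2026-03-30T08:10:00Z", "user": "bob", "event": "mfa.push.sent"},
    {"ts": "2026-03-30T08:11:00Z", "user": "bob", "event": "mfa.push.sent"},
    {"ts": "2026-03-30T08:11:20Z", "user": "bob", "event": "mfa.push.approved"},
    # svc-payments: one session token used from two unrelated networks,
    # and the service account later appears in an interactive login
    {"ts": "2026-03-30T09:00:00Z", "user": "svc-payments", "event": "session.used",
     "session": "S1", "ip": "203.0.113.50"},
    {"ts": "2026-03-30T09:05:00Z", "user": "svc-payments", "event": "session.used",
     "session": "S1", "ip": "198.51.100.7"},
    {"ts": "2026-03-30T09:20:00Z", "user": "svc-payments", "event": "login.interactive",
     "ip": "198.51.100.7"},
    # carol: same session from two addresses inside one office /24 (benign)
    {"ts": "2026-03-30T09:10:00Z", "user": "carol", "event": "session.used",
     "session": "S2", "ip": "203.0.113.20"},
    {"ts": "2026-03-30T09:40:00Z", "user": "carol", "event": "session.used",
     "session": "S2", "ip": "203.0.113.21"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: {"pushes": n, "approved_after_burst": bool}} for every user who
    received at least `threshold` push prompts inside any span of length `window`.
    An approval after the burst is the worst case: the user gave in."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"].startswith("mfa.push."):
            by_user[e["user"]].append((parse_ts(e["ts"]), e["event"]))
    findings = {}
    for user, seq in by_user.items():
        sends = [t for t, kind in seq if kind == "mfa.push.sent"]
        start = 0
        for end in range(len(sends)):          # sliding window over send times
            while sends[end] - sends[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                burst_end = sends[end]
                approved = any(kind == "mfa.push.approved" and t >= burst_end
                               for t, kind in seq)
                findings[user] = {"pushes": count, "approved_after_burst": approved}
    return findings


def detect_session_reuse(events, prefix=24):
    """Return {session: sorted networks} for session tokens seen from more than one
    /prefix network. Addresses in the same /24 are treated as one location."""
    nets = defaultdict(set)
    for e in events:
        if e["event"] == "session.used":
            nets[e["session"]].add(str(ip_network(f"{e['ip']}/{prefix}", strict=False)))
    return {s: sorted(n) for s, n in nets.items() if len(n) > 1}


def detect_service_account_interactive(events, prefix="svc-"):
    """Machine identities (assumed to be named with `prefix`) should never log in
    interactively; return the set of those that did."""
    return {e["user"] for e in events
            if e["event"] == "login.interactive" and e["user"].startswith(prefix)}


if __name__ == "__main__":
    print(detect_mfa_fatigue(SAMPLE_EVENTS))
    print(detect_session_reuse(SAMPLE_EVENTS))
    print(detect_service_account_interactive(SAMPLE_EVENTS))
```

In practice the threshold and window are tuned against the institution's own prompt volume, and the network grouping would use ASN or geolocation rather than a bare /24, but the shape of the logic is the same.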
Sources: Privacy Guides Breach Roundup · HIPAA Journal · BleepingComputer · March 2026
Marquis, a Texas-based financial services provider, revealed that a ransomware attack stole the data of over 670,000 individuals and disrupted operations at 74 banks across the United States. Exposed data includes names, addresses, Social Security numbers, dates of birth, account numbers, credit/debit card numbers, and taxpayer identification numbers. The attack originated through Marquis’s cybersecurity partner SonicWall — the attacker leveraged configuration data from SonicWall’s cloud backup infrastructure tied to an API code change. Marquis has filed suit against SonicWall, alleging the breach occurred despite up-to-date firewalls and MFA. This incident demonstrates that even organizations with strong internal controls remain vulnerable through their technology partners.
Action Required: If your institution uses Marquis or SonicWall, contact both for specific impact assessment immediately. Audit all cybersecurity vendor access to your infrastructure — vendors managing your firewalls and backup systems have the keys to your environment. Review SonicWall configurations and cloud backup access controls. Implement continuous monitoring of third-party vendor access. Ensure incident response plans account for vendor-originating breaches.
Sources: NYDFS Advisory March 3 · FINRA Alert March 16 · Fitch Ratings · Baker Botts · CISA CVIE
Three separate regulators and agencies have flagged heightened cyber risk to financial services from the ongoing Iran conflict. NYDFS issued a specific advisory on March 3 reminding regulated entities of increased cyber attack risk. FINRA noted as of March 16 that Iranian threat actors are actively targeting U.S. financial institutions. Fitch Ratings warned that the conflict elevates cyber risk for public finance issuers. Iranian state-affiliated hackers had established footholds inside U.S. financial institution networks weeks before Operation Epic Fury began. CISA’s CVIE identifies 136 CVEs that Iranian actors have targeted. Pro-Russian hacktivist groups have aligned with Iranian actors, creating coordinated campaigns. Banks must report cyber incidents within 36 hours under federal sector-specific obligations — significantly faster than CIRCIA’s eventual 72-hour requirement.
Action Required: Review NYDFS advisory and confirm full compliance with 23 NYCRR Part 500. Audit internet-facing systems against CISA CVIE catalog. Enhance monitoring for suspicious authentication activity. Review and test incident reporting procedures — ensure 36-hour notification capability. Monitor financial transactions for sanctions compliance. Brief senior leadership on geopolitical cyber risk posture.
Sources: Malwarebytes · BleepingComputer · State AG Filings · SafePay Ransomware
The Conduent breach now affects 25 million Americans across more than 30 states. Conduent processes state benefit programs including Medicaid, SNAP, and government payment disbursements, as well as corporate services for major employers. Stolen data includes Social Security numbers, dates of birth, medical information, health insurance details, and claims data. The attack was claimed by the SafePay ransomware gang. Financial institutions processing government benefits, insurance claims, or payroll services through Conduent should assess exposure. Most affected individuals never directly interacted with Conduent — their data flowed through the company as a back-end processor, highlighting the invisible third-party risk in financial services supply chains.
Action Required: Determine whether your organization or any vendors process data through Conduent. If exposure is confirmed, initiate customer notification procedures per applicable regulations. Monitor for identity fraud and account takeover attempts linked to the compromised data. Review all back-end processing vendor relationships for similar invisible data flow risks. Implement continuous third-party monitoring for critical data processors.
Sources: NYDFS 23 NYCRR Part 500 · SEC Regulation S-P · FINRA 2026 Oversight Report
Regulatory enforcement is intensifying across all major financial regulators simultaneously. NYDFS has entered consent orders with 27 entities since 2021, levying over $144 million in fines for Part 500 violations — including $9.75 million against GEICO for inadequate measures across four sections. Most common violation triggers: failure to implement MFA, delayed or failed breach reporting within the 72-hour window, false compliance certification, and poor risk assessment practices. The SEC Regulation S-P amendments, strengthening safeguards for customer information and requiring faster breach notification, have upcoming compliance deadlines that some firms have not yet addressed. FINRA’s 2026 Annual Regulatory Oversight Report flags cybersecurity and third-party risk as top focus areas. Non-compliance during a period of heightened geopolitical threat carries amplified regulatory and reputational risk.
Action Required: Verify full compliance with NYDFS Part 500 — prioritize MFA implementation, breach reporting procedures, and risk assessment documentation. Review SEC Regulation S-P amendments and confirm compliance timeline. Audit annual compliance certification for accuracy — false certification carries severe penalties. Conduct or update penetration testing and vulnerability assessments. Document all cybersecurity improvements as evidence of good faith compliance efforts.
Sources: IBM X-Force 2026 · Vectra · FINRA · Sophos · Jack Henry
97% of financial institutions have experienced a third-party breach in the past year. Supply chain attacks have quadrupled over the past five years. The Marquis breach came through SonicWall. The Conduent breach exposed 25 million Americans through a back-end processor. The Navia breach exposed 2.7 million through a benefits administrator. The Gainsight incident created fourth-party risk for financial firms using Salesforce integrations. FINRA’s 2026 report specifically flags third-party risk as a top oversight area. Financial institutions are uniquely exposed because they operate in dense vendor ecosystems where a single compromise can cascade across dozens of institutions simultaneously — as the Marquis attack demonstrated across 74 banks.
Action Required: Conduct a comprehensive third-party vendor risk assessment with specific attention to vendors with API access, administrative privileges, or data processing roles. Enforce MFA and patch SLA requirements in vendor contracts. Implement continuous monitoring of critical vendor access. Map fourth-party dependencies — know who your vendors trust. Review FINRA’s third-party risk guidance from the 2026 Oversight Report.
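The fourth-party mapping step above is a graph problem. As an added example (not part of the original brief), the following Python holds a constructed vendor-dependency graph, walks it backwards from a compromised provider to every institution that depends on it at any depth, and lists the providers whose compromise would cascade to several institutions at once. The institution names are made up; the vendor pairings mirror the incidents described on this page (Marquis via SonicWall, Salesforce integrations via Gainsight, Conduent as a processor).

```python
from collections import defaultdict, deque

# Constructed dependency edges: (dependent, provider). Institution names are
# hypothetical; the provider chains follow the incidents summarised on the page.
EDGES = [
    ("FirstBank", "Marquis"),
    ("SecondBank", "Marquis"),
    ("Marquis", "SonicWall"),          # the Marquis attack came through SonicWall
    ("ThirdBank", "Salesforce"),
    ("Salesforce", "Gainsight"),       # integration modelled as a dependency
    ("ThirdBank", "Conduent"),
]
INSTITUTIONS = {"FirstBank", "SecondBank", "ThirdBank"}


def reverse_graph(edges):
    """provider -> [dependents], so we can walk from a compromise outward."""
    rev = defaultdict(list)
    for dependent, provider in edges:
        rev[provider].append(dependent)
    return rev


def downstream_exposure(edges, compromised, institutions):
    """Breadth-first walk from `compromised` to every transitive dependent.
    Returns {institution: [compromised, ..., institution]}; the path shows
    through which vendors the exposure travels."""
    rev = reverse_graph(edges)
    paths = {compromised: [compromised]}
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        for dep in rev.get(node, []):
            if dep not in paths:                  # first visit = shortest path
                paths[dep] = paths[node] + [dep]
                queue.append(dep)
    return {org: path for org, path in paths.items() if org in institutions}


def party_depth(path):
    """A direct vendor is a third party (path length 2), its vendor a fourth
    party (length 3), and so on."""
    return len(path) + 1


def single_points_of_cascade(edges, institutions, min_dependents=2):
    """Providers at any depth whose compromise would reach at least
    `min_dependents` institutions: the concentration risk the Marquis case shows."""
    providers = {provider for _, provider in edges}
    counts = {p: len(downstream_exposure(edges, p, institutions)) for p in providers}
    return {p: n for p, n in counts.items() if n >= min_dependents}


if __name__ == "__main__":
    for org, path in downstream_exposure(EDGES, "SonicWall", INSTITUTIONS).items():
        print(f"{org}: {' <- '.join(path)} (party depth {party_depth(path)})")
    print(single_points_of_cascade(EDGES, INSTITUTIONS))
```

Fed with the real vendor inventory and the vendors' own disclosed sub-processors, the same walk answers the question the brief poses ("who do your vendors trust?") before an incident rather than during one.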
Sources: Flashpoint 2026 GTIR · FBI Counterintelligence · FINRA
Flashpoint documented 91,321 instances of insider recruiting activity in 2025, with financial services among the most targeted sectors due to direct access to funds, customer accounts, and transaction systems. Extortionist groups offer financial incentives to employees with access to banking systems, wire transfer capabilities, and customer account data. AI-driven deepfake impersonation now enables convincing impersonation of executives and IT administrators — video and voice are no longer reliable proof of identity. Business email compromise (BEC) campaigns continue targeting financial institutions with wire transfer fraud, payroll diversion, and vendor payment manipulation. The combination of insider recruitment, deepfake capability, and BEC creates a multi-layered social engineering threat.
Action Required: Brief all employees with access to funds, wire transfers, or customer accounts on insider recruitment and deepfake threats. Implement out-of-band verification for all wire transfers and privileged access changes — do not rely on video or voice alone. Establish a confidential insider threat reporting mechanism. Monitor for unusual transaction patterns and off-hours access. Review BEC controls and ensure dual-authorization requirements are enforced for all high-value transactions.
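The two controls above, dual authorization and out-of-band verification that does not rest on video or voice alone, can be enforced mechanically in the release workflow. As an added example (not the brief's or any product's code), the following Python models a wire request as a small state machine: high-value requests need two distinct approvers who are not the initiator, the confirmation must come over a bank-initiated channel pre-registered with the customer and different from the channel the instruction arrived on, and release is refused until both hold. The threshold, approver directory, registered channels and shared secret are constructed for the example.

```python
import hmac
from dataclasses import dataclass, field

# Constructed policy values and directories; an institution would load its own.
DUAL_AUTH_THRESHOLD = 10_000           # at or above this amount, two approvers are required
APPROVERS = {"ops-lead", "treasury-mgr", "cfo"}
# Bank-initiated channels registered with each customer. An inbound video or
# voice call is never on this list, so it can never be the sole proof of identity.
REGISTERED_CHANNELS = {"acct-1001": {"callback_phone": "walnut-harbor-31"}}


class PolicyViolation(Exception):
    """Raised when a step would break dual authorization or out-of-band verification."""


@dataclass
class WireRequest:
    request_id: str
    account: str
    initiator: str
    amount: int
    origin_channel: str                # how the instruction arrived: "video_call", "email", "portal", ...
    approvals: list = field(default_factory=list)
    oob_confirmed: bool = False
    state: str = "PENDING"


def required_approvals(amount):
    return 2 if amount >= DUAL_AUTH_THRESHOLD else 1


def approve(req, approver):
    """Record an approval from a distinct, authorised person other than the initiator."""
    if approver == req.initiator:
        raise PolicyViolation("initiator cannot approve their own request")
    if approver not in APPROVERS:
        raise PolicyViolation(f"{approver} is not an authorised approver")
    if approver in req.approvals:
        raise PolicyViolation(f"{approver} already approved; a second distinct approver is required")
    req.approvals.append(approver)
    if len(req.approvals) >= required_approvals(req.amount):
        req.state = "APPROVED"
    return req.state


def confirm_out_of_band(req, channel, spoken_secret):
    """Confirm over a registered, bank-initiated channel that differs from the one
    the instruction arrived on; the shared secret is compared in constant time."""
    if channel == req.origin_channel:
        raise PolicyViolation("verification must not reuse the channel the instruction arrived on")
    registered = REGISTERED_CHANNELS.get(req.account, {})
    if channel not in registered:
        raise PolicyViolation(f"{channel} is not a registered verification channel for {req.account}")
    if not hmac.compare_digest(registered[channel].encode(), spoken_secret.encode()):
        raise PolicyViolation("verification secret mismatch")
    req.oob_confirmed = True
    return True


def release(req):
    """Only an approved and out-of-band-confirmed request may be released."""
    if req.state != "APPROVED":
        raise PolicyViolation(f"needs {required_approvals(req.amount)} approval(s), has {len(req.approvals)}")
    if not req.oob_confirmed:
        raise PolicyViolation("out-of-band confirmation missing")
    req.state = "RELEASED"
    return req.state


def violates(fn, *args):
    """True if the step is refused by policy; lets callers check that controls hold."""
    try:
        fn(*args)
    except PolicyViolation:
        return True
    return False


if __name__ == "__main__":
    # Scenario: a 'CFO' on a video call tells an analyst to wire 50,000.
    req = WireRequest("W-1", "acct-1001", "ops-analyst", 50_000, "video_call")
    assert violates(release, req)                                  # nothing approved yet
    approve(req, "ops-lead")
    assert violates(approve, req, "ops-lead")                      # same person twice does not count
    approve(req, "treasury-mgr")
    assert violates(release, req)                                  # no out-of-band confirmation yet
    assert violates(confirm_out_of_band, req, "video_call", "x")   # the inbound call proves nothing
    confirm_out_of_band(req, "callback_phone", "walnut-harbor-31")
    print(release(req))  # RELEASED
```

The point of encoding the rules this way is that a convincing deepfake changes nothing: the workflow never asks whether the caller looked or sounded right, only whether two authorised people and a bank-initiated callback agreed.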
ShinyHunters is the most operationally relevant threat actor for financial services this week. FINRA specifically flagged ShinyHunters exploiting misconfigured Salesforce Experience Cloud instances at financial firms to bypass authentication and access customer data for fraud. Breached the European Commission via AWS on March 30. Conducted vishing campaigns targeting Okta and Microsoft SSO with MFA bypass capability. Also responsible for TELUS Digital (1PB), Crunchyroll (6.8M), Infinite Campus (11M), and Match Group breaches. Financial institutions using Salesforce, cloud SSO, or SaaS platforms are primary targets.
Primary TTPs: Salesforce Exploitation, Voice Phishing, SSO/OAuth Abuse
Target Sectors: Financial Services, Government, Technology
Activity Level: Critical · FINRA-Flagged · Active
SafePay ransomware gang claimed responsibility for the Conduent breach that has now expanded to affect 25 million Americans across more than 30 states. Conduent processes Medicaid, SNAP, and government payment disbursements as well as corporate payroll and HR services for major employers. The stolen data includes SSNs, medical information, health insurance details, and claims data. The breach demonstrates that ransomware groups targeting financial back-end processors can achieve massive scale with a single compromise — most victims had no direct relationship with Conduent.
Primary TTPs: Ransomware, Data Theft, Back-End Processor Targeting
Target Sectors: Financial Services, Government Benefits, Healthcare
Activity Level: Active · High Impact
FINRA confirmed as of March 16 that Iranian threat actors are actively targeting U.S. financial institutions. NYDFS issued a separate advisory on March 3. Fitch Ratings flagged elevated cyber risk for public finance from the Iran conflict. Iranian hackers had pre-positioned inside U.S. financial institution networks before Operation Epic Fury began. CISA’s CVIE identifies 136 CVEs these actors have targeted. Handala — the MOIS-operated group — this week breached FBI Director Patel’s email and claimed Lockheed Martin. While Handala has focused on defense and medical technology, the broader Iranian cyber apparatus has historically targeted financial institutions for both disruption and intelligence collection. Pro-Russian hacktivist groups have aligned with Iranian actors, expanding the threat surface.
Primary TTPs: Pre-Positioning, CVE Exploitation, Credential Theft
Target Sectors: Financial Services, Critical Infrastructure, Defense
Activity Level: Active · FINRA/NYDFS-Flagged
While Volt Typhoon primarily targets energy and utility infrastructure, financial institutions dependent on those utilities face indirect exposure. If Volt Typhoon disrupts the power grid or telecommunications infrastructure that financial institutions rely on, the cascading effect on banking operations, transaction processing, and customer access could be severe. Financial institutions should assess their dependency on utility infrastructure and develop contingency plans for prolonged utility disruption scenarios. Volt Typhoon is confirmed inside utility control loops as of February 2026.
Primary TTPs: LOLBins, Infrastructure Pre-Positioning, Utility Disruption
Target Sectors: Energy, Utilities (indirect financial impact)
Activity Level: Active · Embedded · Indirect Risk