The foundation of security compliance for financial services businesses

by Rachel Sudbeck
June 16, 2026 - 8 min

One of the less surprising findings of the 2026 Verizon Data Breach Investigations Report (DBIR) is that incidents targeting the Financial and Insurance sector are on the rise. As the report puts it, “This sector continues to be a favorite among attackers, which isn’t surprising given that its core business is handling money.”
For small-to-medium businesses (SMBs) in the financial services sector, the DBIR paints an even more dire picture. The report notes that SMBs face the same threats and breach patterns as larger organizations, but are disproportionately impacted by attacks; 96% of ransomware victims were SMBs.
In short: businesses in the financial services industry that are still building their security foundation, or that have limited security resources, are caught between a rock and a hard place. They operate in one of the most heavily targeted sectors for cyberattack and are held to enterprise-level security standards by regulators and clients alike, but they are working with startup-level security resources.
For lean security and IT teams to make the most of those limited resources, they need to spend them where they remove the most risk. That means getting the fundamentals right first. The highest-leverage fundamental is credential management, because stolen and reused credentials are the entry point for a large share of the breaches the DBIR describes.
Top security challenges for financial services organizations
Small IT and security teams in the financial services industry are faced with high expectations when it comes to security. Unfortunately, they also experience significant challenges when it comes to securing credentials.
AI is accelerating SaaS and credential sprawl
JP Morgan Chase’s recent research report, Understanding the use of AI among small businesses, finds that a growing number of small businesses are adopting AI, and that those that do tend to take on a greater number and variety of AI tools.
It’s not hard to understand why; AI’s ability to automate processes and improve productivity is a natural fit for lean teams trying to maximize impact with limited resources. However, AI tools and agents are also accelerating SaaS sprawl, shadow IT, and policy violations. One in four employees has used AI applications that weren’t approved by their company, and over a third of employees admit to having knowingly disregarded their company’s AI policies.
AI is also increasing the sophistication of attacks. Attackers can move faster and, in particular, generate more convincing phishing lures. The durable countermeasure is phishing-resistant authentication (FIDO2/WebAuthn authenticators such as passkeys and hardware security keys, which bind the credential to the legitimate site), but these factors remain hard to deploy at scale. As RSM reported, “Many middle market and smaller financial services organizations lag their larger counterparts in this area.”
AI use can also drastically accelerate credential risk, because AI tools and agents consume credentials, API keys, and other developer secrets at a scale and speed far beyond what traditional identity and access management (IAM) systems were designed to govern. Every agent that is handed a secret is another place that secret can leak from.
Complex compliance standards
Cybersecurity compliance represents one of the greatest challenges for businesses of all sizes in the financial services industry. SOC 2, GLBA, and PCI DSS are just a few of the compliance standards with strict guidelines designed to protect financial information.
These standards exist with good reason; when financial data is compromised, the consequences can be dire for companies and users alike. Still, the complex and varied legal and compliance standards that financial service providers have to meet can be daunting, to say the least, particularly when access is distributed across a growing sprawl of unmanaged apps and credentials.
For instance, to meet standards like GLBA, PCI DSS, and (for insurers that handle health information) HIPAA, teams have to be able to prove to an auditor that every system or app that touches protected data is guarded by strong, unique credentials and multi-factor authentication, and that access to it can be traced to a named person.
Unfortunately, 1Password’s 2025 annual report found that two-thirds of employees admit to engaging in poor password practices, including:
Using the same passwords across multiple work accounts
Never changing IT-default passwords
Using the same password for both work and personal accounts
Texting, emailing, or otherwise messaging passwords to yourself or a colleague
Every one of these practices runs counter to compliance guidelines. Unfortunately, scattered security tooling and unmanaged sprawl make it difficult to enforce policies around password use, leaving access records fragmented at best or non-existent at worst.
All of this makes it difficult to prove compliance to the satisfaction of an auditor, and compliance failures carry real costs. A survey in 2026 found that 25% of small business owners had received a compliance-related fine or citation. As the survey reported, “Most penalties totaled between $2,000 and $10,000…”
The cost alone is a serious detriment, but the report goes on to point out that these failures represent further disruptions for small teams. “Beyond paying fines, businesses also had to modify internal processes, update documentation practices, or implement new tracking systems to prevent repeat violations.”
Insider threats are a major concern
Smaller IT teams often have limited time to ensure that every new employee is given the right level of access for their role, and that every departing employee is fully offboarded from every system. The result is lingering credentials with over-privileged access to sensitive data.
Over one-third of employees have successfully accessed a prior employer’s account, data, or applications after leaving the company. The insider threat behind that statistic should be of particular concern to financial services institutions.
In 2024, more than 70 percent of financial institutions experienced insider threat incidents, counting both deliberate actions and inadvertent errors. In 2026, misconfiguration or human error was the leading cause of breaches for those organizations.
AI adoption is adding to these errors as well, but the more significant issue is that for businesses still building their security foundation, access controls are often informal, and employee lifecycle processes (joiner, mover, leaver) are inconsistent or overly manual.
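The password practices listed above (reuse, never-changed defaults) and the orphaned credentials of departed employees described in this section are exactly the things an auditor will ask a team to demonstrate it can detect. The following is an added example, not code from 1Password or from the article, of a credential-hygiene audit run over a constructed credential inventory and a constructed HR roster. The record layout, the policy thresholds, the names and every value in it are assumptions; a real audit would read the inventory from a password-manager export and the roster from an HR system.

```python
"""Credential-hygiene audit over a constructed inventory.

Added example, not code from 1Password or from the article. The record layout,
the HR roster and every value below are constructed assumptions; a real audit
would read them from a password-manager export and an HR system.
"""
from collections import Counter, defaultdict
from datetime import date
import hashlib

# Constructed inventory: one record per stored credential. Plaintext appears
# here only because the data is made up; a real check would work on hashes.
CREDENTIALS = [
    {"owner": "alice", "app": "Payroll SaaS", "password": "Spring2024!", "updated": "2024-03-01"},
    {"owner": "alice", "app": "Core banking admin", "password": "Spring2024!", "updated": "2024-03-01"},
    {"owner": "bob", "app": "Branch router", "password": "admin", "updated": "2022-07-15"},
    {"owner": "carol", "app": "CRM", "password": "x9#Lq!2vT8@pWm4z", "updated": "2025-11-20"},
    {"owner": "dave", "app": "Payroll SaaS", "password": "c0rrect-horse-battery", "updated": "2025-09-10"},
]
# Constructed HR roster; dave has left but still owns a Payroll SaaS credential.
ACTIVE_EMPLOYEES = {"alice", "bob", "carol"}
AUDIT_DATE = date(2026, 6, 16)

DEFAULT_PASSWORDS = {"admin", "password", "changeme", "123456", "welcome1"}
MIN_LENGTH = 12          # assumed policy floor
MAX_AGE_DAYS = 365       # assumed rotation window for this audit


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix so a report can reference a password without printing it."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def audit(creds, active_employees, today, min_length=MIN_LENGTH, max_age_days=MAX_AGE_DAYS):
    """Return (kind, owner, app, detail) tuples, one per policy violation found."""
    findings = []

    # Reuse: the same secret behind more than one record, regardless of owner.
    by_fp = defaultdict(list)
    for rec in creds:
        by_fp[fingerprint(rec["password"])].append(rec)
    for fp, group in by_fp.items():
        if len(group) > 1:
            for rec in group:
                findings.append(("reused", rec["owner"], rec["app"],
                                 f"fingerprint {fp} shared by {len(group)} records"))

    for rec in creds:
        pw = rec["password"]
        if pw.lower() in DEFAULT_PASSWORDS:
            findings.append(("default", rec["owner"], rec["app"],
                             "vendor or IT default password never changed"))
        if len(pw) < min_length:
            findings.append(("short", rec["owner"], rec["app"],
                             f"{len(pw)} chars, policy minimum is {min_length}"))
        age_days = (today - date.fromisoformat(rec["updated"])).days
        if age_days > max_age_days:
            findings.append(("stale", rec["owner"], rec["app"],
                             f"{age_days} days since last rotation"))
        # Orphaned: the owner is no longer on the roster, so the credential
        # should have been revoked or reassigned at offboarding.
        if rec["owner"] not in active_employees:
            findings.append(("orphaned", rec["owner"], rec["app"],
                             "owner not in active-employee roster"))
    return findings


def summarize(findings):
    """Count findings by kind; this is the number an auditor asks for first."""
    return Counter(kind for kind, *_ in findings)


def run_audit():
    """Run the audit over the constructed data as of the constructed audit date."""
    return audit(CREDENTIALS, ACTIVE_EMPLOYEES, AUDIT_DATE)


if __name__ == "__main__":
    results = run_audit()
    for kind, owner, app, detail in sorted(results):
        print(f"{kind:9} {owner:6} {app:20} {detail}")
    print("totals:", dict(summarize(results)))
```

Reuse is detected by comparing fingerprints rather than plaintext so the report never has to carry a password, and the orphaned-credential check is deliberately driven by the HR roster rather than by the password manager's own user list: the failure mode the article describes is precisely that those two sources drift apart when offboarding is manual.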
Traditional security tools can’t serve the needs of growing businesses
Unfortunately, traditional security tools are often unsuited to the needs of growing businesses, particularly those with strict compliance requirements. For instance, when teams think of securing access, single sign-on (SSO) is one of the first solutions that comes to mind. But SSO leaves serious gaps in oversight; 1Password’s recent annual report found that the average company has a third of its apps outside SSO, and credentials for those apps are invisible to the identity provider.
For smaller companies, or those with otherwise limited resources, SSO is likely to leave even more gaps. The infamous “SSO Tax” means that for an application to be put behind SSO, app providers often force customers to upgrade to an “enterprise tier.”
Not only does the enterprise tier tend to cost far more per user than the basic tier, it may also require a minimum number of seats. Even if an SMB has the budget to put a given app behind SSO, it may not have enough users to qualify for the plan.
SSO is just one example of how traditional security tooling falls short of SMB needs, leaving significant gaps in a team’s app and credential oversight. The lack of resources often results in a scattered approach to credential management, where credentials are stored in spreadsheets, shared over email, or saved in consumer browsers.
This level of credential sprawl is overwhelming and costly, undermining compliance efforts while drastically increasing a company’s attack surface. And if a business is hit by a breach, the financial losses can quickly reach the millions, leaving teams caught between costly security and costly risk.
How credential management helps meet financial compliance requirements
An enterprise password manager (EPM) like 1Password is one of the most effective and efficient security tools a business can implement. An EPM centralizes visibility into how and where credentials are used, and enables secure sharing and access that can be granted and revoked as needed. 1Password lets IT and security teams organize credentials into vaults and provision or revoke vault access according to employee roles and access needs, so offboarding becomes removing a person from groups rather than hunting for every password they ever knew. This benefits both security and productivity; autofilling passwords from a shared vault is easier than searching for them in a spreadsheet.
1Password uses zero-knowledge encryption: vault data is encrypted on the user’s device with keys derived from the account password and Secret Key, so not even the company storing the data can decrypt it. A breach of the servers where vaults are held yields only ciphertext. The caveat a practitioner should keep in mind is that this protects data at rest on the server; it does not protect an unlocked vault on a compromised endpoint, which is why device security and session locking still matter. 1Password’s breach monitoring also informs users and admins if a managed credential has appeared in a known breach, since reuse of compromised credentials is a major attack vector.
Most significantly, 1Password provides automated, detailed logs of app sign-ins and other events, giving small teams in the financial services industry the access records an auditor will ask for.
In short: the credentials to every workplace app stay secured and centralized where IT can easily oversee employee access and measure the strength and security of their password ecosystem. It’s a tool that works with small teams, empowering them to use the tools they need without putting sensitive data at risk.
Learn more
Do you have twenty minutes and want to learn more? Try out 1Password’s on-demand demo, or look through our “Secure in 20” series for quick and informative sessions on security for modern teams.