Skip to content
Back
  1. Home
  2. Blog
  3. The Secrets Crisis in Finance: Why Regulators (and Attackers) Are Paying Attention

The Secrets Crisis in Finance: Why Regulators (and Attackers) Are Paying Attention

The Secrets Crisis in Finance Why Regulators (and Attackers) Are Paying Attention

Posted by Miryam Brand
May 27, 2025

Credentials have become a top cause of data breaches across financial services. Yet, the risks tied to exposed secrets remain alarmingly underestimated. From fast-moving fintech startups to established global banks, financial institutions are facing a growing and often hidden challenge: secrets sprawl.

Secrets like database passwords, API tokens, cloud access keys, and SSH credentials are critical to every system. But in many organizations, they’re embedded in source code, copied across environments, and informally passed between teams. These secrets often linger for months—or even years—without being rotated, expired, or revoked. That’s a problem. Attackers know it too.

The real issue is visibility. Most teams aren’t sure how many secrets exist in their infrastructure, where they’re stored, or who can access them. As environments become more complex and deployment cycles speed up, secrets are easily overlooked. Unfortunately, they’re also easily exploited.

The Regulatory Landscape Is Shifting

Over the past year, regulatory requirements around secrets management have grown more urgent. 

  • The FFIEC is replacing its Cybersecurity Assessment Tool with stricter frameworks like NIST CSF 2.0. This will be effective August 31, 2025.
  • The NYDFS cybersecurity regulations’ new amendments have officially come into effect as of November 1, 2024.
  • The FTC’s updated GLBA Safeguards Rule (May 2024) requires breach notification within 30 days for incidents involving unencrypted customer data or the breach of an encryption key.
  • The SEC’s amendments to Regulation S-P (May 2024), directed at financial institutions, mandate timely customer notification and policies to prevent unauthorized access.
  • The SEC’s Cybersecurity Disclosure Rule enforces a 4-day disclosure window for material cybersecurity incidents.

These updates go beyond reporting. They reflect new expectations for encryption, access controls, and auditability. Taken together, they reflect a clear shift. Regulators are signaling that secrets must be managed with the same precision and care as financial data. Financial institutions can no longer treat secrets management as a back-office IT task. It is now a central part of governance, risk, and compliance.

Why Legacy Tools Are Falling Behind

Despite these rising expectations, many institutions are still depending on outdated secrets management tools. Traditional vaults require manual oversight. They often don’t integrate easily with modern DevOps pipelines. And they fail to provide a unified view across cloud, hybrid, and on-prem environments.

As a result, long-lived credentials remain active long after they’re needed. This means that former employees and third-party vendors continue to have access. Because of a lack of tracking and visibility, when auditors request logs or proof of revocation, teams often struggle to respond quickly. In many cases, they can’t respond at all.

These aren’t just inefficiencies. They’re security risks. They create exposure points that attackers can exploit and that regulators are beginning to penalize.

Webinar: What to Do Next

If your organization is dealing with these challenges, you’re not alone. And you’re not without solutions.

In our upcoming webinar, Secrets in Finance: Breach Risk, Compliance Gaps, and What to Do Now, we’ll walk through the current regulatory expectations and explore what effective secrets management looks like in 2025.

You’ll learn where secrets risks are most likely to occur, how real breaches unfold, and how effective secrets management can help you comply with the latest regulations and safeguard your organization. You’ll also see how Akeyless helps financial organizations modernize secrets management with a cloud-native, zero-trust platform. Akeyless eliminates standing credentials, enforces least-privilege access, and provides complete auditability—all without requiring infrastructure changes.

🗓️ Date & Time: Thursday, June 5 at 12 pm ET
🔒 Register here

The stakes are high. Credential-related attacks are accelerating, and regulatory expectations are rising in step. Now is the time to close the gaps in your secrets strategy and move forward with confidence.

Let us show you how.

Never Miss an Update

The latest news and insights about Secrets Management,
Akeyless, and the community we serve.

 

Ready to get started?

Discover how Akeyless simplifies secrets management, reduces sprawl, minimizes risk, and saves time.

Book a Demo
Subscribe to Newsletter
  • EncryptionKeyManagement_BestSupport_Enterprise_QualityOfSupport
  • PrivilegedAccessManagement(PAM)_HighPerformer_Enterprise_HighPerformer
  • PrivilegedAccessManagement(PAM)_EasiestAdmin_Enterprise_EaseOfAdmin
  • PrivilegedAccessManagement(PAM)_UsersMostLikelyToRecommend_Enterprise_Nps

© 2025 AKEYLESS. All rights reserved