A stable banking system is necessary for a nation’s prosperity, and it serves as the backbone of its economic and critical infrastructure health. When investors have access to credit, and capital is available to invest, companies are created and employees earn wages to spend in the consumer economy that repays the investors, fuelling additional investment and growth. It’s this necessary interplay that clearly establishes the importance of regulations like those outlined by the Prudential Regulation Authority (PRA) [1], which exist to ensure firms are stable and resilient in the face of the various potential attacks that might cause them to fail. And let’s not forget that the firm is itself a business that needs to earn a profit to reward its own shareholders.
The PRA makes it clear that it is no longer enough to guard only against external cyberattacks. It requires firms to implement robust controls to protect personal and financial data and to have incident detection and response capabilities so that they can deliver their financial services securely.
What makes the PRA Rulebook somewhat unusual among critical infrastructure regulations is that it also very specifically sets out detailed expectations for firms around insider threat management.
What’s an insider threat? The PRA describes it as an employee at the firm or at a third party who may misuse their legitimate access to firm data for unauthorised purposes maliciously or inadvertently.
When an insider attack occurs, the impact can be devastating to the firm and its customers:
Reputational Damage: Insider breaches can erode customer trust and employee loyalty and bring increased regulatory scrutiny. Private information losses increase risks to customers.
Financial Ramifications: Regulators increasingly impose heavy fines for failure to protect sensitive data, customers may take their investments elsewhere, and capital is less readily available.
Operational Disruption: Insider incidents could cripple the very financial transactions and services they are designed to effect and can quickly have an adverse impact on the broader economy.
Employee Wellness: Not all insider attacks are adverse cyber incidents. While the PRA does not call out financial institution employees as critical assets, insider risk management professionals do, and the risk of harm by trusted insiders can be managed when there is a holistic approach in the strategy.
What the PRA Rulebook Says About Insider Risk
The PRA Rulebook sets out detailed expectations for institutions around confidentiality, insider threat management, and resilience testing.
Key sections include:
7.11 [2], Robust Controls to Protect Data
Companies must implement effective policies, procedures, and tools to prevent and detect activities that may impact firms’ information security and to respond to these incidents appropriately. This includes the “ongoing monitoring of insider threats” for malicious or inadvertent misuse of legitimate access.
2.4 and 26.1 [3], Protection of Confidential Information
Organizations must protect sensitive information from misuse or unauthorized access – including risks from employees, contractors and third parties.
10.20 [4], CBEST Testing and Cyber Resilience
Insider threats are now a component of cyber resilience testing under the CBEST framework. This means organizations must demonstrate detection, response and recovery capabilities during regulatory assessments.
The PRA’s message is clear. Managing Insider Risk is no longer optional. It’s a regulatory expectation.
Core Elements of a PRA Aligned Insider Risk Management Program
Building a compliant Insider Risk Management (IRM) Program requires a structured, multi-layered approach:
Formalized Program, Policy, and Governance: A charter or other declaration that establishes the business need for the program, and that assigns roles, responsibilities and oversight that are well defined and clearly aligned to legitimate business purposes. The foundational documents should require a cross-functional team including risk, legal, security, cyber security, human resources, and workers’ councils to manage the framework, oversight, and accountability of program activities. This provides the necessary root of trust for the program, which is vital to its sustainability.
Security Awareness and Training: Typically, effective programs consider training a process, not an event. Training for employees must promote a culture of security and educate them on risks associated with insider threats and how to spot and report warning signs. More importantly, training must also equip managers and leadership with training on response and mitigation strategies. A lack of response or a poor organizational response increases risk.
Robust Security Controls: As I mentioned above, the PRA Rules require a variety of technical controls and processes, including not only the ongoing monitoring of user activity, but detection and response capabilities for anomalies and potential breaches hiding in vast activity and logging data. The IRM Program team helps stakeholders and contributors implement and operate the security controls so that they work together to support the firm’s security and risk objectives.
Proactive Threat Identification, Mitigation, and Reporting: Real-time alerting and investigation processes. Prompt detection and consistent and formal response procedures minimize the impact of incidents. Often overlooked by organizations is the importance of a collaborative event or case management solution for coordination, reporting, sharing, and responding to adverse events. Most of the risk management metrics and data needed to inform the firm’s strategies and to report to senior leadership is found within the optimized case management solution. For example, comprehensive case characterization data in the case management system allows control failures to be more easily identified, aggregated, and reported.
Continuous Improvement: Despite what some may claim, the purpose of the IRM Program is not to catch insiders. The event doesn’t end when the user is identified and confirmed to have caused it. The purpose of the IRM Program is to actively prevent, detect, and respond to insider events and to deliver fact-based recommendations for changes to the firm’s strategy, including security controls. This enables the firm’s maturing program to deliver improved security and resilience to its core financial mission. That’s the goal.
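The “Robust Security Controls” and “Proactive Threat Identification, Mitigation, and Reporting” elements above describe two mechanics in general terms: scoring user activity against a user’s own baseline so that anomalies surface from bulk logging data, and characterizing each finding so that control failures can be aggregated and reported to leadership. The following is an added illustrative example, not code from the original post or from Everfox; the pipe-delimited log format, the sample events, the rule names, the control identifiers, the business-hours window and the score thresholds are all constructed assumptions chosen for the demonstration.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample activity log in a hypothetical pipe-delimited export format:
# timestamp|user|action|resource|item_count
SAMPLE_LOG = """\
2025-03-03T09:12:00|alice|file_read|/shared/reports/q1.xlsx|3
2025-03-03T10:40:00|alice|file_read|/shared/reports/q1-notes.docx|2
2025-03-04T09:05:00|alice|file_read|/shared/reports/q2.xlsx|4
2025-03-05T02:14:00|alice|file_copy|/finance/customer_accounts.csv|250
2025-03-03T09:30:00|bob|file_read|/shared/handbook.pdf|1
2025-03-04T11:02:00|bob|file_read|/shared/handbook.pdf|1
2025-03-05T14:20:00|bob|file_read|/shared/policy.pdf|2
2025-03-05T14:25:00|bob|usb_write|/removable/E/policy.pdf|1
"""

# Assumed policy parameters; a real program takes these from its governance documents.
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 treated as normal working time
SENSITIVE_PREFIXES = ("/finance/",)    # paths the data-classification policy marks sensitive
CASE_THRESHOLD, ALERT_THRESHOLD = 5, 3

# Each rule is tied to the control whose failure it evidences (hypothetical control ids),
# so findings can be aggregated by control for reporting, not only by user.
RULES = {
    "after_hours":      ("access-hours-policy", 2),
    "sensitive_access": ("data-classification-access", 3),
    "volume_spike":     ("bulk-export-control", 3),
    "removable_media":  ("removable-media-control", 3),
}

def parse_log(text):
    """Parse the constructed pipe-delimited export into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, resource, count = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource, "count": int(count)})
    return events

def volume_spike(event, peer_counts):
    """Flag a count far above the user's own other events (leave-one-out median).
    The max(10, ...) floor stops users with very little history being flagged on noise."""
    if not peer_counts:
        return False
    return event["count"] > max(10, 5 * median(peer_counts))

def score_event(event, peer_counts):
    """Return (score, [rule names hit]) for one event under the assumed rules."""
    hits = []
    if event["ts"].hour not in BUSINESS_HOURS:
        hits.append("after_hours")
    if event["resource"].startswith(SENSITIVE_PREFIXES):
        hits.append("sensitive_access")
    if volume_spike(event, peer_counts):
        hits.append("volume_spike")
    if event["action"] == "usb_write":
        hits.append("removable_media")
    return sum(RULES[h][1] for h in hits), hits

def analyse(text):
    """Score every event against its user's own baseline and label it case / alert / none."""
    events = parse_log(text)
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for e in events:
        peers = [p["count"] for p in by_user[e["user"]] if p is not e]
        score, hits = score_event(e, peers)
        level = ("case" if score >= CASE_THRESHOLD
                 else "alert" if score >= ALERT_THRESHOLD else "none")
        findings.append({"user": e["user"], "ts": e["ts"].isoformat(), "score": score,
                         "level": level, "controls": [RULES[h][0] for h in hits]})
    return findings

def control_failure_report(findings):
    """Count, per control, how many alert-or-above findings evidenced its failure."""
    report = Counter()
    for f in findings:
        if f["level"] != "none":
            report.update(f["controls"])
    return dict(report)

if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        if f["level"] != "none":
            print(f"{f['level']:5} {f['user']:6} {f['ts']} score={f['score']} {f['controls']}")
    print("control failures:", control_failure_report(results))
```

On the constructed sample, the 02:14 bulk copy of a finance file is the only event that reaches the case threshold, the USB write reaches only the alert threshold, and the per-control report shows which policies each finding implicates. The design point is the second function: because every rule hit carries a control identifier, the same data that opens a case also feeds the control-failure aggregation the post says leadership needs, without a separate reporting pass.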
Regulatory alignment demands more than policies; it demands active, operationalized Insider Risk Management.
The Role of Critical National Infrastructure Banking Supervision and Evaluation (CBEST) and Insider Threat Testing
CBEST [5], the Bank of England’s cyber resilience testing framework, includes threat intelligence-led testing, and insider risk is now a core component.
Organizations must prove they can identify, respond to, and recover from insider-driven incidents, not just external attacks, which means having a mature Insider Risk capability that’s regularly tested, measured and improved. When it comes to evaluating detection and response actions, we have found that user activity monitoring capabilities deployed to security staff and analysts are extremely helpful in evaluating the training and effectiveness of the staff and its procedures.
Insider Risk Management is Business Resilience
In 2025 and beyond, Insider Risk Management isn’t just a cybersecurity concern; it’s a business imperative. Financial services organizations that align with PRA Insider Risk rules will be better protected, better trusted, and better positioned for sustainable success.
How to Choose the Right Insider Risk Partner for PRA Compliance
Choosing a partner to support your insider risk program is critical. Organizations should be looking for:
Proven Expertise in Financial Industries, for a better understanding of regulatory and operational requirements
Governance-First Solutions, not just tools, full frameworks for identification, investigation and reporting
Ethical Monitoring Capabilities, privacy by design and compliance with GDPR, PRA and DORA
Real-Time Visibility, speed is key to managing insider incidents before any damage occurs
Ongoing Advisory Support, regulations evolve, your Insider Risk Management Program must evolve with them
A strong partner will help you align your Insider Risk Program with PRA mandates, reduce your exposure and build long-term resilience.
About Everfox Insider Risk Management
Everfox EverShield is a User Activity Monitoring (UAM), Behavioural Analytics, and Case Management platform that drives improvements and ROI in your insider risk program, giving analysts and investigators the tools and intelligence they need to collect, explore, and gain insight into risky behaviour.
Improve your organization's security posture and readiness models with risk scoring, anomaly detection, and controls.