AI Strategy, Cybersecurity, Compliance Automation & Microsoft 365 Managed IT for Security-First Financial Institutions | ABT Blog

Insider Risk Management for Financial Institutions

Written by Justin Kirsch | Tue, Jun 30, 2026

Your team moves customer data all day long, and that is the point. A loan processor pulls a borrower's pay stubs into a shared folder. A branch manager exports a member list to build a campaign. A new hire asks Microsoft 365 Copilot to summarize a folder of account documents, and it does, in seconds. Microsoft 365 is built to make that motion frictionless, and frictionless is what lets a lean credit union, bank, or mortgage company run.

That same frictionless access is the reason the hardest risk to see is the one already inside the building. Most security budgets at financial institutions point outward, at phishing, at ransomware, at the attacker trying to break in. The person who already has a badge, a login, and a legitimate reason to touch member data is a different problem, and it is the one most programs are least equipped to detect.

This guide is about the Microsoft tool built for exactly that problem, Microsoft Purview Insider Risk Management, and why most banks, credit unions, and mortgage companies already own it without ever turning it on. It is written for the people who answer for it: the IT directors, security leads, and compliance officers who get the exam findings and the breach calls. ABT manages Microsoft 365 for more than 750 financial institutions, and Insider Risk Management is one of the controls we configure inside those tenants.

$19.5M
Average annual cost of insider risk per organization in 2026, up from $17.4 million the prior year, with negligent rather than malicious behavior driving the largest share.
Source: Ponemon Institute and DTEX Systems, 2026 Cost of Insider Risks Global Report

The blind spot in most financial-institution security programs

Ask a financial institution how it defends against the outside attacker and you will get a confident, detailed answer: multifactor authentication, email filtering, endpoint protection, a security awareness program. Ask the same institution how it would know if a departing loan officer copied a pipeline of borrower contacts to a personal drive on their last Friday, and the answer gets quiet. The tools that watch the perimeter were never designed to watch the people who are supposed to be there.

That gap is expensive, and it is growing. The 2026 Cost of Insider Risks Global Report, the seventh annual benchmark study from the Ponemon Institute sponsored by DTEX Systems, put the average annual cost of insider risk at $19.5 million per organization, with an average of $247,587 to contain a single insider incident. The same research makes a point that reshapes the whole conversation: the majority of that cost comes from negligent, non-malicious behavior, not from villains. Most insider damage is done by people who were trying to do their jobs.

Why this matters for financial institutions

Financial institutions concentrate exactly the data insiders are most likely to mishandle: account numbers, Social Security numbers, income documents, and member contact lists. The workforce is also mobile. Loan officers move between lenders and take relationships with them, and a credit union or community bank rarely has a dedicated insider-threat analyst watching for it. The result is a high-value target guarded mostly against the wrong direction.

None of this means treating employees as suspects. It means having a way to see risky activity when it happens, scoped narrowly and reviewed fairly, so that an honest mistake gets coaching and a genuine theft gets caught. That capability has a name in the Microsoft stack, and most institutions are already paying for it.

What insider risk actually means: the three kinds of insider

The phrase "insider threat" tends to summon an image of the disgruntled employee with a grudge. That image is real but rare. To manage the risk you have to see all three of the people it actually covers, because they need different responses.

The negligent insider
The largest category by far. An employee emails a spreadsheet of member data to a personal account to work from home, pastes account details into a consumer AI chatbot, or saves loan files to an unmanaged USB drive. No malice, real exposure. This is where most of the cost lives.
The malicious insider
The departing employee who takes the customer pipeline, or the staffer who sells data for cash. Less common, but the costliest per incident. For two consecutive years, malicious insider attacks were the most expensive initial attack vector in IBM's research, at an average of $4.92 million per breach.
The compromised insider
A legitimate account taken over by an outside attacker through stolen credentials or a successful phish. From the inside, the activity looks like a trusted user, which is why the human element shows up in roughly 60 percent of breaches in the 2025 Verizon Data Breach Investigations Report.

The reason this distinction matters is that a single signal, say a large download of member files, can come from any of the three, and the right response is different for each. A program that cannot tell coaching-worthy negligence from genuine theft will either over-police its honest employees or miss the real loss. The goal is not surveillance. It is the ability to put a piece of risky activity in context.

The disgruntled employee with a grudge is the rarest insider. The expensive everyday reality is the good employee moving sensitive data to get their job done faster, and the trusted account quietly working for someone else.

Why data loss prevention alone does not catch it

Most institutions that have thought about data leaving the building have a data loss prevention policy. That is the right instinct and the wrong stopping point. Data loss prevention and insider risk management answer two different questions, and an institution needs both.

Data loss prevention is content-aware and rule-based. It inspects a specific action, an email with a Social Security number, an upload to a personal site, and it can block, warn, or allow that action based on the content. It answers "what data is leaving, through which channel, right now." It is essential, and our guide on data loss prevention for financial institutions walks through how to configure it. But a single blocked email tells you almost nothing about the person. Was it a one-time slip or the fourth risky action this week from someone who just gave notice?

Data loss prevention answers: what and where

Inspects individual actions against content rules and blocks or allows them in the moment. A loan file with account numbers is stopped at the door. Powerful at the point of egress, but it sees each action in isolation and says nothing about the user's pattern over time.

Insider Risk Management answers: who and why

Correlates many signals across many days into a per-user risk picture: this person downloaded an unusual volume of files, renamed them, and is in their notice period. It surfaces the pattern a single blocked action would hide, and routes it to a reviewer with context instead of a raw alert.

The two are designed to reinforce each other, not replace each other. Data loss prevention is the gate. Insider Risk Management is the behavior analysis that decides when the gate should get stricter and which person deserves a closer look. Microsoft built an explicit bridge between them, and that bridge is where the Purview platform earns its keep for a regulated institution.

What Microsoft Purview Insider Risk Management actually does

Microsoft Purview Insider Risk Management correlates signals from across the Microsoft 365 environment, file activity, email, devices, Teams, and more, into a risk level for each user, and it does it with privacy built into the design. It ships with pre-built policy templates so an institution is not starting from a blank page.

Policy templates
Ready-made starting points such as data theft by departing users, data leaks, and security policy violations, alongside newer templates for risky AI usage and risky browser usage. Each template watches for a recognized pattern of risk rather than requiring you to invent detection logic.
Risk scoring
Activity is weighed into a per-user risk level of minor, moderate, or elevated, so a reviewer sees a ranked picture instead of a flat firehose of alerts. A single download looks different next to a resignation date and a spike in file renames.
Adaptive Protection
The integration that makes insider risk operational: as a user's risk level rises, Microsoft Purview can automatically tighten controls around that person, applying stricter data loss prevention policies or feeding Conditional Access, without locking down everyone else in the tenant.
Privacy by design
By default, user identities are pseudonymized in the investigation experience, so analysts see risk without names. Only authorized role groups can reveal an identity when an investigation justifies it, which supports separation of duties and the privacy expectations a workforce reasonably has.

Put those pieces together and the departing-employee scenario that most programs cannot see becomes one they can.

What happens

A loan officer gives two weeks' notice. Over the next several days they download an unusually large set of borrower files, rename them, and copy several to a personal cloud drive the night before their last day.

What Insider Risk Management does

The data-theft-by-departing-users template recognizes the pattern, raises the user's risk level, and surfaces a single contextualized case to a reviewer. Adaptive Protection can automatically apply a stricter data loss prevention policy to that user while the review happens, all without the analyst seeing the person's name until policy allows it.
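To make the difference between the per-action gate and the per-user picture concrete, here is an added illustration (not Microsoft's scoring, not the Purview product's code, and not ABT's tooling) that runs a single-action data loss prevention rule and a multi-day insider-risk correlation over the same constructed audit events: the departing loan officer described above, an honest one-time slip, and a third user who shows the same staging pattern without a notice date. The event weights, volume and sequence bonuses, notice window, risk bands, policy tiers, role names, salt and the HR feed are all assumptions made up for the example; the real product's scoring is not published on this page and differs.

```python
"""Toy model of data loss prevention (one action, one decision) versus insider
risk correlation (many signals, many days, one pseudonymized case per user),
with an Adaptive Protection style mapping from risk level to a stricter policy.
Added illustration: every weight, threshold, band and sample event is constructed."""
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Event:
    user: str        # real identity from the audit log, never shown to the reviewer
    day: date
    action: str      # download | rename | upload_personal_cloud | email_external
    sensitive: bool  # file matched a content rule or carries a sensitivity label
    count: int = 1   # number of files touched by this action


# Constructed HR feed: who has given notice and their last day.
HR_LAST_DAY = {"alice": date(2026, 6, 12)}

# Constructed audit events for three users over nine days.
EVENTS = [
    Event("alice", date(2026, 6, 3), "download", True, 120),            # stage
    Event("alice", date(2026, 6, 4), "rename", True, 120),              # obscure
    Event("alice", date(2026, 6, 11), "upload_personal_cloud", True, 15),  # exfiltrate
    Event("bob", date(2026, 6, 5), "email_external", True, 1),          # one-time slip
    Event("carol", date(2026, 6, 2), "download", True, 80),
    Event("carol", date(2026, 6, 6), "rename", True, 80),
    Event("carol", date(2026, 6, 9), "upload_personal_cloud", True, 3),
    Event("carol", date(2026, 6, 9), "download", False, 10),            # not sensitive
]

# Constructed scoring parameters (assumptions, not Microsoft's values).
WEIGHTS = {"download": 1, "rename": 2, "upload_personal_cloud": 5, "email_external": 4}
VOLUME_THRESHOLD = 50        # files in one action that count as "unusual volume"
VOLUME_BONUS = 5
SEQUENCE_BONUS = 10          # download, then rename, then an exfiltration channel
NOTICE_WINDOW = timedelta(days=30)
EXFIL_ACTIONS = {"upload_personal_cloud", "email_external"}
BANDS = ((30, "elevated"), (12, "moderate"), (0, "minor"))


# --- Data loss prevention: inspects one action, remembers nothing -----------
def dlp_decision(ev: Event) -> str:
    """Content-aware rule applied to a single action (constructed rule set)."""
    if ev.sensitive and ev.action in EXFIL_ACTIONS:
        return "block"
    if ev.sensitive and ev.action == "download" and ev.count >= VOLUME_THRESHOLD:
        return "warn"
    return "allow"


# --- Insider risk: correlates sensitive actions per user across days --------
def pseudonym(user: str, salt: str = "TENANT_SALT_PLACEHOLDER") -> str:
    """Stable pseudonym shown to reviewers; the salt stands in for a tenant secret."""
    return "user-" + hashlib.sha256(f"{salt}:{user}".encode()).hexdigest()[:8]


def band(score: int) -> str:
    return next(level for floor, level in BANDS if score >= floor)


def risk_score(events: list[Event], hr_last_day: dict[str, date]) -> dict[str, dict]:
    """Score each user on volume, the stage/rename/exfiltrate sequence and notice timing."""
    by_user: dict[str, list[Event]] = defaultdict(list)
    for ev in events:
        if ev.sensitive:
            by_user[ev.user].append(ev)
    cases = {}
    for user, evs in by_user.items():
        score = sum(WEIGHTS[e.action] + (VOLUME_BONUS if e.count >= VOLUME_THRESHOLD else 0)
                    for e in evs)
        actions = {e.action for e in evs}
        if {"download", "rename"} <= actions and actions & EXFIL_ACTIONS:
            score += SEQUENCE_BONUS
        last_day = hr_last_day.get(user)
        if last_day and any(timedelta(0) <= last_day - e.day <= NOTICE_WINDOW for e in evs):
            score *= 2   # the same activity inside a notice period weighs double
        cases[pseudonym(user)] = {"score": score, "level": band(score)}
    return cases


def adaptive_policy(level: str) -> str:
    """Constructed policy tiers; everyone else in the tenant keeps the standard policy."""
    return {"minor": "standard DLP policy",
            "moderate": "warn and audit personal-cloud uploads and external email",
            "elevated": "block external sharing and require reviewer approval"}[level]


def triage(events: list[Event], hr_last_day: dict[str, date]) -> list[tuple]:
    """Ranked reviewer queue: (pseudonym, score, level, policy tier), names withheld."""
    cases = risk_score(events, hr_last_day)
    rows = ((p, c["score"], c["level"], adaptive_policy(c["level"])) for p, c in cases.items())
    return sorted(rows, key=lambda r: r[1], reverse=True)


def reveal_identity(pseudo: str, events: list[Event], role: str) -> str:
    """Only the (constructed) investigator role may map a pseudonym back to a name."""
    if role != "investigator":
        raise PermissionError(f"role {role!r} may not reveal identities")
    for user in {e.user for e in events}:
        if pseudonym(user) == pseudo:
            return user
    raise KeyError(pseudo)


if __name__ == "__main__":
    for ev in EVENTS:
        print(f"DLP  {ev.day} {ev.user:6} {ev.action:22} -> {dlp_decision(ev)}")
    for row in triage(EVENTS, HR_LAST_DAY):
        print("IRM ", *row)
```

Run as written, the DLP column returns the same "block" for the departing user's cloud upload and for the honest one-time external email, which is all a single blocked action can say. The correlation separates them: the departing user lands at elevated because the staging, renaming and exfiltration all fall inside the notice window, the third user lands at moderate on the same pattern without a notice date, and the one-time slip stays minor. The reviewer gets a pseudonym and the matching stricter policy tier, and only the investigator role can resolve the name. The moderate case goes one step beyond the scenario on the page to show the middle band in use.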

The same risk signals are increasingly relevant to how your team uses artificial intelligence. Microsoft 365 Copilot surfaces, in seconds, anything a user already has permission to reach, which means a risky insider with broad access is now a faster risky insider. The risky AI usage template and the wider governance picture in our guide on Microsoft Purview data loss prevention for AI and Copilot are part of the same control story: productivity goes up, and the protections have to keep pace. When ABT deploys Microsoft 365 Copilot for a financial institution, configuring Insider Risk Management and the risky AI usage template is part of turning Copilot on safely, not a separate project bolted on later.


The examiner's view: insider monitoring is an expectation, not an extra

Watching authorized users is not just good practice. For financial institutions it is written into the rules that examiners enforce. The FTC Safeguards Rule, which governs non-bank financial institutions such as independent mortgage lenders and brokers, names the requirement directly.

FTC Safeguards Rule

Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.

16 CFR 314.4(c)(8)

Read that requirement again with the phrase "authorized users" in mind. The rule is not only about keeping outsiders out. It explicitly requires a covered institution to monitor and log what its own authorized people do, and to be able to detect when one of them misuses customer information. That is the insider problem, named in the regulation.

Banks and federally insured credit unions sit under a parallel regime, the information security standards that implement Section 501(b) of the Gramm-Leach-Bliley Act, including the NCUA's Guidelines for Safeguarding Member Information at 12 CFR Part 748, Appendix A. Those guidelines are risk-based, and they expect access controls, monitoring, and the ability to respond to unauthorized access to member information. The FFIEC IT Examination Handbook reinforces the same expectations through its Information Security booklet, which treats least privilege, user activity monitoring, and detection of anomalous behavior as core controls.

A note on terminology that auditors notice

ABT manages your Microsoft 365 tenant. Microsoft owns and runs the underlying infrastructure; as a Tier-1 Microsoft Cloud Solution Provider, ABT configures and operates Insider Risk Management inside that tenant through delegated administration. The distinction is not pedantry. A vendor that says it will host your Microsoft 365, rather than manage it, signals to an examiner that it may not understand its own delegated-admin role, and that makes the examiner wonder what else is imprecise.

The practical upshot is the same through every regulatory door. Whether your institution answers to the FTC, the NCUA, the OCC, or the FDIC, an examiner can reasonably ask how you monitor the activity of your authorized users and how you would detect misuse of customer or member information. "We trust our staff" is not an answer that closes a finding. A configured, documented Insider Risk Management program is. If you want the broader compliance map, our guide on the FTC Safeguards Rule and Microsoft 365 walks the rule element by element.

Insider risk is three different problems. Microsoft Purview Insider Risk Management scores the behavior and routes a contextualized case to a reviewer for each.

From a license you already own to a program that runs

Here is the part that surprises most institutions: you may already own this. Microsoft Purview Insider Risk Management is included with Microsoft 365 E5, and with the A5 and G5 plans and the Microsoft Purview suite. Organizations on a lower tier can add it through the standalone Microsoft 365 E5 Insider Risk Management add-on. The related Insider Risk Management Forensic Evidence capability is separate: it requires a qualifying base license plus its own capacity add-on, so it is worth scoping on its own rather than assuming it comes bundled.

So for a large share of banks, credit unions, and mortgage companies, the entitlement is already on the invoice. What is missing is not the license. It is the configuration, the rollout, and the review discipline that turn an unused feature into a control an examiner will credit.

The license is the easy part

Turning on Insider Risk Management is a checkbox. Running it is a program. Someone has to choose and tune the policy templates so the alerts are meaningful rather than noisy, define which user groups are in scope, set the privacy and pseudonymization settings, build the review and escalation workflow, connect Adaptive Protection to your data loss prevention policies, and document all of it as evidence for the exam. That ongoing work, not the license, is what separates a feature from a control.

This is also where a poorly run program does real harm. Templates left at their defaults generate noise, the reviewer stops trusting the alerts, and a genuine theft slips through the fatigue. Or the scope is set too wide and honest employees feel surveilled. Tuning the system so it flags the right behavior, reviews it fairly, and produces clean evidence is judgment work that benefits from having done it before.

Why the program, not the license, is the work

Most financial institutions we onboard already own Insider Risk Management inside the Microsoft 365 E5 or Purview licensing they hold, and almost none have it running. As part of the M365 Guardian operating model, ABT configures the policy templates to match the institution's roles and regulator, sets the pseudonymization and privacy controls, builds the review and escalation workflow, wires Adaptive Protection to the data loss prevention policies, and produces the evidence package an examiner asks for. A reseller can put the E5 license on your invoice; turning that entitlement into a control an examiner credits is the work, and it is the work ABT does. ABT manages the tenant; the institution keeps the judgment calls. The license you already pay for becomes a control you can prove.

Access Business Technologies, Tier-1 Microsoft Cloud Solution Provider for financial institutions

Insider Risk Management is one layer of a defensible Microsoft 365 program. It pairs naturally with the controls that keep an attacker from becoming a compromised insider in the first place: see our guides on phishing-resistant multifactor authentication for financial institutions and Conditional Access policies for financial institutions. Together they take the productivity your team already has, keep the data protected as people move it, and produce the governance evidence the exam wants to see.

The license is the floor. Configuration, review discipline, and documentation build the examiner-ready insider-risk program on top of it.


Frequently Asked Questions

Microsoft Purview Insider Risk Management is a Microsoft 365 capability that correlates activity signals from across the environment, including file activity, email, devices, and Teams, into a per-user risk level so that risky behavior by authorized users can be detected and reviewed. It ships with pre-built policy templates such as data theft by departing users, data leaks, security policy violations, and risky AI usage, and by default it pseudonymizes user identities in the investigation experience so analysts see risk without names until policy allows an identity to be revealed. For financial institutions it provides the behavioral layer that watches trusted insiders, which perimeter tools do not cover.

Data loss prevention and Insider Risk Management answer two different questions. Data loss prevention is content-aware and rule-based: it inspects an individual action, such as an email containing account numbers, and blocks, warns, or allows it in the moment, answering what data is leaving and through which channel. Insider Risk Management correlates many signals across many days into a per-user risk picture, answering who is behaving riskily and why, and surfacing patterns that a single blocked action would hide. The two reinforce each other, and Microsoft's Adaptive Protection lets a rising insider risk level automatically apply stricter data loss prevention policies to that specific user. A complete program uses both.

Yes. Monitoring authorized-user activity is a documented regulatory expectation, not an optional extra. The FTC Safeguards Rule at 16 CFR 314.4(c)(8) requires covered non-bank financial institutions to monitor and log the activity of authorized users and detect unauthorized access or use of customer information by those users. Banks and federally insured credit unions face parallel expectations under the Gramm-Leach-Bliley Act information security standards, including the NCUA guidelines at 12 CFR Part 748 Appendix A, and the FFIEC IT Examination Handbook treats least privilege, user activity monitoring, and detection of anomalous behavior as core controls. An examiner can reasonably ask how you monitor your authorized users and detect misuse, and a configured, documented program is the answer that closes the finding.

Microsoft Purview Insider Risk Management is included with Microsoft 365 E5, as well as the A5 and G5 plans and the Microsoft Purview suite. Organizations on a lower tier can add it through the standalone Microsoft 365 E5 Insider Risk Management add-on. The related Insider Risk Management Forensic Evidence capability is separate: it requires a qualifying base license plus its own capacity add-on, so it is not simply included. Because many financial institutions already hold Microsoft 365 E5 or equivalent compliance licensing, the entitlement for Insider Risk Management itself is frequently already paid for and simply not yet configured.

No, and Microsoft designed it to avoid that. By default, Insider Risk Management pseudonymizes user identities in the investigation experience, so analysts evaluate risky activity without seeing who the person is, and only authorized role groups can reveal an identity when an investigation justifies it. That design supports separation of duties and the privacy expectations a workforce reasonably has. The intent is not blanket surveillance; it is the ability to put a single piece of risky activity in context so an honest mistake gets coaching while a genuine theft gets caught. Scoping, privacy settings, and review discipline, configured correctly, are what keep the program fair as well as effective.

The negligent insider, by a wide margin. Most insider exposure comes from employees trying to do their jobs, such as emailing member data to a personal account to work from home, pasting account details into a consumer AI tool, or saving loan files to an unmanaged drive, rather than from malicious actors. The 2026 Cost of Insider Risks Global Report from the Ponemon Institute and DTEX Systems found that negligent, non-malicious behavior drives the largest share of the average $19.5 million annual cost of insider risk. Malicious insiders are rarer but costlier per incident, and compromised accounts taken over by outside attackers are a third category, which is why an effective program distinguishes among them rather than treating every signal the same way.

Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has worked with financial institutions on Microsoft technology since founding Access Business Technologies in 1999. As CEO of ABT, the largest Tier-1 Microsoft Cloud Solution Provider primarily dedicated to financial services, he works with more than 750 banks, credit unions, and mortgage companies to configure Microsoft Purview Insider Risk Management and the wider Microsoft 365 security stack into an examiner-ready program and to document it for the exam.