In June 2023, a zero-day vulnerability in a widely used file transfer tool triggered one of the biggest data breaches in recent memory. Within days, the MOVEit exploit compromised more than 2,700 organizations, including a number of major financial institutions. Sensitive data like financial records, insurance claims, and customer identities were being exfiltrated and published left and right. Not surprisingly, firms like TD Ameritrade and Charles Schwab were soon facing lawsuits over the exposure of regulated data.
The real problem wasn’t just the vulnerability. It was that the industry could not respond quickly enough.
Even after the exploit was discovered, most financial organizations had to wait for a patch, test it against production workloads, schedule downtime, coordinate changes across multiple environments, and then deploy. That process took days — in some cases, weeks. Meanwhile, attackers moved in minutes.
This is the real lesson of MOVEit. Our current security architecture is built for control, not speed. It assumes we can patch faster than attackers can act, and it predates AI being part of the attackers’ toolbox.
Strong security used to mean locking down environments so tightly that change was the enemy. Policy updates were rare, rule sets were hardened, and any deviation was treated as a failure of process. That rigidity, once a virtue, has become one of the greatest vulnerabilities in the modern financial stack.
Rigidity Breaks in Finance
We’ve spent decades designing controls that assume stability. Firewalls, policies, scanning tools — all optimized for systems that change slowly and predictably. But modern financial platforms are highly dynamic and fast-paced. Today, your environment might push new code several times a day. Markets change rapidly, fraud attempts spike moment to moment, and regulatory requirements constantly get updated in various jurisdictions.
Meanwhile, your attack surface isn’t even yours anymore. It’s every third-party API you connect to, every legacy service you still support, and every partner that handles your data. The introduction of embedded finance and open banking APIs has completely eroded the concept of a fixed perimeter. These days, more than 80% of web traffic comes from APIs, and attackers love exploiting them because they fall outside traditional detection models.
All these changes are good for functionality, but they can make it hard for security to keep pace. Defenders cannot afford to ignore the fact that the most critical threats now happen inside applications, within the runtime environment.
The Compliance Element
Financial services firms operate under perhaps more regulatory scrutiny than any other industry. And to make matters worse, the regulations are a moving target. The SEC has cyber incident disclosure mandates, the EU has the Digital Operational Resilience Act (DORA), PCI DSS gets ongoing updates, and many countries have their own data protection laws. Just staying up to date on what’s required of you can be a chore, let alone implementing it.
Static security policies are completely outmatched by the pace of regulatory change. Most were designed for a world where requirements changed slowly, giving teams time to assess, plan, and respond. That’s no longer the case. Meanwhile, failing to comply is just not an option. In addition to fines, it can result in reputational damage, loss of licenses, customer churn, and legal exposure.
When regulators demand near-immediate breach disclosure, evidence of real-time protections, or auditable policy controls, security teams can’t rely on a quarterly review cycle. They need defenses that adapt to their changing needs.
What We Need
Zero-days like MOVEit don’t knock on the front door; they bypass it entirely. For these vulnerabilities, it doesn’t matter how well-documented your controls are if they rely on scheduled patch cycles, change windows, and static rule sets. They’ve become a bottleneck.
This is more of a mindset problem than a technology problem. Security can’t afford to move slower than the pace of innovation. The pursuit of visibility and prevention just isn’t enough anymore. Defenders need policy agility. This requires the ability to:
- Deploy a new security rule as fast as the business deploys a new product feature
- Isolate risky behavior in production without tearing the whole system down
- Make moves without waiting for a patch or a redeploy or a clean maintenance window
Until security becomes as dynamic as the threats it defends against, it will always be a step behind.
Security That Moves With You
If constant change is now the norm, then security has to be part of that rhythm. You can’t bolt on agility after the fact the way you put snow tires on your car. It has to be baked in from day one. Policies must be created, deployed, and updated right alongside the systems they’re designed to protect.
Forward-thinking financial organizations are already treating security less as a static control and more as a living system. Policies aren’t just documentation or firewall configs anymore. They’re becoming dynamic, testable, and responsive just like code. And like code, they need to run where the action is.
When a new threat emerges, whether it’s a novel exploit or an API being abused in unexpected ways, teams need to be able to react in hours, not weeks. Rules must be enforced in production, without waiting for a full patch cycle or redeployment. Runtime enforcement gives you that. It lets security teams apply precise protections — at the level of a SQL query or file operation — without interrupting operations or rewriting any code.
This is great for compliance as well. Keeping compliant with a long list of regulatory frameworks that are constantly being updated can be a real bottleneck. But runtime controls are inherently measurable. Every action is logged and every block is documented. You’re not just saying a policy exists; you’re showing that it’s active and effective, in real time.
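As an added illustration (not from the original article and not Waratek's code), the sketch below shows a rule applied at the file-operation level without changing or redeploying the application, with every match logged. Python's `sys.addaudithook` stands in for a runtime enforcement layer; it is a monitoring interface rather than a sandbox, and the rule format, `load_policy`, `read_export`, and `demo` are hypothetical names.

```python
import fnmatch
import json
import os
import sys
import tempfile

_rules = []     # policy is data: replacing this list changes enforcement at once
audit_log = []  # every rule match is recorded here as evidence

def load_policy(policy_json):
    """Swap in a new rule set at runtime; returns the number of active rules."""
    global _rules
    rules = json.loads(policy_json)
    for r in rules:  # reject malformed rules before they go live
        if r["action"] not in ("block", "monitor"):
            raise ValueError(f"rule {r['id']}: unknown action {r['action']!r}")
    _rules = rules
    return len(_rules)

def _enforce(event, args):
    """Audit hook: the interpreter calls this on every audited operation."""
    if event != "open" or not isinstance(args[0], (str, bytes, os.PathLike)):
        return
    path = os.path.realpath(os.fsdecode(args[0]))  # resolve symlinks first
    for r in _rules:
        if r["event"] == event and fnmatch.fnmatch(path, r["path_glob"]):
            audit_log.append({"rule": r["id"], "path": path, "action": r["action"]})
            if r["action"] == "block":
                raise PermissionError(f"blocked by policy rule {r['id']}")

sys.addaudithook(_enforce)  # installed once; rules change without a restart

def read_export(path):
    """Stand-in for unmodified application code that reads a file."""
    with open(path) as fh:
        return fh.read()

def demo():  # constructed sample: the same read succeeds, then a new rule blocks it
    d = os.path.realpath(tempfile.mkdtemp())
    p = os.path.join(d, "claims_export.csv")
    with open(p, "w") as fh:
        fh.write("constructed sample")
    before = read_export(p)
    load_policy(json.dumps([{"id": "R-1", "event": "open",
                             "path_glob": d + "/*", "action": "block"}]))
    try:
        read_export(p)
    except PermissionError as exc:
        return before, str(exc), audit_log[-1]["rule"]
```

Loading a rule with `"action": "monitor"` first records what it would catch without blocking anything, which lets a new rule be observed in production before it is switched to `"block"`.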
Security teams have done the work to build visibility. We know where risks are coming from. Now the next step is to turn that insight into action as fast as the business moves.