Cybersecurity: Preparing Your Bank’s Board for 2025

By Raj Patel

As board directors, you play a central role in fostering a secure and resilient culture within your bank, and that role should account for the rise of AI technologies, the shifting regulatory landscape with the retirement of the FFIEC’s Cybersecurity Assessment Tool (CAT), and the increasingly sophisticated cyber threats expected in 2025. However, your biggest threat might be believing your institution is immune to a cyber-attack and not having a properly qualified cybersecurity leader at your institution.

Lessons from 2024: Key Takeaways

Cyber-attacks on financial institutions continued to rise in 2024, leading many community banks to bolster their cybersecurity programs. The most highly publicized breach was the ransomware attack at Evolve Bank & Trust in Arkansas, which compromised data for 7.6 million users, including some of their partners. When the bank refused to pay the ransom, hackers began leaking the data on the dark web. In addition to the costs of breach containment, the bank now faces class action lawsuits that could potentially cost it millions. Unfortunately, many institutions still operate under the belief that such incidents will not happen to them. It is imperative for bank directors to push management to assess how well-prepared the institution is against real threats.

The following 2024 trends will continue into 2025:

AI Adoption: The growing use of AI tools in banking has brought innovation but also risk. Many tools lack proper vetting, raising concerns about compliance, ethics, and transparency.

Leadership Gaps: Many community banks still operate without a certified cybersecurity officer, leaving critical vulnerabilities in managing complex threats.

Regulatory Shifts: The FFIEC’s CAT program is retiring, making the adoption of the NIST CSF 2.0 compliance framework a top priority for banks in 2025.

Kick-Starting 2025: Cybersecurity Governance Starts with the Board

As a board member, your role in cybersecurity governance is indispensable. While you’re not expected to tackle technical challenges directly, your oversight ensures that senior management is accountable for implementing a robust information security program.

Here’s how you can take an active role in shaping your bank’s cybersecurity posture and culture:

Stay Engaged: Make cybersecurity a standing priority in board discussions. Regularly ask critical questions about emerging threats, mitigation strategies, and the bank’s overall preparedness. Ensure your Cybersecurity Officer has the necessary qualifications and experience, and consider bringing in outside experts to bridge any knowledge gaps.

Focus on AI: With AI tools becoming more prevalent, ensure management addresses key issues:

Compliance with the Gramm-Leach-Bliley Act.

Ethical use and fairness in AI-driven financial decisions.

Transparency with customers and regulators.

Oversight to maintain human judgment in decision-making processes.

Employee training on responsible AI use.

Adopt NIST CSF 2.0 Early: The transition to the NIST Cybersecurity Framework (NIST CSF) 2.0 represents a significant shift in how community banks approach cybersecurity. With the FFIEC’s Cybersecurity Assessment Tool (CAT) being retired, the updated NIST CSF 2.0 will become the standard framework for managing cyber risks, compliance, and governance in 2025 and beyond. Early adoption of this framework is not just a regulatory requirement; it’s a strategic opportunity to strengthen your bank’s cybersecurity posture and build trust with regulators, customers, and stakeholders.

Cybersecurity is not a one-time initiative; it’s a continuous journey of adaptation and improvement. As board directors, your leadership in this area sends a powerful message of commitment to your bank’s employees, customers, and stakeholders.

Let’s lead the way to a safer tomorrow.

About the Author

Raj Patel is a Partner with FinCyberTech. Raj has 27 years of experience in cybersecurity and has worked with over 100 financial institutions.
