Taking A Proactive Approach to Cybersecurity Risk


APRIL 10, 2025

Cybersecurity in Banking

Cybersecurity is the most common risk category bankers are concerned about for 2025 (84%), according to the Bank Director 2025 Risk Survey. Reasons to worry about cybersecurity pertain both to cybersecurity itself and to the other categories of risk that surround it. According to the survey, cybersecurity risk is interwoven with other categories that particularly concern bankers: three top categories of risk that cybersecurity touches are regulatory, compliance, and operational risks — which are themselves complex issues.

Understanding and addressing those three categories of risk with cybersecurity in mind is fundamental to an institution’s cybersecurity program:

  • Regulation: Information security reviews are baked into examinations, and bankers need to be prepared for IT audits, but as we’ve written, rules about cybersecurity are fragmented. The Gramm-Leach-Bliley Act covers data security most completely — part of the law manifests in the Federal Trade Commission’s Safeguards Rule, which instructs financial institutions to create a “safeguards” program and identify and assess risks to customer information in the company’s operations.

  • Compliance: There’s a leap between awareness of regulation and adherence. It is the bank’s responsibility to create a comprehensive risk management framework that includes cybersecurity and ensures compliance with relevant regulations. The board should set expectations for how management accounts for cybersecurity risk when making decisions and regularly review the execution of programs designed to protect data and technology assets based on the bank’s policies.

  • Operations: The security of an institution’s IT systems and the cybersecurity risks inherent in its day-to-day processes are operational elements that play into the wider picture. Mitigation includes attention to cybersecurity that goes beyond initial vendor risk assessments to practices like real-time security monitoring, threat testing, and cybersecurity incident recovery exercises.

A cybersecurity framework is essential for banks to manage these overlapping risks — it isn’t just a function of IT nor is it limited to certain categories of staff. Institutions need to have a board-level understanding of cybersecurity risk and install senior management that will implement cybersecurity best practices, create clear roles and responsibilities related to cyber risk, and make a detailed cybersecurity framework an integral part of their vendor risk management.

After creating a cybersecurity framework, institutions’ next step is to have proactive, ongoing cybersecurity risk assessment and mitigation. This may include active board involvement in cyber policies, ongoing threat assessments and internal reviews, recurring investment in secure infrastructure and cybersecurity solutions, and regular cyber stress testing to evaluate defenses against evolving threats. A proactive approach ensures that cybersecurity remains a core component of overall risk management.