Community Banks Remain Troublingly Vulnerable to Third-Party Cybersecurity Risk

Community and mid-sized banks are playing catch-up on cybersecurity. But the task is complicated by their simultaneous pursuit of digital transformation, and by their dependence on third-party vendors and partners to get there.

The report: 2024 Community and Mid-Size Banks Cybersecurity Survey

Source: Jones Walker

Why we picked this report: Cybersecurity is likely to be a key component of the new administration’s evolution of banking policy and regulation.

Executive Summary

The Jones Walker 2024 Community and Mid-Size Banks Cybersecurity Survey reveals a complex landscape where banks show some improvement in post-incident regulatory compliance but lag when it comes to crucial prevention and preparedness measures.

While 99% of surveyed banks report feeling prepared for cyberattacks, significant vulnerabilities persist, particularly in third-party vendor management and in the use of outside cybersecurity expertise. Jones Walker’s research, based on responses from 125 bank executives, indicates that while the industry is making progress in some areas, many institutions are not fully leveraging available tools and expertise to protect against evolving threats.

Most concerning: Only 71% of banks hold third-party vendors accountable for contractual, legal, or regulatory liability, despite 99% relying on these vendors for cybersecurity support.

Key Takeaways

  • Banks demonstrate strong awareness of regulatory compliance requirements but show significant gaps in preventive measures and preparedness, with many lacking robust encryption and vendor oversight protocols
  • While 99% of banks use third-party vendors for cybersecurity, due diligence and ongoing oversight of these critical relationships remain inadequate
  • Outside expertise is significantly underutilized, with only 43% using experienced cybersecurity attorneys and 32% engaging external forensic consultants
  • Emerging technologies like AI offer significant advantages for improving security, but many banks have yet to embrace these tools effectively
  • Only 41% of cyber insurance holders have had their policies reviewed to ensure sufficient coverage

What we liked about this report: It highlights the security risks faced by mid-sized and smaller institutions that are forced to pursue digital transformation by relying on third-party partners who sometimes come to the table with their own vulnerabilities.

What we didn’t: Some of the recommendations are general.

Rising Threats Amid Digital Transformation

Community and mid-size banks are experiencing unprecedented cybersecurity challenges as they navigate digital transformation. These institutions, which manage $4.5 trillion in outstanding loans and $6.7 trillion in assets, represent crucial components of the U.S. financial infrastructure, employing nearly 755,000 people.

Several factors are intensifying their risk exposure:

Cost escalation: The average cost of a data breach in the financial industry has reached $6.08 million per event, with U.S. incidents averaging $9.36 million across industries. These figures represent a 10% increase over the prior year.

Resource constraints: According to the 2024 Security Budget Benchmark Summary Report, cybersecurity staffing growth has dramatically slowed from 31% in 2022 to just 12% in 2024, creating significant operational challenges.

Digital dependency: As banks become increasingly technology-driven enterprises, their dependence on third-party cybersecurity and technology solutions creates new vulnerabilities. According to the survey, 90% of respondents rely on third-party vendors for fintech and banking-as-a-service platforms.

Regulatory pressure: Banks face intensifying scrutiny from regulators regarding their cybersecurity measures, including new requirements from agencies like the SEC for disclosure of material cybersecurity incidents and risk management strategies.

Critical Vulnerabilities and Response Gaps

The survey also reveals several concerning gaps in banks’ cybersecurity preparedness despite high awareness of threats:

Encryption and Data Protection

  • Only 72% of banks consistently use encrypted communication systems
  • A mere 63% encrypt sensitive information at rest
  • 88% have record retention policies governing data disposal, but implementation varies significantly

Third-Party Vendor Management

  • While 99% rely on third-party vendors for cybersecurity support, only 71% hold these vendors accountable for contractual, legal, or regulatory liability
  • Just 23% require vendors to indemnify them against data breach claims
  • Only 50% require prompt notification from vendors in the event of a data breach
  • Fewer than half (43%) investigate vendors’ breach incident history

Incident Response and Testing

  • Only 61% have established specific incident response teams with clearly assigned roles
  • 76% conduct regular cybersecurity penetration testing exercises
  • Among banks conducting penetration tests, 56% discovered specific vulnerabilities requiring remediation

Insurance and Risk Management

  • Despite 76% relying on cyber insurance for incident cost coverage, comprehensive policy reviews are rare
  • Many banks lack integration between their incident response plans and insurance coverage requirements
  • Only 36% include third-party risk in their incident response plans

These gaps are particularly concerning given that banks identify their top three vulnerabilities as:

1. Insiders (current or former employees, contractors) – 63%
2. Unpatched security vulnerabilities – 57%
3. Third-party service providers – 52%

The data suggests that while banks recognize cyber threats, many lack the comprehensive, layered security approach needed to address modern cyber risks effectively. This disparity between awareness and action creates significant exposure, particularly as threat actors increasingly target smaller financial institutions that may lack the robust defenses of larger banks.

What Are the Next Steps?

The survey suggests several key areas for improvement:

Enhanced prevention: Banks should shift focus from post-incident compliance to preventive measures, including stronger encryption protocols and regular security testing

Vendor management: Implement more rigorous third-party vendor oversight, including regular audits and clear contractual requirements for security standards

External expertise: Increase engagement with cybersecurity experts and legal counsel to strengthen preparedness and response capabilities

Technology adoption: Carefully evaluate and implement emerging technologies like AI for security enhancement while managing associated risks

The research clearly indicates that while community and mid-size banks have made progress in cybersecurity awareness, significant work remains to achieve comprehensive security. Success requires a balanced approach combining strong preventive measures, careful vendor management, expert guidance, and strategic technology adoption.

Editor’s note: This article was prepared with AI language software and edited for clarity and accuracy by The Financial Brand editorial team.

This article was originally published on . All content © 2024 by The Financial Brand and may not be reproduced by any means without permission.