The report: 2024 Community and Mid-Size Banks Cybersecurity Survey
Source: Jones Walker
Why we picked this report: Cybersecurity is likely to be a key component of the new administration’s evolution of banking policy and regulation.
Executive Summary
The Jones Walker 2024 Community and Mid-Size Banks Cybersecurity Survey reveals a complex landscape where banks show some improvement in post-incident regulatory compliance but lag when it comes to crucial prevention and preparedness measures.
While 99% of surveyed banks report feeling prepared for cyberattacks, significant vulnerabilities persist, particularly in third-party vendor management and cybersecurity expertise utilization. Jones Walker’s research, based on responses from 125 bank executives, indicates that while the industry is making progress in some areas, many institutions are not fully leveraging available tools and expertise to protect against evolving threats.
Most concerning: Only 71% of banks hold third-party vendors accountable for contractual, legal, or regulatory liability, despite 99% relying on these vendors for cybersecurity support.
Key Takeaways
- Banks demonstrate strong awareness of regulatory compliance requirements but show significant gaps in preventive measures and preparedness, with many lacking robust encryption and vendor oversight protocols
- While 99% of banks use third-party vendors for cybersecurity, due diligence and ongoing oversight of these critical relationships remain inadequate
- Outside expertise is significantly underutilized, with only 43% using experienced cybersecurity attorneys and 32% engaging external forensic consultants
- Emerging technologies like AI offer significant advantages for improving security, but many banks have yet to embrace these tools effectively
- Only 41% of cyber insurance holders have had their policies reviewed to ensure sufficient coverage
What we liked about this report: It highlights the security risks faced by mid-sized and smaller institutions that are forced to pursue digital transformation by relying on third-party partners, which sometimes come to the table with their own vulnerabilities.
What we didn’t: Some of the recommendations are general.
Rising Threats Amid Digital Transformation
Community and mid-size banks are experiencing unprecedented cybersecurity challenges as they navigate digital transformation. These institutions, which manage $4.5 trillion in outstanding loans and $6.7 trillion in assets, represent crucial components of the U.S. financial infrastructure, employing nearly 755,000 people.
Several factors are intensifying their risk exposure:
Cost escalation: The average cost of a data breach in the financial industry has reached $6.08 million per event, with U.S. incidents averaging $9.36 million across industries. These figures represent a 10% increase over the prior year.
Resource constraints: According to the 2024 Security Budget Benchmark Summary Report, cybersecurity staffing growth has dramatically slowed from 31% in 2022 to just 12% in 2024, creating significant operational challenges.
Digital dependency: As banks become increasingly technology-driven enterprises, their dependence on third-party cybersecurity and technology solutions creates new vulnerabilities. According to the survey, 90% of respondents rely on third-party vendors for fintech and banking-as-a-service platforms.
Regulatory pressure: Banks face intensifying scrutiny from regulators regarding their cybersecurity measures, including new requirements from agencies like the SEC for disclosure of material cybersecurity incidents and risk management strategies.
Critical Vulnerabilities and Response Gaps
The survey also reveals several concerning gaps in banks’ cybersecurity preparedness despite high awareness of threats:
Encryption and Data Protection
- Only 72% of banks consistently use encrypted communication systems
- A mere 63% encrypt sensitive information at rest
- 88% have record retention policies governing data disposal, but implementation varies significantly
Third-Party Vendor Management
- While 99% rely on third-party vendors for cybersecurity support, only 71% hold these vendors accountable for contractual, legal, or regulatory liability
- Just 23% require vendors to indemnify them against data breach claims
- Only 50% require prompt notification from vendors in the event of a data breach
- Fewer than half (43%) investigate vendors’ breach incident history
Incident Response and Testing
- Only 61% have established specific incident response teams with clearly assigned roles
- 76% conduct regular cybersecurity penetration testing exercises
- Among banks conducting penetration tests, 56% discovered specific vulnerabilities requiring remediation
Insurance and Risk Management
- Despite 76% relying on cyber insurance for incident cost coverage, comprehensive policy reviews are rare
- Many banks lack integration between their incident response plans and insurance coverage requirements
- Only 36% include third-party risk in their incident response plans
These gaps are particularly concerning given that banks identify their top three vulnerabilities as:
1. Insiders (current or former employees, contractors) – 63%
2. Unpatched security vulnerabilities – 57%
3. Third-party service providers – 52%
The data suggests that while banks recognize cyber threats, many lack the comprehensive, layered security approach needed to address modern cyber risks effectively. This disparity between awareness and action creates significant exposure, particularly as threat actors increasingly target smaller financial institutions that may lack the robust defenses of larger banks.
What Are the Next Steps?
The survey suggests several key areas for improvement:
Enhanced prevention: Banks should shift focus from post-incident compliance to preventive measures, including stronger encryption protocols and regular security testing.
Vendor management: Implement more rigorous third-party vendor oversight, including regular audits and clear contractual requirements for security standards.
External expertise: Increase engagement with cybersecurity experts and legal counsel to strengthen preparedness and response capabilities.
Technology adoption: Carefully evaluate and implement emerging technologies like AI for security enhancement while managing associated risks.
The research clearly indicates that while community and mid-size banks have made progress in cybersecurity awareness, significant work remains to achieve comprehensive security. Success requires a balanced approach combining strong preventive measures, careful vendor management, expert guidance, and strategic technology adoption.
Editor’s note: This article was prepared with AI language software and edited for clarity and accuracy by The Financial Brand editorial team.