
Cybersecurity Risks and Resources
by Andrew Pasternak, Senior Cybersecurity Policy Analyst, Division of Supervision and Regulation, Federal Reserve Board

Cybersecurity threats continue to be a significant risk faced by financial institutions, including community banks. In a 2024 survey from the Conference of State Bank Supervisors (CSBS), community bankers identified cybersecurity as the greatest internal risk to their operations.[1] Community bankers also identified cybersecurity risks as one of the greatest impediments to implementing new technologies over the next five years. The Federal Reserve’s Vice Chair for Supervision Michelle W. Bowman stated in her opening remarks at the 2024 Midwest Cyber Workshop that “cybersecurity continues to be a key risk area for the banking industry and for regulators” and that “maintaining the necessary resources and technology to support a successful cybersecurity program can feel especially challenging and financially burdensome” for community banks.[2]

As described in the 2024 Cybersecurity and Financial System Resilience Report to Congress, the Federal Reserve continues to view cybersecurity as a high priority for supervised institutions. In its supervisory program, the Federal Reserve follows a risk-focused supervisory approach to assess the appropriateness of a bank’s cyber risk management capabilities in relation to its asset size and the complexity of its business operations.[3] As part of this effort, the Federal Reserve Board’s Operational Risk and Resilience function, in collaboration with Federal Reserve System staff, recently released Cybersecurity Resources for Community Banks (referred to as “resources document” herein).[4]

This article provides a high-level overview of the resources document available to bankers. Although both the resources document and this article describe various existing cyber-related resources, the Federal Reserve does not endorse any specific tool, framework, or other resource. Nevertheless, community bankers may find these resources beneficial, depending on their activities and exposure to cybersecurity risk.

Project Fortress

Project Fortress[5] is an effort spearheaded by the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) to improve the security and resiliency of the financial services sector. This effort brings together existing capabilities and new offerings at no cost to sector participants. Two offerings of particular interest for community banks are (1) the Automated Threat Information Feed from the Treasury[6] and (2) the Cyber Hygiene (CyHy) program[7] from the Cybersecurity and Infrastructure Security Agency (CISA).

The Automated Threat Information Feed provides financial institutions with a tailored stream of cyberthreat-related data, which aggregates key indicators from the Treasury, open source software, government partners, and other sources. Financial institutions can choose to share data through the Automated Threat Information Feed on a voluntary basis, but sharing is not a requirement for enrollment. For more information or to inquire about participation, contact OCCIP at OCCIP-Coord@treasury.gov.

The CISA CyHy program offers free cybersecurity services to organizations to reduce their cybersecurity vulnerabilities and weaknesses. Participating organizations can receive CISA-conducted scans of internet-facing systems to identify vulnerabilities and provide confidential, actionable feedback. CISA also offers a deep-dive web application scanning tool for a bank to uncover vulnerabilities and misconfigurations that attackers could exploit in the bank’s systems. For more information about the CyHy program, email vulnerability@cisa.dhs.gov.

Collectively, these two free tools could improve a community bank’s cybersecurity preparedness.

Standardized Approaches to Assessing Cybersecurity Preparedness

The Federal Financial Institutions Examination Council (FFIEC) announced that the Cybersecurity Assessment Tool, or CAT, would be sunset on August 31, 2025.[8] The FFIEC’s announcement also indicated that supervised institutions may consider the use of several government and industry-developed tools to help develop and manage their cybersecurity programs.

One of these resources mentioned in the FFIEC announcement is the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0,[9] which provides recommendations to industry, government agencies, and other organizations on how to manage cybersecurity risks. The framework provides guidance on desirable outcomes but does not prescribe any specific path or tools to achieve those outcomes. NIST has also developed a quick-start guide[10] for small and medium-sized businesses as a supplement to the Cybersecurity Framework 2.0.

Other resources noted in the FFIEC announcement, such as CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs)[11] and the Cyber Risk Institute (CRI) Cyber Profile,[12] provide tailored approaches to assist organizations when they are adopting cybersecurity practices within the NIST framework. The CISA CPGs, which were chosen through consultation with subject matter experts in industry, government, and the broader cybersecurity community, are a subset of cybersecurity practices aligned with the NIST Cybersecurity Framework 2.0. The work of these experts resulted in CPGs that should help small and medium-sized organizations prioritize their cybersecurity investments. CISA and partners in the financial services sector continue to develop sector-specific CPGs to address the unique requirements of industry stakeholders.

Financial institutions and trade associations collaborated to develop the CRI Cyber Profile to promote a global standard for banks’ cyber risk assessments. The CRI Cyber Profile provides financial institutions with an approach for identifying technology and cybersecurity risks that will serve their business needs and promote compliance with applicable regulations. In 2024, CRI also released an updated cloud profile to reflect the NIST Cybersecurity Framework 2.0.[13]

The Center for Internet Security (CIS) Critical Security Controls (“CIS Controls”)[14] also provides a simplified set of best practices to mature and strengthen an organization’s cybersecurity posture. The CIS Controls consist of 18 overarching measures prioritizing enterprise activities. An organization can also use the CIS Controls to map its internal controls to other cybersecurity policy, regulatory, and legal frameworks, including the International Organization for Standardization[15] and NIST frameworks.

Conclusion

The Federal Reserve recognizes the challenges faced by banks in managing and controlling cybersecurity risks and is dedicated to supporting community banks by providing resources to manage these risks. While these resources can assist community banks in their self-assessment of their cybersecurity risk management activities, they do not reflect the Federal Reserve’s examination program for evaluating a bank’s cybersecurity risk exposure and risk management practices.

If you have questions about the resources provided in this article or want to see a particular subset of cybersecurity resources detailed in a future article, reach out to us at administrator@communitybankingconnections.org.
