Community Banking Connections

Home > Third Release 2025 > Cybersecurity Threats and the Risk Posed to Community Banks

Print Article

August 2025

Cybersecurity Threats and the Risk Posed to Community Banks
by Tasnim Ahmad, Examiner, Federal Reserve Bank of Kansas City

In 2023, the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) received 880,418 complaints about cybercrimes, with potential losses exceeding $12.5 billion.¹ In 2024, 859,532 complaints were received; however, “a new record for losses [was] reported to IC3, totaling a staggering $16.6 billion.”² It is no secret that cyberattacks and cyber fraud have been a growing problem. However, cybercrime continues to escalate as the economy moves more to digital.

Developments in the digital economy, such as the rise of e-commerce and digital payment methods, may be convenient for businesses and consumers alike, but these developments have also resulted in cybersecurity becoming a serious concern for community bankers. In a 2024 survey conducted by the Conference of State Bank Supervisors (CSBS), cybersecurity risk was cited as the top internal risk, with nearly 96 percent of community bankers viewing cybersecurity risk as either “extremely important” or “very important.”³ Likewise, in the 2023 CSBS survey, 93 percent of community bankers had reported that cybersecurity was “extremely important” or “very important.”⁴

Why are bankers getting more concerned? Cyberattacks, especially against community banks, are becoming more numerous, sophisticated, and troublesome for banks. This article explores why cybersecurity is among the top risks for community banks and how community banks can mitigate cyberthreats.

Cybersecurity Statistics

During the past decade, the financial services sector has consistently been ranked among the most targeted industries in terms of cybersecurity incidents because of its access to funds and sensitive customer data.⁵ Because banks are among the biggest targets for cybercriminals, the market for information technology security in banking has grown. The market value of these security features reached $38.72 billion in 2021, with projections estimated at a compound growth rate of 22.4 percent and a value of $195.5 billion by 2029.⁶ This increased investment aligns with the increased sophistication of cyberattacks. While early cyberattacks were mainly the traditional hit-and-run variety, a more professionalized type of cyberthreat is growing. These advanced persistent threats differ from traditional web application threats because they are sustained attacks that infiltrate networks and can remain undetected for weeks, months, or even years.⁷

Importance of Cybersecurity in Community Banking

Cybersecurity helps to prevent or manage the risk of damage to, and unauthorized use and exploitation of, electronic information and communications systems and to restore information, if needed, to strengthen the confidentiality, integrity, and availability of these systems.⁸ In other words, the goal of cybersecurity is to let institutions, such as banks, protect themselves from risks associated with cyberattacks, including malware, hacking, data theft, and unauthorized exploitation of systems, networks, devices, programs, and data.⁹

In an age when more people are using less cash and relying more on digital payment methods and other payment systems, community banks should have the appropriate cybersecurity safeguards in place to protect their customers’ privacy, data, and assets.

Cybersecurity Challenges for Community Banks Versus Large Banks

Cyberattacks on banks have been making headlines for years. The leading large banks in the United States have implemented sophisticated cybersecurity systems for round-the-clock defense against cybercriminals. However, hackers and cybersecurity experts realize that the nation’s 4,000-plus community banks most likely do not have the sophisticated defenses against cybercriminals that larger banks have.^10,11 Therefore, hackers know that larger banks have more resources and systems than community banks to defend against a cyberattack. Community banks rarely have the resources to match that level of vigilance. Cost aside, community banks face other unique difficulties in maintaining an adequate cybersecurity infrastructure. These include:

• Staffing Challenges: Community banks may find it more difficult to attract the necessary talent to deal with cybersecurity risks. Larger banks can offer competitive salaries and other benefits to attract skilled personnel to respond to cyberattacks, which may leave community banks lagging.¹²
• Third-Party Access: Community banks often rely on a network of partners, services, and data providers. Cyberattackers frequently exploit third-party providers’ vulnerabilities to access bank data or networks and start moving laterally.¹³
• Static Data Intelligence: Larger banks can often stay ahead of cybercriminals by implementing real-time detection systems that monitor networks round the clock. Larger banks may implement threat intelligence to gather information and flag unusual activity so that they can respond appropriately. Larger banks typically pay or subscribe to access this information and may create a designated team to monitor and respond to threats, while community banks may not be able to tap into real-time data to implement such security defenses. Less complex security defenses make community banks prime targets for fraudsters who can bypass them by hijacking an email, resetting a user’s password, or outmaneuvering two-factor authentication via subscriber identity module swapping.¹⁴

To support bankers in their battle against cyberthreats, the U.S. Department of the Treasury has developed Project Fortress, which includes a public–private information-sharing program so that banks can get additional information and threat intelligence. For the latest information, see “Project Fortress — 2025 Offerings.”¹⁵

Impact of a Cybersecurity Incident on a Community Bank

Because large institutions and community banks are interconnected, a cyberattack targeted at small community banks could have ramifications more broadly. A report from the Federal Reserve Bank of New York, “Cyber Risk and the U.S. Financial System: A Pre-Mortem Analysis,” describes how a cyberattack on a set of small community banks could threaten the solvency of one of the five most active large U.S. banks.¹⁶ The report notes that a coordinated attack on several small community banks, each with less than $10 billion in assets, could result in damaging spillover effects to other institutions. This could disrupt wholesale funding, which could place significant pressure on banks’ liquidity positions.

But putting pressure on banks’ liquidity positions is not the only possible outcome. Community banks also need to consider the subsequent impacts of cyberattacks. The University of Leeds and Durham University jointly conducted a study of small community banks that experienced cyberattacks between 2005 and 2017. The resulting paper, “Cyberattacks on Small Banks and the Impact on Local Banking Markets,” noted that customers moved their deposits from victimized banks after a cyberattack occurred.¹⁷ During this migration of deposits, customers reallocated deposits to larger banks that are viewed as being more resilient against future cyberattacks. The study also describes the competitive implications of moving deposits, stating that “as a result of these damages, hacked banks attract riskier applicants in mortgage markets and are forced to lower credit standards.”

How Community Banks Can Protect Themselves Against Cybersecurity Threats

A strong cybersecurity framework can help protect community banks and their customers from cyberthreats. When a community bank is developing a cybersecurity framework, the 2019 Federal Financial Institutions Examination Council (FFIEC) press release can provide information to encourage a standardized approach to assessing cybersecurity preparedness.¹⁸ A bank needs to consider its resources and business activities when adopting a cybersecurity framework. Community banks also might consider the following practices:

• Employee Training: Employees are the first line of defense against cyberthreats. “Even the best-designed security controls cannot fully protect a financial institution from one uninformed employee, contractor, or customer who unwittingly visits a malicious Web site, opens a malicious email attachment, or clicks on a malicious email link.”¹⁹ Regular training exercises that emphasize the identification of and response to phishing scams, as well as password security and safe browsing practices, are critical.
• Vendor Management: Since many community banks often rely on third-party vendors for some services, regular monitoring of third-party vendors can ensure they have strong cybersecurity practices in place. An article from the Federal Reserve Bank of Minneapolis also notes that, “Banks should enforce [Multi-Factor Authentication] MFA with third parties when possible and confirm that critical service providers have appropriate cybersecurity controls in place to maintain essential services, protect critical customer data, and preserve customer confidence during extended outages.”²⁰ Supervision and Regulation (SR) letter 21-14, “Authentication and Access to Financial Institution Services and Systems,” can also provide additional supervisory guidance.²¹ Additionally, community banks can consult “Third-Party Risk Management: A Guide for Community Banks,”²² a guide developed by the federal banking agencies²³ that includes sound risk management principles for community banks to consider when developing and implementing risk management practices for third-party relationships.
• Encrypted Connections/Identity Access Management (IAM): With more employees working remotely, community banks can use encrypted connections to protect sensitive data. To ensure that remote access to networks and systems is secure, strong authentication measures, such as MFA and secure virtual private network, or VPN, connections, should be used. Banks can also enhance secure connections by implementing IAM, “a set of tools used to provide visibility, control and management of identity and access.”²⁴ By focusing on user authentication, authorization, access, and administration, community banks can ensure that the right people have proper access to the right information, thereby improving their security posture.
• Incident Response and Disaster Recovery: In the event of a cyberattack, having an incident response plan in place can help a community bank respond quickly and effectively to any security breaches. This includes having a designated “internal crisis response team to discern and document incidents as they occur and promote an efficient response with other internal and external stakeholders. Bank staff should also participate in annual tabletop exercises to ensure that they understand how to manage major cyber incidents.”²⁵ The response plan can also consider requirements for notifying primary federal regulators about cyber incidents that had or may have a material impact on the bank.^26,27
• Vulnerability/Patch Management: Identifying vulnerabilities and subsequent patching is crucial for community banks to abate potential attacks. “A robust patch management program should identify, prioritize, and deploy available software patches to ensure all network components, such as firewalls, computers, and mobile devices, are updated timely.”²⁸ In addition to closing vulnerabilities, patch management can improve system performance. For help in identifying vulnerabilities and developing a patch management system, the Cybersecurity and Infrastructure Security Agency (CISA), which “works to understand, manage, and mitigate risk to the nation’s cyber and physical infrastructure in the public and private sector,” has a number of guidelines.²⁹

Community banks are encouraged to reach out to their Federal Reserve Bank central point of contact to ask questions or request more information on cybersecurity risk management practices.

Conclusion

Cyberthreats and cyberattacks have continued to increase and become more sophisticated over the past few years. Community banks are especially vulnerable to cyberattacks because they have fewer resources to provide the same robust protocols employed by larger banks. Since the financial environment is interconnected, shared vulnerabilities also heighten the consequences of a major cyber incident for community banks. Therefore, community banks need to stay informed about the many evolving forms of cyberthreats and develop an appropriate cybersecurity framework that maximizes available resources to reduce the risk and subsequent costs of cyberattacks.

• ¹ See IC3, Federal Bureau of Investigation Internet Crime Report, 2023, available at www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf.
• ² See IC3, Federal Bureau of Investigation Internet Crime Report, 2024, available at www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf.
• ³ See CSBS, 2024 CSBS Annual Survey of Community Banks, October 2–3, 2024, available at www.csbs.org/sites/default/files/other-files/FINAL2024CSBSSurvey.pdf.
• ⁴ See CSBS, 2023 CSBS Annual Survey of Community Banks, October 4–5, 2023, available at www.csbs.org/sites/default/files/2023-09/CSBS%202023%20Community%20Bank%20Survey%2010.04.2023.pdf.
• ⁵ See Michael B. Benardo and Kathryn M. Weatherby, “A Framework for Cybersecurity,” Supervisory Insights, Winter 2015, available at www.fdic.gov/regulations/examinations/supervisory/insights/siwin15/siwinter15-article1.pdf.
• ⁶ See Maximize Market Research, “Cyber Security in BFSI Market Global Industry Overview, Growth Opportunities, Investment Pocket Analysis, Competitive Landscape, MMR Competition Matrix, and Industry Forecast to 2029,” January 3, 2023, available at www.globenewswire.com/en/news-release/2023/01/03/2581878/0/en/Cyber-Security-in-BFSI-Market-Global-Industry-Overview-Growth-Opportunities-Investment-Pocket-Analysis-Competitive-Landscape-MMR-Competition-Matrix-and-Industry-Forecast-to-2029.html.
• ⁷ See Imperva, a Thales Company, “Advanced Persistent Threat (APT),” available at www.imperva.com/learn/application-security/apt-advanced-persistent-threat/.
• ⁸ See National Institute of Standards and Technology, “Small Business Cybersecurity Corner—Glossary,” available at www.nist.gov/itl/smallbusinesscyber/training/glossary.
• ⁹ See IT Governance, “What Is Cyber Security? Definition and Best Practices,” available at www.itgovernance.co.uk/what-is-cybersecurity#:~:text=Cyber%20security%20is%20the%20application,systems%2C%20networks%2C%20and%20technologies.
• ¹⁰ See Alan Schwarz, “America’s Most Cybersecure Banks,” Forbes, March 19, 2024, available at www.forbes.com/lists/cybersecure-banks/?vyhhsh=3a4b24defb25&sh=2f4a321f5947.
• ¹¹ See USAFacts, “How Strong Are Regional and Community Banks in the US?” May 19, 2023, available at https://usafacts.org/articles/how-strong-are-regional-and-community-banks-in-the-us/#:~:text=How%20many%20regional%20and%20community,institutions%2C%20with%2030%2C570%20branches%20nationwide.
• ¹² See S&P Global, “Smaller Banks Face Human Resource Crunch to Counter Cyberattacks—S&P,” September 13, 2023, available at www.spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/smaller-banks-face-human-resource-crunch-to-counter-cyberattacks-8211-s-p-77464134.
• ¹³ See Guardicore, Cybersecurity for Community Banks and Credit Unions, available at www.akamai.com/site/en/documents/white-paper/akamai-cybersecurity-for-community-banks-and-credit-unions-white-paper.pdf.
• ¹⁴ See Ari Jacoby, “A Big Concern for Small Banks: Fraud Risk Rising,” Forbes, April 21, 2023, available at www.forbes.com/councils/forbestechcouncil/2023/04/21/a-big-concern-for-small-banks-fraud-risk-rising/.
• ¹⁵ See U.S. Department of the Treasury, “Project Fortress — 2025 Offerings,” 2025, available at https://home.treasury.gov/system/files/216/Project-Fortress-Brochure.pdf.
• ¹⁶ See Thomas M. Eisenbach, Anna Kovner, and Michael Junho Lee, “Cyber Risk and the U.S. Financial System: A Pre-Mortem Analysis,” Federal Reserve Bank of New York Staff Reports No. 909, revised 2021, available at www.newyorkfed.org/medialibrary/media/research/staff_reports/sr909.pdf?sc_lang=en.
• ¹⁷ See Fabian Gogolin, Ivan Lim, and Francesco Vallascas, “Cyberattacks on Small Banks and the Impact on Local Banking Markets,” S&P Global Market Intelligence, 2021, available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3823296.
• ¹⁸ For more information, see “FFIEC Encourages Standardized Approach to Assessing Cybersecurity Preparedness,” August 28, 2019, available at www.ffiec.gov/news/press-releases/2019/pr-08-28. See also the “Information Technology Guidance” topic page on the Board’s public website, available at www.federalreserve.gov/supervisionreg/topics/information-technology-guidance.htm#Cybersecurity.
• ¹⁹ See Benardo and Weatherby, “A Framework for Cybersecurity.”
• ²⁰ See Dane Scofield, “Cybersecurity Trends and Best Practices for Community Banks,” Federal Reserve Bank of Minneapolis, October 2022, available at www.minneapolisfed.org/article/2022/cybersecurity-trends-and-best-practices-for-community-banks.
• ²¹ For more information, see SR letter 21-14, “Authentication and Access to Financial Institution Services and Systems,” available at www.federalreserve.gov/supervisionreg/srletters/sr2114.htm.
• ²² For more information, see “Third-Party Risk Management A Guide for Community Banks,” May 2024, available at www.federalreserve.gov/publications/files/third-party-risk-management-guide-20240503.pdf.
• ²³ The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency are collectively referred to as the federal banking agencies.
• ²⁴ See Jessica Weisman-Pitts, “The Importance of Identity and Access Management in the Banking Sector,” Global Banking and Finance Review, October 25, 2022, available at www.globalbankingandfinance.com/the-importance-of-identity-and-access-management-in-the-banking-sector.
• ²⁵ See Scofield, “Cybersecurity Trends and Best Practices for Community Banks.”
• ²⁶ See 12 C.F.R. 225, subpart N. For more information, see Kalyn Yzaguirre, “Requirements for Notifying Primary Federal Regulators About Computer-Security Incidents,” Community Banking Connections, Third Issue 2022, available at www.cbcfrs.org/articles/2022/i3/reporting-computer-security-incidents.
• ²⁷ For more information, see SR letter 22-04/Consumer Affairs letter 22-03, “Contact Information in Relation to Computer-Security Incident Notification Requirements,” available at www.federalreserve.gov/supervisionreg/srletters/SR2204.htm.
• ²⁸ See Scofield, “Cybersecurity Trends and Best Practices for Community Banks.”
• ²⁹ See CISA, “Reduce the Risk of a Successful Cyber Attack,” available at www.cisa.gov/cyber-hygiene-services.