Cybersecurity is no longer an abstract threat; it’s an immediate and pervasive danger keeping the CEO of mid-sized River City Bank, Steve Fleming, up at night. Hackers relentlessly target both large institutions for big payoffs and small to mid-sized businesses as easy prey, making cyber resilience essential for any organization. With cyberattacks expected to cause $10.5 trillion in damages by 2025—a 300% increase from 2015—every sector faces devastating potential losses, underscoring the need for robust defenses and rapid response plans.
The Jones Walker 2024 Community and Mid-Size Banks Cybersecurity Survey reflects this widespread vulnerability, highlighting key gaps in cybersecurity practices across the banking sector. This report reveals that while community and mid-size banks are beginning to address these threats, inadequate preparedness, over-reliance on third-party vendors, and underutilization of cyber insurance are leaving them at risk for potentially devastating breaches.
The survey offers a detailed picture of the vulnerabilities facing small and mid-sized banks in the United States. It highlights critical gaps in cyber preparedness, particularly concerning third-party vendor risks, cyber insurance, and the adoption of emerging technologies.
Our survey analysis follows; you can find the whole report here.
Inadequate Preparedness and Prevention Efforts
One of the report’s main findings is that, despite high regulatory standards, small and mid-sized banks often prioritize compliance over proactive prevention. Although 61% of respondents felt somewhat prepared for cyber threats, only 42% felt highly prepared. Furthermore, just over a third of banks use encryption for sensitive data, a fundamental cybersecurity measure. The survey highlights the importance of implementing and regularly testing incident response plans (IRPs). Still, it notes that fewer than two-thirds of banks have specific response teams with clear roles, leaving significant room for improvement in cybersecurity readiness.
Underutilization of Outside Counsel and Cyber Insurance
The survey indicates a troubling trend: only 57% of banks engage cybersecurity attorneys, leaving gaps in their legal protection and preparedness. Banks also underutilize cyber insurance, with fewer than half having policies reviewed for adequate coverage. With insurance companies becoming more sophisticated in matching policies to potential cyber risks, this gap represents a missed opportunity for many banks to mitigate the financial impacts of a cyberattack. As cyber threats become more complex, expert legal and advisory support can be instrumental in helping banks navigate breaches and minimize reputational damage.
Third-Party Vendor Risks
Another pressing issue is the widespread reliance on third-party vendors, with 99% of banks surveyed outsourcing some or all of their cybersecurity needs. These vendors often handle critical data, yet only 71% of banks enforce contracts that hold vendors accountable for security failures. Even fewer, a mere 23%, require vendors to indemnify the bank in the event of a data breach. Without rigorous oversight and robust contractual protections, banks remain vulnerable to breaches that originate with these external providers, making third-party vendor management an area that demands more focus.
Hesitancy Toward Emerging Technology
Community and mid-sized banks are cautious about implementing new technologies, including artificial intelligence (AI), despite the potential cybersecurity benefits. Larger banks have embraced AI, using it to enhance fraud detection and improve resilience against cyber threats, while smaller banks lag. This disparity increases smaller institutions’ risk exposure as attackers shift focus to more vulnerable targets. When deployed responsibly, AI tools can help level the playing field by automating security processes, enabling faster threat detection, and reducing the burden on limited in-house resources.
Emphasis on Cyber Resilience Over Static Security
The report advocates for a shift from traditional security postures to a cyber resilience framework. This approach focuses on continuous improvement and adaptation to new threats rather than striving for a static level of cybersecurity. Building resilience involves anticipating future risks, strengthening incident response strategies, and promoting a culture of security awareness across all levels of an organization. This proactive mindset is particularly vital for smaller banks, which must work harder to maintain trust in an era of rising cybercrime and increasingly complex regulatory environments.
Recommendations and Best Practices
Jones Walker’s report concludes with recommendations for community and mid-sized banks to better protect their assets and customer data. These include:
Enhancing Prevention and Preparedness: Shift focus from reactive compliance to proactive measures, such as regular cybersecurity training, updated encryption protocols, and thorough incident response testing.
Increasing Third-Party Vendor Oversight: Banks should enforce stronger contractual obligations, conduct due diligence, and ensure vendors have solid cybersecurity policies.
Engaging Experienced Cybersecurity Counsel: Utilizing outside advisors can help banks refine their cybersecurity strategies and navigate complex regulations, which can ultimately reduce their exposure to legal risks.
Adopting Emerging Technologies: By cautiously implementing AI and other advanced tools, banks can strengthen their cybersecurity defenses and stay competitive.
The report serves as both a cautionary tale and a call to action, urging community and mid-sized banks to bolster their cybersecurity frameworks. While many have made strides, significant work remains to ensure they can withstand the evolving landscape of cyber threats.
This survey focused on community and mid-size banks across the United States, each with assets under $50 billion. In July 2024, the survey gathered responses from 125 banking executives with cybersecurity responsibilities within their institutions.
Great article, and it is on point! Our team has performed many CyberInsurance Audits and found that many banks, especially Independent Banks, are underresourced when addressing their CyberInsurance preparedness.
Martin, Excellent article with great content. Spot on, especially with medium and small banks. There is no excuse for neglect with all the available information available today. We have had many small businesses come to us in the past 6 months