Community and mid-sized banks must be more proactive in combating cyber threats, according to a survey from New Orleans-based law firm Jones Walker LLP.
Released Nov. 12, the survey included responses from 125 senior technology, information security and risk leaders. Forty-two percent said their banks were “very prepared” for cyber threats, according to the report. Sixty-one percent have formed specific incident response teams with clearly assigned roles, while 37 percent don’t encrypt sensitive information.
Sixty-three percent listed current or former employees and contractors as their top security vulnerability, followed by 57 percent who cited unpatched security vulnerabilities and 52 percent who listed vendor partners or third-party service providers.
Jones Walker called on banks to regularly train employees while testing and updating cybersecurity policies. Banks should also undertake due diligence for third-party vendors, enforce strong contractual terms and hold vendors accountable for meeting security requirements.
Despite nearly every community and mid-size bank relying either partially or fully on third-party vendors to address their cybersecurity needs, only 71 percent had regulatory, contractual or legal liability. Fewer than 25 percent of banks require vendor compensation for data breaches.
Fifty-seven percent of banks are not engaging experienced cybersecurity attorneys, which Jones Walker says increases their exposure to legal and regulatory risks. Only one-third use outside pre- and post-incident forensic consultants. Fifty-nine percent have reportedly not reviewed their cyber insurance policies to ensure sufficient coverage.
According to Jones Walker, community and mid-size banks remain wary of implementing AI for cybersecurity improvements. Partner Jason Loring said cybercriminals are changing their focus to community banks as larger banks improve their defenses through sophisticated security technology.
“We urge small and mid-size banks to shift their security mindset to one focused on cyber resilience, which emphasizes the need to anticipate new threats and continuously improve cybersecurity measures, rather than the traditional notion of achieving a static state of cybersecurity,” added Lara Sevener, a co-leader and partner of the firm’s technology industry team.