Jones Walker LLP today announced the release of its 2024 Community and Mid-Size Banks Cybersecurity Survey, the fourth in the law firm’s series of industry-focused, biannual cybersecurity studies. The comprehensive report highlights significant vulnerabilities and areas for improvement among community and mid-size banks in the United States.
Based on responses from 125 banking executives, including senior risk, technology, and information security leaders, the survey provides a detailed assessment of the current state of cybersecurity awareness, confidence, and preparedness in the banking sector.
This survey is the national law firm’s fourth on the topic of cybersecurity for critical industries. In 2018, the firm’s first survey focused on the greater maritime industry. The second survey, in 2020, focused on the midstream oil and gas sector, and in 2022, the third survey focused on the nation’s ports and terminals.
Key Takeaways
Post-Incident Regulatory Compliance is Slowly Improving, but Prevention and Preparedness are Lacking: The banking sector is highly regulated, which makes data security, data privacy, and data breach compliance a top priority for banking executives. However, only 42% of respondents felt their own bank was very prepared for cyber threats, considering that only 61% of banks have established specific incident response teams with clearly assigned roles and responsibilities and 37% fail to encrypt sensitive information.
The Lack of Due Diligence Performed on Third-Party Vendors is a Significant Risk: While virtually all, 99%, of community and mid-size banks rely in part or in full on the services of third-party vendors to address their cybersecurity needs, only 71% hold them accountable for contractual, legal, or regulatory liability, and a mere 23% require vendors to indemnify them against data breaches.
Banks Are Underutilizing Outside Counsel and Cybersecurity Professionals: Fifty-seven percent of respondents do not engage experienced cybersecurity attorneys, increasing their exposure to regulatory and legal risks. In addition, only 32% use outside pre- and post-incident forensic consultants, potentially hindering effective breach response and recovery. On top of that, 59% have not reviewed their cyber insurance policies to ensure adequate coverage.
Responsibly Embracing Emerging Technology Delivers Significant Advantages: Community and mid-size banks are hesitant to implement emerging technologies like artificial intelligence (AI) for cybersecurity enhancements. With large banks adopting AI, this hesitancy may make community and mid-size banks more vulnerable targets if they do not keep pace.
Author Commentary
“Cyber threats are evolving rapidly, and community and mid-size banks must enhance their cybersecurity posture to protect their customers and assets,” said Andy Lee, a partner and co-leader of Jones Walker’s privacy, data strategy, and artificial intelligence team and Technology Industry Team. “Our survey reveals that while banks are aware of the risks, many are not taking sufficient proactive measures to prevent breaches.”
Tom Walker, a partner on the firm’s Banking & Financial Services Industry Team and a former community bank executive vice president and director, said, “Third-party vendors are a critical resource for community banks, but also a significant source of risk. As our survey clearly points out, community and mid-size banks can do more to mitigate the risks posed by third-party vendors to their information systems, reputations, and customers’ data by following industry and regulatory standards for planning, due diligence, selection, contract negotiation, and monitoring.”
“Banks are highly regulated, but many third-party vendors are not. It is critical that banks conduct thorough due diligence on their vendors and ensure robust contractual protections are in place,” added Rob Carothers, a partner on the firm’s Banking & Financial Services Industry Team.
“As big banks continue to bolster defenses with sophisticated security technologies, cybercriminals are shifting focus to community and other smaller banks,” warned Jason Loring, a partner and co-leader of Jones Walker’s privacy, data strategy, and artificial intelligence team. “AI-based tools, however, can serve as a great equalizer for smaller banks that may have more limited resources, so long as those tools are implemented responsibly. This can help these banks maintain levels of fraud protection, regulatory compliance and operational efficiency commensurate with larger institutions.”
“We urge small and mid-size banks to shift their security mindset to one focused on cyber resilience, which emphasizes the need to anticipate new threats and continuously improve cybersecurity measures, rather than the traditional notion of achieving a static state of cybersecurity,” encouraged Lara Sevener, a partner and co-leader of the firm’s Technology Industry Team. “As security threats are constantly evolving, focusing on a culture of cyber resilience – in which organizations implement a holistic approach that includes anticipation of cyber threats likely to occur, implementation and continuous improvement of security practices and defenses, and a strong focus on business continuity in the wake of an attack – will help to minimize the disruption and negative impacts caused by any future cyber event.”
Top Industry Commentary
“Cybersecurity is one of the most significant risks facing the banking industry in today’s electronic environment. Banks are focused on preventing and managing this risk, but cyber threats continue to evolve. The 2024 Jones Walker Cybersecurity Survey is a meaningful resource showing ways the surveyed banks are currently managing cybersecurity risk. Bankers can compare their practices with the survey results to identify possible changes or to confirm that they are in step with the industry,” said David Boneneo, general counsel to the Louisiana Bankers Association.
“As we navigate an increasingly complex digital landscape, community and mid-size banks are making valuable strides, yet the journey toward true cyber resilience requires further investment in preventive strategies, vendor management, and external expertise,” said Granville Tate, Jr., executive vice president and chief administrative officer of Trustmark National Bank.
Best Practices
Based on the findings, the report urges banks to:
Enhance Focus on Prevention and Preparedness: Shift from reactive compliance to proactive measures, including regular training, testing, and updating of cybersecurity policies.
Increase Oversight of Third-Party Vendors: Conduct thorough due diligence, enforce robust contractual terms, and hold vendors accountable for security obligations.
Leverage Outside Legal Counsel: Engage experienced cybersecurity attorneys and consultants to mitigate regulatory and legal risks and improve breach response.
Adopt Emerging Technologies: Embrace AI and other advanced technologies to enhance cybersecurity defenses and stay competitive.
Given community and mid-size banks’ unique position at the center of local and regional economies and the trillions of dollars in assets and loans they collectively manage, they are a prime target for threat actors. We commend the strides the sector has taken so far and urge stakeholders to bolster their cyber readiness to further improve their banks’ defenses.
The 2024 Community and Mid-Size Banks Cybersecurity Survey is part of Jones Walker’s ongoing commitment to provide valuable insights into cybersecurity trends across critical industries.
About Jones Walker
Jones Walker LLP (joneswalker.com) is among the largest 145 law firms in the United States. With offices in Alabama, Arizona, the District of Columbia, Florida, Georgia, Louisiana, Mississippi, New York, and Texas, we serve local, regional, national, and international business interests. The firm is committed to providing a comprehensive range of legal services to major multinational public and private corporations, Fortune® 500 companies, money center banks, worldwide insurers, and emerging companies doing business in the United States and abroad.
All of the sources quoted in this news release are available for interviews and private briefings. Please follow a discussion about our 2024 Community and Mid-Size Banks Cybersecurity Survey on LinkedIn: #JonesWalkerCyberSurvey.