Cybersecurity
Banks have long been considered the gold standard of cybersecurity and information-sharing. The industry abides by more stringent data security privacy protection standards than many other industries and has developed sophisticated systems to detect, prevent and respond to cyber threats. Some of the requirements include:
- The Gramm-Leach-Bliley Act;
- FFIEC IT Examination Handbook;
- The Fair Credit Reporting Act;
- The Right to Financial Privacy Act; and
- State and International Data Security and Privacy Laws.
Despite these safeguards and significant investments from industry, cyberattacks are growing in scale and sophistication, driven by complex criminal networks and hostile nation-states. As a result, cyberthreats are a top concern among bank leadership, regulatory agencies and other sectors of the economy.
Safeguarding America’s financial system demands proactive action to mitigate cyber threats, streamline regulatory reporting requirements and reauthorize important laws that encourage and protect threat-intelligence sharing.
Cybersecurity in Banking
Mitigate threats and improve security practices to better protect sensitive financial data.
Banks are investing in innovative new solutions and best practices to combat emerging threats, but they can’t do it alone. It’s incumbent upon regulators to hold banks and nonbanks to consistent standards and to keep data safe once it leaves the bank, as any weak link in that process creates targets for bad actors.
Streamline and align overlapping and duplicative regulatory reporting requirements.
Banks today face more than 10 distinct incident reporting requirements, many of which impose conflicting timelines and definitions. This patchwork drains resources from frontline cyber defense and forces firms to prioritize compliance paperwork over real-time resilience. Bank CISOs report spending 30–50% of their time on compliance and examiner management, and their teams spend nearly 70% of their hours on compliance tasks rather than on defense. Congress and regulators should work together to harmonize standards and eliminate duplication so institutions can focus on defending against actual threats.
Financial Trades Urge SEC to Rescind Cyber Rule That Endangers Victims and Undermines Investor Protection
BPI Statement Before House Subcommittee on Streamlining Duplicative Cybersecurity Regulations
Preserve the liability & antitrust protections to encourage threat-intelligence sharing.
Ten years ago, Congress enacted the Cybersecurity Information Sharing Act of 2015 to help fortify our collective cyber defenses by removing legal barriers and incentivizing cyber threat information sharing. Because these protections were not renewed before yesterday’s deadline, cyber defenders must now confront sophisticated cyber adversaries without a key resource to better understand the tactics and techniques used to attack critical infrastructure and the sensitive data maintained by those entities.
Although the deadline has passed, there is still time. If Congress acts quickly, it can reauthorize CISA and restore the protections that strengthen our collective defense against cyberattacks. Without swift reauthorization, defenders are left to confront a 520% increase in phishing and ransomware attacks without one of their most effective tools for information sharing.
By the Numbers
$350M+
Estimated true annual ransomware losses in the U.S. (FBI, 2020).
109%
Increase in targeted intrusions to the financial services industry in 2024 (CrowdStrike 2024 Report).
10
The number of distinct cyber incident reporting requirements applicable to financial institutions (Congressional Testimony, 2025).
70%
Share of cybersecurity team time consumed by compliance functions (BPI Survey, 2022).
30-50%
Time that Chief Information Security Officers at banks spend on compliance and examiner management, diverting focus from actual security (BPI Survey, 2022).
100+
Regulator information requests before an exam, plus 75–100 more during the exam (BPI Survey, 2022).
Cyber Incident Reporting Requirements & Notification Timelines for Financial Institutions
Information Sharing & Collaboration Initiatives
Financial Services Information Sharing and Analysis Center (FS-ISAC):
FS-ISAC is a not-for-profit cybersecurity intelligence sharing organization representing approximately 4,600 US financial institutions covering banks, credit unions, insurance companies, asset managers and payment processors, as well as financial market infrastructure such as stock exchanges.
Analysis and Resilience Center for Systemic Risk (ARC):
The Analysis and Resilience Center for Systemic Risk (ARC) is a non-profit, cross-sector organization designed to mitigate systemic risk to the nation’s most critical infrastructure from existing and emerging threats. Its members are owners and operators of federally designated critical infrastructure that underpin economic and national security.
Financial Services Sector Coordinating Council (FSSCC):
The FSSCC coordinates across the financial sector to enhance security and resiliency and to collaborate with government partners such as the U.S. Treasury and the Cybersecurity and Infrastructure Security Agency, as well as financial regulatory agencies.
National Cyber-Forensics and Training Alliance (NCFTA):
The National Cyber-Forensics and Training Alliance (NCFTA) is a nonprofit partnership between industry, government, and academia established for the sole purpose of providing a neutral, trusted environment that enables two-way collaboration and cooperation to identify, mitigate, and disrupt cybercrime. The NCFTA operates in a concerted effort with partners by sharing real-time information and working as an early-warning system to pass information quickly to its members.
Cyber Risk Institute (CRI) Profile:
The Cyber Risk Institute Profile is a standardization tool to improve the security and resiliency of the financial services industry. It is based on the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity.”