Cyber criminals will never stop trying, so community banks need to ensure that their cybersecurity practices are up to date. But who in the bank is responsible for this task? The Cyber Security Toolkit offers clarity.

ICBA and other organizations partnered with the Carnegie Endowment for International Peace to update the Cyber Resilience and Financial Organizations: A Capacity-building Tool Box, resulting in the comprehensive Cyber Security Toolkit.

“[The toolkit] offers guides to help in various aspects of the cybersecurity program, ranging from leadership to workforce development and everything in between,” says Lance Noggle, ICBA’s senior vice president, operations and senior regulatory counsel.

“It’s not designed to help you redo your entire cybersecurity program,” he adds. “It can help you manage the program that you have in place, analyze what you’re doing and maybe spot some holes that you think might be there.”

The toolkit includes advice especially pertinent to small- and mid-sized banks, or banks looking to improve their cyber hygiene in general.

“No matter how robust the program is, you need to have some sort of way to review and process and implement ways to keep your system up to date,” Noggle says.

Different roles, different responsibilities

The responsibilities for protecting a bank and its customers from cyber threats will differ among board members, CEOs and CISOs. The toolkit offers different checklists and guides for each of these groups.

Board members: This group carries ultimate responsibility for cybersecurity preparedness and response. To keep board members abreast of new best practices, the guide offers guidance on:

  • Fundamentals of cyber risk governance: A series of questions to ensure your bank is meeting cybersecurity requirements and is prepared in case of a breach

  • Oversight: Information on what cybersecurity aspects fall under the responsibility of the board

  • Staying informed: Advice on how to keep current on cyber risk

  • Setting the tone: How to create a culture where your staff members know how to best protect the bank

CEOs: As organizational leaders, this group sets the rules and provides leadership for the rest of the bank. The toolkit offers guidance on the following topics:

  • Governance

  • Risk assessment and management

  • Organizational culture

CISOs: As the staff members who handle technology and cybersecurity day to day, this group is responsible for a number of tasks, including:

  • Preventing malware damage

  • Training employees

  • Developing a risk-based information security system

  • Protecting data

  • Keeping devices safe

  • Using passwords properly

  • Controlling permissions

  • Securing Wi-Fi networks and devices

  • Avoiding phishing attacks

The toolkit also includes checklists on how CISOs can best protect their bank’s customers as well as its third-party connections.

Further protection

In addition to the position-specific checklists, the toolkit includes three one-page guides.

Incident Response Guide: Having a plan in place before a cyber breach occurs is vital for any financial institution. This guide walks through best practices for responding to an incident, organized around the five core functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond and Recover.

Ransomware: Prevention and Protection: Cyber criminals keep finding new ways to deliver ransomware and other malware, including phishing emails, fake websites and malicious downloads. This guide covers planning, helpful technology and information on regulations.

Workforce Development: As many banks can attest, it can be difficult to attract and retain top cyber talent. By following the advice in this worksheet, banks can learn how to improve their recruitment and talent cultivation practices.

Peace of mind

By using the toolkit, community banks can keep up with current cybersecurity practices and protect both their customers and themselves.

“Even though your regulators come and check and examine the financial institution, you’re always worried that there’s something you’re not doing,” Noggle says. “And I think that’s what’s good about a checklist. You can match it up to what you’re doing, and it can give you some peace of mind that you’re not missing some major requirements.”

Scanning for vulnerabilities

To strengthen your community bank’s cybersecurity practices even further, Lance Noggle, ICBA’s senior vice president, operations and senior regulatory counsel, recommends the Cybersecurity and Infrastructure Security Agency’s (CISA) free Vulnerability Scanning service.

“It’ll scan your system on a weekly basis for vulnerabilities,” he says, “so it’s really good for smaller institutions that might not do testing as much as a large institution.”

The service is free. It identifies your organization’s internet-facing systems that should be scanned, checks them for known vulnerabilities on an ongoing basis and reports findings with recommendations for remediation. Because it scans from the outside, it covers only internet-accessible assets; it complements, rather than replaces, internal vulnerability scanning and penetration testing.

For more information, go to cisa.gov