ABA Banking Journal
No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
SUBSCRIBE
ABA Banking Journal
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
No Result
View All Result
No Result
View All Result
Home Cybersecurity

Creating a cyber-aware risk culture requires teamwork

Six key elements for a banking industry facing increasingly sophisticated threats from a wide variety of adversaries

February 2, 2026
Reading Time: 5 mins read

By John Carlson and Joshua Hubbard

Connect with colleagues and key leaders from across the banking industry at the ABA Risk and Compliance Conference, May 5-7 in Charlotte. Register here.

As cyber risks continue to evolve, it is critical for banks to create a cyber-aware risk culture. Developing a cyber-aware risk culture means more than just awareness. It is about embedding risk controls and monitoring across every business line and senior executive support.

In June 2025 during the ABA Risk and Compliance Conference, industry experts discussed the following key elements for creating a cyber-aware risk culture [1]:

  • Understanding key cyber threats
  • Defining and developing a cyber aware risk culture and setting the tone at the top
  • Using risk assessment and control frameworks that measure risks and assesses effectiveness of controls while also fostering innovation
  • Focusing on continuous improvement and accountability through exercises
  • Evolving security awareness and training programs
  • Making third-party risk management a top priority

Understanding key cyber threats

The financial sector faces increasingly sophisticated threats from a wide variety of adversaries including organized criminal enterprises, hostile nation states which notably include Russia, China, Iran, and even trusted insiders, thereby increasing the scale and magnitude of impact to business operations. Attacks include breaches leading to the theft of sensitive information and often with a demand to pay a ransom to return the stolen and unencrypted data. There’s also a pernicious and persistent assault of generative AI-enabled deep-fake videos and phone calls and well-crafted phishing emails designed to defraud customers.

Defining and developing a cyber aware risk culture and setting the tone at the top 

“Cyber-aware risk culture” can be defined as an organizational mindset that prioritizes cybersecurity across all levels and functions. It involves embedding cybersecurity principles into daily operations, decision-making processes, and employee behaviors to proactively manage and mitigate cyber risk. Cyber-aware risk culture can be metaphorically described as NASCAR, where every team member, from the driver to the pit crew, to engineers, mechanics and owners, plays a crucial role in the success of the race, every individual in our organizations must contribute to our cyber resilience efforts.

The much harder task is operationalizing a cyber-aware risk culture in a sustainable way. This is where senior leadership and teamwork is essential.  It’s critical to secure CEO and board level support with clear risk appetite, key risk indicators and incident response planning. Building on the metaphor of a race team, you don’t just put any driver in the car and say ‘go.’ Every member plays a crucial role in winning the race, and similarly, collaboration and building frameworks for identifying risks are critical initial steps for developing a robust cyber culture. However, the challenge lies in moving faster and becoming more agile in identifying and mitigating these risks.

To do so, collaboration and building frameworks for identifying risks are critical steps for laying the foundation for a robust cyber culture. One of the most significant challenges is overcoming the misconception that cyber risk is solely an IT issue, and not an organization/business issue. This misguided mindset can lead to a lack of ownership and engagement from other departments, thereby diminishing the organization’s overall resilience. In today’s interconnected world, cyber resilience is not just an IT issue; it’s everyone’s responsibility.

Just as the financial services sector has matured “compliance and risk management culture,”it is time to mature cyber-aware risk cultures. It’s about integrating key risk indicators, defining risk appetite, and implementing effective challenge frameworks appropriated proportionately to the size and scope of an institution’s strategic goals and risks.

Leaders should ask themselves several key questions:

  • What steps have you taken to ensure that every department and employee understands and takes ownership of cyber risks?
  • What role does targeted training play in ensuring that both internal teams and external partners adhere to a bank’s risk culture?
  • How do to embrace innovation and cybersecurity?

Using risk assessment and control frameworks that measure risks and assess effectiveness of controls while also fostering innovation

Last year, the Federal Financial Institutions Examination Council (FFIEC) sunset the Cybersecurity Assessment Tool and pointed banks to several public and private sector developed frameworks, including Cyber Risk Institute’s Profile, NIST’s Cybersecurity Framework 2.0, CISA’s Cybersecurity Performance Goals and Sector-Specific Goals and Center for Internet Security Controls. (See this April 2025 article on sunsetting the FFEIC CAT: https://bankingjournal.aba.com/2025/04/the-nine-lives-of-the-ffiec-cyber-assessment-tool/). Banks have chosen and adopted such public and private sector frameworks that work best for their institutions with features that can create metrics and measure maturity.

Focusing on continuous improvement and accountability through exercises

Cyber exercises are an important tool for educating employees and developing stronger teams. As discussed in other articles (see https://bankingjournal.aba.com/2024/03/gather-around-the-table/  and https://bankingjournal.aba.com/2025/06/key-questions-and-decisions-bankers-face-in-response-to-ransomware-attacks/), tabletop exercises provide forums to discuss roles and responsibilities and to discover gaps that need to be filled. The value of these tabletop exercises include:

  • Raising internal awareness of cybersecurity issues
  • Gaining participation outside of the IT department
  • Achieving continual improvement of the institution’s incident readiness and response.
  • Verifying that the appropriate teams know their roles in case of a real incident
  • Improving communication and coordination among internal and external teams
  • Demonstrating to management and the board that a plan is in place, staff members know how to execute it, and when to escalate
  • Complying with regulatory requirements

Evolving security awareness and training programs

A mainstay of creating a security aware culture is security awareness and training programs.  It is important to refresh, adapt to evolving risks and incentivize positive behavior. The training programs should not be limited to just onboarding new employees or annual refresher courses but should include programs such as training and testing employees (from the CEO to the intern) to avoid clicking on suspicious emails and educating employees on how adversaries (from fraudsters to hostile nation state actors) are targeting banks and their third-party providers.  Cybersecurity awareness programs must be an enterprise-wide initiative.

Making third-party risk management a top priority

Finally, it’s critical that banks evolve their third-party risk management programs. Increasingly, adversaries target third party providers, which means banks need to step up the due diligence process and ongoing oversight of critical third-party providers.

Conclusion

As the financial sector continues to face an increasingly complex and fast-moving cyber threat landscape, a cyber aware risk culture has become a fundamental requirement rather than an aspirational goal. Establishing this culture demands visible leadership, consistent reinforcement and cross-functional participation. When banks align governance frameworks, strengthen third party oversight, and tailor training to their highest risk roles, cybersecurity becomes part of everyday decision making — not an isolated IT function. This shared responsibility is essential for protecting customer trust and maintaining operational resilience.

Entering 2026, the threat environment has evolved even more rapidly than anticipated after the June 2025 session. Artificial intelligence now plays a central role in both attack strategies and defensive measures, enabling adversaries to bypass traditional technical barriers by using legitimate identities instead of exploiting software flaws.

At the same time, AI is fueling more adaptive and hyper personalized fraud attempts, including deepfake based social engineering that closely mimics trusted communications. These developments shift the challenge from simply building a cyber aware culture to continually advancing it — moving beyond annual compliance training toward AI literacy, real time behavioral monitoring, and adaptive training that strengthens the “weakest link,” whether internal staff or external customers who interact with sensitive channels. By embedding adaptive controls into daily workflows and equipping both staff and customers to recognize AI generated fraud, institutions can ensure the cultural foundations built in 2025 remain resilient and responsive to the realities of 2026’s rapidly shifting cyber landscape.

John Carlson is SVP, cybersecurity regulation and resilience at ABA. Joshua Hubbard is program manager, cybersecurity at ABA.

[1] Panel members included Krysti Cunningham (SVP, chief risk officer, Security National Bank of Omaha), Shayna Arrington (chief risk officer, Servbank), Matt Henderson (SVP and chief information security officer, Capital City Bank), Charles Corbezzolo (SVP, business management and governance, TD Bank) and John Carlson (SVP, cybersecurity regulation and resilience, ABA).

Tags: FraudRisk management
ShareTweetPin

Related Posts

New task force to tackle financial fraud, scams

Survey finds most U.S. adults were scammed in 2025

Compliance and Risk
July 8, 2026

More than two in three adults report they were personally scammed last year, with those scams costing an estimated $68 billion, or four times what was reported to federal authorities, according to a new survey by the Stop...

Banking young athletes in a new age

Banking young athletes in a new age

Retail and Marketing
July 8, 2026

For some banks, the value extends beyond new accounts to greater brand recognition and community connections.

ABA, BPI support proposed process to create drone no-fly zones

ABA, BPI support proposed process to create drone no-fly zones

Cybersecurity
July 7, 2026

In a joint letter to the FAA, ABA and BPI said that unauthorized unmanned aircraft activity near financial institution sites can create “obvious and legitimate risk” to physical security as well as cybersecurity, as the technology can be...

How to Talk About Your Bank’s Fintech Collaborations

The trust dividend

Technology
July 7, 2026

How regulatory and consumer expectations are shifting how partner banks compete for fintech deposits.

Banks’ private-credit conundrum

CRM and marketing automation remain core to modern bank marketing

Retail and Marketing
July 7, 2026

The increasing influence of marketing analytics and data platforms highlights the trend of turning customer data into actionable insights.

Survey: Most high school students want to know more about financial management

America at 250: How banks have powered opportunity – and will shape what comes next

Community Banking
July 6, 2026

In the months ahead, the ABA Foundation will work closely with banks to support more Americans on their path to wealth-building.

NEWSBYTES

Survey finds most U.S. adults were scammed in 2025

July 8, 2026

ABA urges lawmakers to restore limited NOL carryback option

July 8, 2026

Consumer credit was unchanged in May

July 8, 2026

SPONSORED CONTENT

Why Your Systems Keep Slowing Down — and What to Do About It

Examiners Are Now Looking at Your Non-Core Systems

June 11, 2026
Your Floorplan Audit and Your Credit Decision Are Weeks Apart. That Gap Has a Price.

Your Floorplan Audit and Your Credit Decision Are Weeks Apart. That Gap Has a Price.

June 1, 2026
A Modern Blueprint for Serving High-Net-Worth Families

A Modern Blueprint for Serving High-Net-Worth Families

May 28, 2026
Why Your Systems Keep Slowing Down — and What to Do About It

AI Is in Your Bank. Is Your Cloud Contract Governing It?

May 20, 2026

PODCASTS

Podcast: Understanding the 2025 Home Mortgage Disclosure Act data

July 8, 2026

Podcast: Financing America’s independence

June 29, 2026

Podcast: Talent and innovation in community banking

June 18, 2026

American Bankers Association
1333 New Hampshire Ave NW
Washington, DC 20036
1-800-BANKERS (800-226-5377)
www.aba.com
About ABA
Privacy Policy
Contact ABA

ABA Banking Journal
About ABA Banking Journal
Media Kit
Advertising
Subscribe

© 2026 American Bankers Association. All rights reserved.

No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive

© 2026 American Bankers Association. All rights reserved.