ABA Banking Journal

Creating a cyber-aware risk culture requires teamwork

Six key elements for a banking industry facing increasingly sophisticated threats from a wide variety of adversaries

February 2, 2026

By John Carlson and Joshua Hubbard

As cyber risks continue to evolve, it is critical for banks to create a cyber-aware risk culture. Developing a cyber-aware risk culture means more than just awareness. It is about embedding risk controls and monitoring across every business line, with senior executive support.

In June 2025 during the ABA Risk and Compliance Conference, industry experts discussed the following key elements for creating a cyber-aware risk culture [1]:

  • Understanding key cyber threats
  • Defining and developing a cyber-aware risk culture and setting the tone at the top
  • Using risk assessment and control frameworks that measure risks and assess the effectiveness of controls while also fostering innovation
  • Focusing on continuous improvement and accountability through exercises
  • Evolving security awareness and training programs
  • Making third-party risk management a top priority

Understanding key cyber threats

The financial sector faces increasingly sophisticated threats from a wide variety of adversaries, including organized criminal enterprises, hostile nation states (notably Russia, China and Iran) and even trusted insiders, thereby increasing the scale and magnitude of impact to business operations. Attacks include breaches leading to the theft of sensitive information, often with a demand to pay a ransom to return the stolen and unencrypted data. There’s also a pernicious and persistent assault of generative AI-enabled deepfake videos and phone calls and well-crafted phishing emails designed to defraud customers.

Defining and developing a cyber-aware risk culture and setting the tone at the top

“Cyber-aware risk culture” can be defined as an organizational mindset that prioritizes cybersecurity across all levels and functions. It involves embedding cybersecurity principles into daily operations, decision-making processes, and employee behaviors to proactively manage and mitigate cyber risk. A cyber-aware risk culture can be compared to NASCAR: just as every team member, from the driver to the pit crew to engineers, mechanics and owners, plays a crucial role in the success of the race, every individual in our organizations must contribute to our cyber resilience efforts.

The much harder task is operationalizing a cyber-aware risk culture in a sustainable way. This is where senior leadership and teamwork are essential. It’s critical to secure CEO- and board-level support with a clear risk appetite, key risk indicators and incident response planning. Building on the metaphor of a race team, you don’t just put any driver in the car and say ‘go.’ Every member plays a crucial role in winning the race, and similarly, collaboration and building frameworks for identifying risks are critical initial steps for developing a robust cyber culture. However, the challenge lies in moving faster and becoming more agile in identifying and mitigating these risks.

To do so, collaboration and building frameworks for identifying risks are critical steps for laying the foundation for a robust cyber culture. One of the most significant challenges is overcoming the misconception that cyber risk is solely an IT issue, and not an organization/business issue. This misguided mindset can lead to a lack of ownership and engagement from other departments, thereby diminishing the organization’s overall resilience. In today’s interconnected world, cyber resilience is not just an IT issue; it’s everyone’s responsibility.

Just as the financial services sector has matured “compliance and risk management culture,” it is time to mature cyber-aware risk cultures. It’s about integrating key risk indicators, defining risk appetite, and implementing effective challenge frameworks proportionate to the size and scope of an institution’s strategic goals and risks.

Leaders should ask themselves several key questions:

  • What steps have you taken to ensure that every department and employee understands and takes ownership of cyber risks?
  • What role does targeted training play in ensuring that both internal teams and external partners adhere to a bank’s risk culture?
  • How do you embrace innovation and cybersecurity?

Using risk assessment and control frameworks that measure risks and assess effectiveness of controls while also fostering innovation

Last year, the Federal Financial Institutions Examination Council (FFIEC) sunset the Cybersecurity Assessment Tool and pointed banks to several frameworks developed by the public and private sectors, including Cyber Risk Institute’s Profile, NIST’s Cybersecurity Framework 2.0, CISA’s Cybersecurity Performance Goals and Sector-Specific Goals, and Center for Internet Security Controls. (See this April 2025 article on sunsetting the FFIEC CAT: https://bankingjournal.aba.com/2025/04/the-nine-lives-of-the-ffiec-cyber-assessment-tool/). Banks have chosen and adopted the public and private sector frameworks that work best for their institutions, with features that can create metrics and measure maturity.

Focusing on continuous improvement and accountability through exercises

Cyber exercises are an important tool for educating employees and developing stronger teams. As discussed in other articles (see https://bankingjournal.aba.com/2024/03/gather-around-the-table/ and https://bankingjournal.aba.com/2025/06/key-questions-and-decisions-bankers-face-in-response-to-ransomware-attacks/), tabletop exercises provide forums to discuss roles and responsibilities and to discover gaps that need to be filled. The value of these tabletop exercises includes:

  • Raising internal awareness of cybersecurity issues
  • Gaining participation outside of the IT department
  • Achieving continual improvement of the institution’s incident readiness and response
  • Verifying that the appropriate teams know their roles in case of a real incident
  • Improving communication and coordination among internal and external teams
  • Demonstrating to management and the board that a plan is in place, staff members know how to execute it, and when to escalate
  • Complying with regulatory requirements

Evolving security awareness and training programs

A mainstay of creating a security-aware culture is security awareness and training programs. It is important to refresh these programs, adapt them to evolving risks and incentivize positive behavior. The training programs should not be limited to onboarding new employees or annual refresher courses; they should also include training and testing employees (from the CEO to the intern) to avoid clicking on suspicious emails, and educating employees on how adversaries (from fraudsters to hostile nation state actors) are targeting banks and their third-party providers. Cybersecurity awareness programs must be an enterprise-wide initiative.

Making third-party risk management a top priority

Finally, it’s critical that banks evolve their third-party risk management programs. Increasingly, adversaries target third-party providers, which means banks need to step up the due diligence process and ongoing oversight of critical third-party providers.

Conclusion

As the financial sector continues to face an increasingly complex and fast-moving cyber threat landscape, a cyber-aware risk culture has become a fundamental requirement rather than an aspirational goal. Establishing this culture demands visible leadership, consistent reinforcement and cross-functional participation. When banks align governance frameworks, strengthen third-party oversight, and tailor training to their highest-risk roles, cybersecurity becomes part of everyday decision making, not an isolated IT function. This shared responsibility is essential for protecting customer trust and maintaining operational resilience.

Entering 2026, the threat environment has evolved even more rapidly than anticipated after the June 2025 session. Artificial intelligence now plays a central role in both attack strategies and defensive measures, enabling adversaries to bypass traditional technical barriers by using legitimate identities instead of exploiting software flaws.

At the same time, AI is fueling more adaptive and hyper-personalized fraud attempts, including deepfake-based social engineering that closely mimics trusted communications. These developments shift the challenge from simply building a cyber-aware culture to continually advancing it: moving beyond annual compliance training toward AI literacy, real-time behavioral monitoring, and adaptive training that strengthens the “weakest link,” whether internal staff or external customers who interact with sensitive channels. By embedding adaptive controls into daily workflows and equipping both staff and customers to recognize AI-generated fraud, institutions can ensure the cultural foundations built in 2025 remain resilient and responsive to the realities of 2026’s rapidly shifting cyber landscape.

John Carlson is SVP, cybersecurity regulation and resilience at ABA. Joshua Hubbard is program manager, cybersecurity at ABA.

[1] Panel members included Krysti Cunningham (SVP, chief risk officer, Security National Bank of Omaha), Shayna Arrington (chief risk officer, Servbank), Matt Henderson (SVP and chief information security officer, Capital City Bank), Charles Corbezzolo (SVP, business management and governance, TD Bank) and John Carlson (SVP, cybersecurity regulation and resilience, ABA).

© 2026 American Bankers Association. All rights reserved.
