2025 Pub. 14 Issue 4
The Community Banker

Your Board’s CYBERSECURITY OVERSIGHT Probably Isn’t Good Enough
BY STEVE SANDERS
Chief Risk Officer and Chief Information Security Officer, CSI

Most bank boards struggle with cybersecurity oversight because they don’t know what questions to ask, how to interpret the answers or whether their security measures are working. Directors may approve cybersecurity budgets without understanding whether those investments actually reduce risk, or they may review incident reports without grasping whether response times meet industry standards. They can describe their cybersecurity framework but often can’t explain what their institution does with the results. The challenge is compounded when cybersecurity is presented as a jargon-filled IT issue rather than the business-critical risk it represents, creating a dangerous gap between regulatory expectations and board-level understanding that leaves institutions vulnerable — not just to cyber threats, but also to regulatory scrutiny.

Whether you’re a director seeking to understand what your institution’s NIST Cybersecurity Framework (CSF) or ISO framework results really mean for your risk profile, or an executive preparing risk dashboards, security briefings and incident reports for your board, what you need are practical approaches that close the cybersecurity literacy gap. Board cybersecurity literacy doesn’t mean directors must become technical experts. However, it does require structured questioning, transparent reporting that translates technical risks into business impact and honest assessment of organizational maturity.

THE UNCOMFORTABLE TRUTH ABOUT BOARD CYBERSECURITY LITERACY

Here’s what I’ve observed after years of working with bank boards: Most of them generally don’t meet expectations when it comes to cybersecurity oversight. That’s not an indictment of their dedication or intelligence; it’s simply recognition that cybersecurity has evolved faster than board education. Many directors can tell you which framework their institution uses — whether it’s the NIST CSF, ISO standards or something else. But when you dig deeper and ask what they’re doing with that framework, you often get blank stares. Completing an assessment means nothing if you can’t articulate what you learned from it and what you’re doing to improve. The critical question isn’t “Did we complete our assessment?” Instead, it’s “What have we done with the results?”

THE FRAMEWORK TRANSITION CHALLENGE

The Aug. 31, 2025, sunset of the FFIEC Cybersecurity Assessment Tool (CAT) has forced smaller institutions to adopt more complex frameworks. The leap isn’t incremental — it’s substantial. But the transition is long overdue; many mature organizations should have already moved beyond the CAT’s simplified approach to adopt more comprehensive frameworks.

The CAT provided a simple rating system that scored your cybersecurity maturity from one to five across different domains, including cyber risk management, controls and threat intelligence. The NIST CSF requires significantly more work, including comprehensive risk assessments across five core functions, detailed control documentation and ongoing measurement of outcomes rather than simple numerical ratings. That makes it less user-friendly for small banks, but risk assessment should never be contingent on how easy it is to complete.

Community banks also face a severe shortage of qualified cybersecurity professionals. This isn’t just an inconvenience; it’s a fundamental challenge that boards must address strategically. Smaller organizations may need to invest in external expertise to complete assessments. That’s not a sign of weakness. It’s recognition that resource constraints make professional oversight frameworks even more critical.

Knowledge gaps among bank boards are prominent. A director once told me their institution scored
