Four ways banks can cut cyber risk beyond compliance

Fredrik Forslund is VP and GM, International at Blancco, a provider of data sanitization and device diagnostics solutions.

U.S. businesses often have to navigate the ebb and flow of industry regulation and government oversight. Recently, federal policy has been shifting away from intervention across a variety of sectors. These changes range from efforts to roll back certain vehicle greenhouse-gas emissions standards to last year’s Executive Order 14179, which reduced certain regulatory AI development barriers to prioritize American competitiveness. 

The financial sector is also experiencing similar shifts. For example, the U.S. Federal Reserve is expected to lower requirements for capital (funds they need to cover risky assets) for the biggest banks by 4.8%, marking one of the most significant changes to bank restrictions since the 2008 financial crisis. 

Changing regulations may alter how banks demonstrate security, but they do not change the threats they face. As oversight evolves, financial institutions need to focus on reducing real-world risk rather than simply checking compliance boxes.

 Also signaling a step away from prescriptive industry guidance is last year’s retirement of the FFIEC Cybersecurity Assessment Tool (CAT), a banking-specific assessment used to evaluate cybersecurity risk and preparedness for regulatory and examiner purposes. The Federal Financial Institutions Examination Council stated it would not update the CAT to align with newer industry-specific frameworks and instead encouraged banks to adopt broader cybersecurity standards and guidelines such as NIST Cybersecurity Framework 2.0 (CSF 2.0).

As regulatory expectations evolve, banks can reduce cyber risk by focusing on four priorities.

1. Treat compliance as the starting point, not the strategy

Even when regulations, oversight and related tools, are at their most prescriptive levels, compliance with them does not guarantee security. Relaxation of data security oversight adds flexibility, but it also affects industry standardization at a time when threats are evolving and growing more complex. The financial services sector faces many threats, including AI-powered deepfakes, mobile banking trojans, and ransomware-as-a-service platforms. These attacks continue to grow in sophistication, regardless of regulatory status. 

The cost of every breach rises with the volume and sensitivity of exposed or stolen data, which may include personally identifiable information (PII) or financial records. If a cyberattack or data leak occurs, financial services organizations face the potential for regulatory fines, litigation, and the high price of customer notification and remediation.

There are also many downstream impacts of a data breach, including reputational harm. The dramatic increase in data acquisition means there's more to protect and properly manage. It’s hard for a bank to justify the breach of data that they should have erased long ago to customers, regulators, and the market. The fallout from data security missteps and breaches can have far-reaching effects, including the erosion of public trust and damaged reputation. 

2. Treat third parties as part of your attack surface

Regulatory compliance doesn't eliminate every risk. In fact, bad actors are increasingly targeting bank partners as a “back door” to breach and steal data from banks and their customers. 

For instance, the August 2025 cyberattack on Marquis, which provides marketing and compliance services to more than 700 financial institutions nationwide, is just one example of a back door vulnerability. According to legal filings, attackers accessed Marquis’s systems by exploiting an unpatched firewall vulnerability, allowing unauthorized access to data of 400,000 bank and credit union customers across the United States. 

When banks or other financial entities extend their operations through third-party providers, those partners effectively become part of the institution’s risk surface. This is why financial services technology partners must be held to a higher standard.

As banks expand their reliance on third-party providers, they also cannot assume outside resources alone will be enough to manage emerging threats. For example, there is a proposed 73% reduction at the Cybersecurity & Infrastructure Security Agency’s (CISA's) National Risk Management Center. This government body not only analyzes and predicts threats to national infrastructure but also identifies cross-industry risks that may impact financial systems and institutions. For larger financial institutions with established security teams and effective threat intelligence systems, there may be limited fallout. That’s not the case for smaller community banks and credit unions that don’t have sufficient security budgets and that depend on CISA's free resources, assessments, and advisories.

3. Follow security frameworks, even when regulators do not require them

For financial institutions and their technology partners, reducing cyber risk requires continuous risk management, regardless of how compliance requirements evolve. This includes data protection at every stage of the data lifecycle (including timely sanitization to eliminate excess data), honest assessment of third-party risk, and security investments driven by threat intelligence. 

Regardless of fluctuations with compliance requirements, financial services organizations and their partners should consistently adhere to data protection standards, attestations, and frameworks. Many banks require their partners to provide evidence of at least one or more recognized security assurance framework, but the specific frameworks and certifications vary. 

One such security assurance is through SOC 2 – an American Institute of Certified Public Accountants (AICPA) auditing framework that evaluates a service organization’s ability to securely manage and protect customer data. Another is the abovementioned NIST CSF 2.0 framework, and a third is the globally recognized Information Security Management Systems standard, ISO 27001. 

All three frameworks include guidance on third-party and supply chain risk management, which is especially relevant given banks' reliance on fintechs, cloud providers, and other technology partners. Regardless of the vulnerability, financial institutions generally remain accountable for managing risks associated with customer and business data, including when that data is processed, stored, or transmitted by third-party providers. 

4. Minimize the data you keep

A careful approach to data protection entails strict data minimization and sanitization processes to eradicate data no longer required to be kept. Not only does this shrink the data attack surface, but it also reduces liability in case a breach does occur. Data sanitization is where the data lifecycle ends, and doing it poorly undermines every security investment made earlier in that lifecycle. 

 Standards specifically focused on media sanitization and data disposal guidance include NIST SP 800-88 and IEEE 2883. These standards include best practices for eliminating data that is no longer necessary to keep (including if it is past the legal retention period) or data that needs to be transferred to other equipment during decommissioning. 

For instance, financial services organizations and their partners should use auditable data sanitization processes to ensure that hard drives and SSDs pulled from servers or ATMs don’t pose a vulnerability, and that, whenever possible, they are sanitized before disconnecting from the host network, removing data before storage or transport.  

Compliance is the baseline, but security is the goal

Today’s financial institutions face far more challenges than just adapting to changing regulations and evolving federal oversight. The threat environment continues to escalate, requiring banks to remain continually diligent and include high security standards for partners and vendors. Following industry frameworks and complying with banking and data privacy regulations is critical; however, it does not guarantee organizations will be safe from risk and liability. 

Financial institutions must ensure sensitive customer account data remain not only compliant but also secure. When it comes to customer data, organizations cannot outsource accountability.