With a new administration coming in, 2025 promises to be a year of change. But will it significantly impact banking regulation and your bank’s cybersecurity? No one has a crystal ball, of course, but recent global outlooks for the banking industry seem to point to two conclusions:
- Banking regulation will likely loosen overall as our new president seeks to fulfill his campaign promise to lower government oversight of businesses.
- Banking cybersecurity regulation, however, is likely to tighten as the government seeks ways to strengthen national security in the money system.
Given this, banks will spend more money in 2025 to harden their cybersecurity defenses and mature their overall operations. Our recent report reveals this sentiment: 86% of the 1,000 bank executives we interviewed said they were increasing their IT budget by more than 10% next year.
Our director of security, Jeremy Pogue, has an excellent new blog on how banks are upping their cybersecurity game in 2025. For this article, however, I’d like to talk about how banks need to rethink their operations in advance of any new cybersecurity requirements. These subtle but essential shifts will help your institution reach a higher level of operational maturity.
Six Ways to Stay Ahead of Banking Regulation for Cybersecurity in 2025
#1—Tighten up your third-party vendor management
If the CrowdStrike outage taught us anything, it’s that third-party vendors have the power to upend your business without warning. A simple failed update to CrowdStrike’s cybersecurity platform managed to snarl business operations for hours or even days at some of America’s largest banks, including Chase, Bank of America, US Bank, and more, costing millions in lost transactions.
Many banks have agreements with vendors about what data they’ll have access to and the overall rules of engagement. But have you thought about:
- Written agreements in your procurement process that discuss access to data, your physical locations, and physical documents?
- Written protocols and statements of work that outline the vendor relationship for your employees and for your vendor?
- Automated tools that track compliance metrics for your vendors and monitor their performance?
- Incident response and disaster recovery plans that kick into action if your vendor suddenly goes offline? How would your systems back up and keep running if your vendor went dark?
Backing up operations around your third-party vendors could be an added expense that pays dividends over time.
#2—Rethink your data classification
As more banks experiment with AI platforms like Copilot for M365, or with data analysis tools, the need to classify levels of access to documents and data sets has become too important to ignore. Many countries worldwide are calling for businesses to tighten up classifications around their documents as a foil to nation-state hackers or undue influence from foreign governments. As cybersecurity rules tighten around data classification and you look to reclassify, ask yourself these questions:
- How vulnerable would we be if this document fell victim to malicious hacker activity?
- Would anyone who now has access to this document be able to exert undue influence over us or others with this information?
- Would foreign governments gain an advantage from having this information?
Let this be an additional consideration for your classification levels. Examine your protocols and get them in writing for your employees. Make document safety training a new and expanded part of your security awareness training.
#3—Tighten up your physical security
When did you last review the physical security protocols for your branches, office spaces, and physical file storage? Ask yourself:
- Who has access to these spaces? How do we vet them? Is it time to upgrade the way we monitor passwords and access?
- Can we eliminate the need for physical files? Can we improve the isolation and disposal of sensitive printed documents?
- Have we fully considered what climate risks might affect our branches and offices? Has the risk increased in our area, and how will that impact our protections? Is it time to expand our insurance to include flood coverage? Do we have emergency operations plans to cover a sudden hurricane, earthquake, tornado, or mudslide? Is our cyber risk insurance well positioned to cover our IT operations in these emergencies, or do we need to increase the size and scope of our policy?
Once you’ve answered these questions and upgraded your protocols and written procedures, arrange for a technical inspection of all your facilities each year to ensure adherence.
#4—Update Your Backup, Disaster Recovery, and Business Continuity Plan
If it’s been a year or two since you’ve reviewed your Disaster Recovery Procedures within your Business Continuity Plan (BCP), you might be overdue for an upgrade. Ask yourself:
- Have we had any growth or additional traffic that our BCP does not fully cover?
- Do we have secondary, offsite backups?
- How well do our current backup strategies cover our cloud services? Do we need an additional cloud backup service to protect our cloud platforms? We highly recommend one in case your cloud services go down.
- Is our BCP tuned to our current RTO (recovery time objective, the longest outage we can tolerate before systems must be restored) and RPO (recovery point objective, the most data we can afford to lose, measured as the time since the last usable backup)?
Answer these questions, and you’ll be well on your way to a freshly upgraded BCP for your bank. According to our survey, banks aren’t skimping on this. Most respondents listed cloud backup as a key investment area for them this year.
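To make the RTO/RPO questions above concrete, here is an added example (written for this article, not Integris’s own tooling or any real bank’s data) that checks a constructed backup-job history and restore-drill record against per-system RPO and RTO targets. The system names, policy values, timestamps and restore durations are all made up; the point is that an RPO is only met if a *successful* (and, for the offsite question, an *offsite*) backup is recent enough, and an RTO is only known once a restore has actually been timed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample policy (illustrative values, not any real bank's).
# RPO = most data loss we can tolerate, measured as time since the last good backup.
# RTO = longest outage we can tolerate, so a full restore must finish within it.
POLICY = {
    "core-ledger":    {"rpo": timedelta(minutes=15), "rto": timedelta(hours=1)},
    "online-banking": {"rpo": timedelta(hours=1),    "rto": timedelta(hours=4)},
    "hr-fileshare":   {"rpo": timedelta(hours=24),   "rto": timedelta(hours=48)},
}


@dataclass
class BackupEvent:
    system: str
    finished_at: datetime   # when the backup job completed (UTC)
    ok: bool                # whether the job succeeded
    offsite: bool           # whether the copy landed at a secondary, offsite location


@dataclass
class RestoreTest:
    system: str
    duration: timedelta     # measured wall-clock time of a full restore drill


def utc(s):
    """Parse a constructed ISO-8601 timestamp as an aware UTC datetime."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed backup-job history and restore drills (not real logs).
EVENTS = [
    BackupEvent("core-ledger",    utc("2025-01-15T11:30:00"), True,  True),
    BackupEvent("core-ledger",    utc("2025-01-15T11:50:00"), True,  False),  # local copy only
    BackupEvent("online-banking", utc("2025-01-15T09:00:00"), True,  True),
    BackupEvent("online-banking", utc("2025-01-15T10:30:00"), False, True),   # failed job
    BackupEvent("hr-fileshare",   utc("2025-01-14T20:00:00"), True,  True),
]
RESTORE_TESTS = [
    RestoreTest("core-ledger",    timedelta(minutes=45)),
    RestoreTest("online-banking", timedelta(hours=5)),
    # hr-fileshare has never had a restore drill on record
]


def last_good_backup(events, system, offsite_only=False):
    """Most recent successful backup for a system; optionally only offsite copies count."""
    good = [e.finished_at for e in events
            if e.system == system and e.ok and (e.offsite or not offsite_only)]
    return max(good) if good else None


def check_rpo(events, policy, now, offsite_only=False):
    """Return {system: 'ok' | 'stale' | 'no-backup'} against each system's RPO.
    'stale' means a failure right now would lose more data than the BCP allows."""
    result = {}
    for system, obj in policy.items():
        last = last_good_backup(events, system, offsite_only)
        if last is None:
            result[system] = "no-backup"
        elif now - last > obj["rpo"]:
            result[system] = "stale"
        else:
            result[system] = "ok"
    return result


def check_rto(tests, policy):
    """Return {system: 'ok' | 'too-slow' | 'untested'} against each system's RTO.
    A system with no timed restore is flagged rather than assumed to meet its RTO."""
    result = {}
    for system, obj in policy.items():
        timed = [t.duration for t in tests if t.system == system]
        if not timed:
            result[system] = "untested"
        elif max(timed) > obj["rto"]:
            result[system] = "too-slow"
        else:
            result[system] = "ok"
    return result


def findings(events, tests, policy, now):
    """Flatten the three checks into a list of systems that need attention."""
    out = []
    for system, status in check_rpo(events, policy, now).items():
        if status != "ok":
            out.append(f"{system}: RPO {status}")
    for system, status in check_rpo(events, policy, now, offsite_only=True).items():
        if status != "ok":
            out.append(f"{system}: offsite RPO {status}")
    for system, status in check_rto(tests, policy).items():
        if status != "ok":
            out.append(f"{system}: RTO {status}")
    return out


if __name__ == "__main__":
    for line in findings(EVENTS, RESTORE_TESTS, POLICY, utc("2025-01-15T12:00:00")):
        print(line)
```

Run as-is, it reports the online-banking RPO as stale (its last job failed, so the newest usable copy is three hours old), the core-ledger offsite RPO as stale (the fresh copy is local only), the online-banking restore as too slow for its RTO, and the HR file share as untested. Feeding it real job logs and drill results is the kind of evidence regulators ask for when they review a BCP.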
#5—Get Your AI Fair Usage Policies in Writing
If you don’t have an AI policy, you need one—even if you’re not currently adding AI tools to your software kits. You can’t afford to wait. New AI-driven tools and features are being added to familiar platforms like M365, and employees and customers are bringing AI-enabled phones and personal devices into your bank daily.
Banks have a lot to think about regarding AI, which we’ve discussed in this recent blog. But first and foremost, you need a clear, comprehensive written policy around the safe usage of AI. Once you’ve got it, make sure to work with your HR and communications departments to get those documents signed and understood by employees.
Need help writing it? Our free downloadable AI Policy is a great place to start.
#6—Upgrade Your Risk Management
Every year, regulators will look closer at your risk management platforms. Now is a good time to make sure you’ve left no detail unexamined. The new year is a great time to think about what you could improve and refine, such as:
- Vulnerability scans—Are you truly covering your endpoints well? We recommend upgrading from a simple SIEM (Security Information and Event Management) system to a fully AI-powered XDR (Extended Detection and Response) system, which can capture, isolate, and remediate threats in a much more holistic and immediate way.
- Controls testing—When was the last time you conducted a full penetration test? It’s time to create a schedule and protocol for this in writing and a process for any needed remediations.
- Better documentation—If your risk management tools and vulnerability scanners aren’t kicking out good monitoring and remediation reports, it’s time to get ones that do. Regulators will be looking hard at the documentation you generate here. Find tools that make the job easy for you.
Ready to Build Your IT for the Future to Meet the Future of Banking Regulation? Integris Can Help.
If you’re looking for an IT-managed service provider that truly understands the banking industry, call Integris. Our Financial Institutions Division is 200 employees strong and is explicitly dedicated to the IT needs of community banks and credit unions. We’d love to help you fill your IT infrastructure and information technology gaps. Contact us now for a free consultation.