R7 – The Top 7 Cyber Risks of 2025

Top Seven Risks . . .

that small bank Information Security Officers face in 2025!

We’ve assembled this compilation of cyber risks of 2025, as we have for the past several years, as we gear up to refresh our board of directors’ routine awareness training materials, including presentations and movies. This is designed primarily for community banks, but it could apply to small businesses as well. Most of these items are not new, especially since we try to provide a high-level overview of the risks in general categories. An example of this is the second risk this year, Cyber Threats. While there have been new and novel cyber-attacks we could discuss, the overall category of cyber-attacks is not new. This compilation serves as a starting point for dialogue within your board and management circles, helping pinpoint the specific risks and threats your institution faces.

R7 - Top Seven Cyber Risk 2025 - 2026

Cybersecurity Assessment Tool Replacement

One of the notable “new” cyber risks in 2025 revolves around the fact that the FFIEC stated they are sunsetting the Cybersecurity Assessment Tool (CAT) at the end of August this year, having determined not to update it. The tool was originally released in 2015 to help financial institutions identify their risks, determine their cybersecurity preparedness, and identify controls to improve their posture. While not perfect, this tool has been used by financial institutions, examiners, and auditors for almost a decade, and we must decide how we are going to replace it. In the sunsetting statement, the FFIEC mentioned several possible replacements, but did not prescribe any one in particular. Therefore, it is up to us to decide, which means that while this may be a lot of work, we get to choose the framework that works best for us. It is best to start reviewing the options early, giving yourself the time needed to understand the choices and which one would be best for your institution.

Social Engineering

This is most definitely not a new risk, but if we are talking about top risks to IT, social engineering will always be a top risk. If you have public-facing employees, and being a financial institution you must, you are exposed to social engineering risks. Social engineering attacks, such as phishing and pretexting, pose as significant a risk to financial institutions as ever. These attacks are also starting to leverage AI more and more, leading to even more sophisticated attacks as well as the possibility of fake audio and video being used against us.

Internet of Things

In 2025, Internet of Things (IoT) devices used in financial institutions, such as smart ATMs, networked security cameras, biometric authentication systems, and even employee-owned devices, have become prime targets due to vulnerabilities in firmware and weak security configurations. Attackers can exploit unpatched IoT devices to gain footholds in financial networks, bypass traditional security controls, and launch ransomware or data exfiltration attacks. Compromised IoT devices can also be weaponized into botnets to launch distributed denial-of-service (DDoS) attacks, potentially disrupting banking operations and online financial services. To combat these threats, financial institutions should already have controls in place to block or manage the risk they pose.
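One concrete control for the IoT segment is egress monitoring: IoT devices should only ever talk to a short, known list of destinations, so any other outbound connection, and especially one device fanning out to many unapproved destinations, is worth an alert. The script below is an added illustration, not code from the article or from infotex; the IoT subnet, the egress allowlist, the flow-log line format and the sample flows are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed values for this example: the IoT VLAN and the only egress
# destinations its devices are permitted to reach (vendor update service, NTP).
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
EGRESS_ALLOWLIST = {
    ("203.0.113.10", 443),  # hypothetical vendor firmware/update service
    ("203.0.113.20", 123),  # hypothetical NTP server
}
# Distinct unapproved destinations from one device before we treat it as
# probable botnet/scanning behaviour rather than a one-off misconfiguration.
FANOUT_THRESHOLD = 3

# Hypothetical firewall flow-log line format, e.g.
# "2025-03-04T10:01:02Z src=10.50.0.12 dst=203.0.113.10 dport=443 proto=tcp"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def parse_flow(line):
    """Parse one flow-log line into a dict, or return None for malformed lines."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"]}


def analyse_flows(lines):
    """Return (violations, fanout_devices).

    violations: every flow from an IoT device to a destination not on the allowlist.
    fanout_devices: IoT devices that reached FANOUT_THRESHOLD or more distinct
    unapproved destinations, a common sign of a device recruited into a botnet.
    """
    violations = []
    unapproved = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src = ipaddress.ip_address(flow["src"])
        if src not in IOT_SEGMENT:
            continue  # only the IoT segment is subject to this egress policy
        if (flow["dst"], flow["dport"]) in EGRESS_ALLOWLIST:
            continue
        violations.append((flow["ts"], flow["src"], flow["dst"], flow["dport"]))
        unapproved[flow["src"]].add((flow["dst"], flow["dport"]))
    fanout = sorted(dev for dev, dests in unapproved.items() if len(dests) >= FANOUT_THRESHOLD)
    return violations, fanout


# Constructed sample flows: a camera behaving normally, a second camera
# fanning out to several unapproved hosts, a workstation outside the segment,
# and one malformed line.
SAMPLE_FLOWS = [
    "2025-03-04T10:01:02Z src=10.50.0.12 dst=203.0.113.10 dport=443 proto=tcp",
    "2025-03-04T10:01:05Z src=10.50.0.12 dst=203.0.113.20 dport=123 proto=udp",
    "2025-03-04T10:02:10Z src=10.50.0.44 dst=198.51.100.7 dport=6667 proto=tcp",
    "2025-03-04T10:02:11Z src=10.50.0.44 dst=198.51.100.8 dport=80 proto=tcp",
    "2025-03-04T10:02:12Z src=10.50.0.44 dst=198.51.100.9 dport=80 proto=tcp",
    "2025-03-04T10:02:13Z src=10.50.0.44 dst=198.51.100.10 dport=80 proto=tcp",
    "2025-03-04T10:03:00Z src=10.20.0.5 dst=198.51.100.7 dport=6667 proto=tcp",
    "2025-03-04T10:03:30Z src=10.50.0.12 dst=192.0.2.9 dport=53 proto=udp",
    "this line is not a flow record",
]

if __name__ == "__main__":
    found, fanout = analyse_flows(SAMPLE_FLOWS)
    for ts, src, dst, dport in found:
        print(f"{ts} egress policy violation: {src} -> {dst}:{dport}")
    for dev in fanout:
        print(f"probable botnet activity: {dev} reached {FANOUT_THRESHOLD}+ unapproved destinations")
```

Running it flags the five unapproved flows and singles out 10.50.0.44 for fan-out; the workstation at 10.20.0.5 is ignored because the policy only covers the IoT segment. In production the allowlist would come from the device inventory and the flows from the firewall or NetFlow collector, but the logic of "IoT talks to a known list and nothing else" is the same.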

Ransomware

This is another risk that is by no means new, but it is always a top risk and always an evolving one. In 2025, ransomware attacks against financial institutions have evolved to include AI-driven malware that can adapt to security defenses. Cybercriminals are increasingly using double and triple extortion tactics, not only encrypting data but also threatening to leak sensitive financial records and disrupt services unless payments are made. The rise of ransomware-as-a-service (RaaS) has also made it easier for less sophisticated attackers to launch devastating attacks on banks without advanced technical skills. Attackers are also exploiting software supply chain vulnerabilities, compromising third-party vendors and software providers to inject ransomware into networks undetected. Again, while this threat isn’t new, the tactics, techniques, and procedures of these attackers are always changing, and this will remain a top risk to financial institutions.
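Whatever the initial access vector, the encryption phase of a ransomware attack still looks the same on a file server: one account modifying or renaming far more files per minute than any human does, often to a single unfamiliar extension. The script below is an added example, not code from the article or from infotex; the audit-event line format, the burst threshold and the sample events are constructed for the illustration, and in practice the events would come from the file server's audit log or the EDR.

```python
import os
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical file-audit line format (constructed for this example):
# "2025-03-04T10:01:02Z host=FS01 user=jdoe op=rename path=/shares/loans/a.docx new=/shares/loans/a.docx.locked"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\w+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?"
)
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".csv", ".bak", ".tmp"}


def parse_event(line):
    """Parse one audit line; returns None for lines that do not match the format."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"], "user": m["user"], "op": m["op"],
        "path": m["path"], "new": m["new"],
    }


def detect_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag (host, user) pairs whose write/rename rate exceeds `threshold` in any `window`.

    Each alert also reports rename target extensions not in KNOWN_EXTENSIONS,
    since mass renaming to one new extension is the classic encryption signature.
    """
    by_actor = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["op"] in ("write", "rename"):
            by_actor[(ev["host"], ev["user"])].append(ev)

    alerts = []
    for (host, user), events in by_actor.items():
        events.sort(key=lambda e: e["ts"])
        times = [e["ts"] for e in events]
        # Sliding window: widest run of events whose span fits inside `window`.
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        new_exts = Counter(
            os.path.splitext(e["new"])[1].lower()
            for e in events if e["op"] == "rename" and e["new"]
        )
        unknown = {ext: n for ext, n in new_exts.items() if ext and ext not in KNOWN_EXTENSIONS}
        if peak >= threshold:
            alerts.append({"host": host, "user": user, "peak": peak, "unknown_extensions": unknown})
    return alerts


# Constructed sample: jdoe's session renames six files to ".locked" in under a
# minute; asmith saves two documents a few minutes apart, which is normal use.
SAMPLE_EVENTS = [
    f"2025-03-04T10:01:{s:02d}Z host=FS01 user=jdoe op=rename path=/shares/loans/app{i}.docx new=/shares/loans/app{i}.docx.locked"
    for i, s in enumerate((2, 7, 11, 15, 20, 24), start=1)
] + [
    "2025-03-04T10:00:30Z host=FS01 user=asmith op=write path=/shares/ops/report.xlsx",
    "2025-03-04T10:05:45Z host=FS01 user=asmith op=write path=/shares/ops/notes.txt",
    "2025-03-04T10:06:00Z host=FS01 user=asmith op=read path=/shares/ops/policy.pdf",
]

if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_EVENTS):
        print(f"{a['host']}: {a['user']} touched {a['peak']} files in one minute; "
              f"unfamiliar extensions: {a['unknown_extensions']}")
```

The threshold of five is deliberately low so the sample triggers; a real file server would use a baseline measured per share and per account. The point is that this signal is available from logs most institutions already collect, and it catches the encryption phase regardless of how the strain adapts to endpoint defenses.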

Cloud Services Vulnerabilities

As we stated in our R7 article last year, we are increasingly moving information from our systems into the cloud, so this makes the list of cyber risks for 2025 as well. Cybercriminals are increasingly targeting cloud-based platforms with software supply chain attacks, injecting malicious code into third-party cloud applications to compromise entire networks. We are also seeing AI-driven cyberattacks exploit weaknesses in cloud APIs, allowing attackers to manipulate transactions, steal customer data, or disrupt banking operations. Multi-cloud environments also introduce complexity in security management, increasing the risk of data breaches due to inconsistent access controls and insufficient monitoring across different providers. To counter these threats, financial institutions must enforce strict cloud security policies, conduct continuous threat monitoring, and adopt solutions that ensure cloud services, when used, are used securely.

Third-Party Risk Expansion

While cloud services vulnerabilities are a particular type of third-party risk, we’re also seeing the use of third parties (and cloud services, of course) increase in general. Financial institutions therefore face growing threats from third-party risk expansion as cybercriminals increasingly target vendors, payment processors, and security and technology providers to infiltrate banking networks. And of course, there are also the business continuity and vendor management risks introduced by the increased use of third parties. In 2025, it’s more important than ever to make sure we are managing third parties correctly, as they face very similar, if not the same, cybersecurity challenges as we do and may not have the same culture of security as us.

Supply Chain Disruptions

Supply chain disruptions, specifically tariffs on imported technology, cybersecurity, and financial infrastructure components, pose a significant risk to financial institutions. Banks rely heavily on third-party vendors for essential hardware, software, and cloud-based services, many of which source equipment and technology from global markets. Increased tariffs could drive up costs for critical security appliances, data storage solutions, and networking hardware, costs which vendors will most certainly pass on. Additionally, higher costs could impact planned infrastructure upgrades and scheduled device retirements, or create issues when replacing existing devices in an emergency. This risk is very unpredictable at the moment, but it may have a significant impact in 2025.

So, to summarize, the top seven cyber risks in 2025 that community-based banks face are:
• Cybersecurity Assessment Tool Replacement
• Social Engineering
• Internet of Things
• Ransomware
• Cloud Services Vulnerabilities
• Third-Party Risk Expansion
• Supply Chain Disruptions

Original article by Adam Reynolds CISSP. Lead Non-Technical, infotex
