Spring 2026 Consumer Services Newsletter

The Fundamentals of Cyber Hygiene for Financial Institutions

The Conference of State Bank Supervisors (CSBS) recently published its Cyber Hygiene Fundamentals for Financial Institutions Guide. The Guide is the culmination of CSBS’ 2025 campaign to raise awareness about the importance of developing and maintaining a strong cyber hygiene program for financial institutions.

The Guide contains a catalog of fact sheets designed to provide a fundamental overview of how certain controls and practices are critical to protecting companies against existing and emerging cyber threats. In addition, it contains accompanying board questions that complement each fact sheet topic to arm board members with relevant and thoughtfully explained questions to ask senior management.

These documents aim to improve communication and harmony between management and the board, thereby strengthening awareness of the importance of basic cyber hygiene throughout all layers of the institution.

The Guide highlights the following critical threats against financial institutions:

  • Ransomware
  • Geopolitical and hacktivist threats
  • Social engineering and phishing
  • Third-party risks
  • Denial-of-service attacks (DoS/DDoS)
  • Corporate account takeover (CATO)

In addition, the following ten fundamental cyber hygiene controls and practices are addressed:

  • Vulnerability and Patch Management
  • End-of-Life Management
  • Multi-Factor Authentication (MFA)
  • Logging and Threat Detection
  • IT Asset Management (ITAM)
  • Cybersecurity Awareness Training
  • Data Backup Programs
  • Threat Intelligence Programs
  • Third-Party Risk Management
  • Incident Response Planning

The unavoidable truth is that today’s cyber threats evolve at such speed that constant attention is needed to protect your company and your customers from potentially devastating consequences. Ensuring you have a program of strong, fundamental cyber hygiene practices in place significantly increases security protections against these and other threats and makes you a less attractive target for cyber criminals.

If your company does experience a data breach, remember that you must comply with all reporting requirements for both consumers and the Department. Licensees must report all data breaches to the Department, regardless of the size of the breach, and may be subject to the consumer reporting requirements of RCW 19.255. Data breach reports should be emailed to csenforcecomplaints@dfi.wa.gov.

Licensees may also need to report the breach to the Washington State Attorney General’s Office. You can learn more about their requirements on their Attorney General Data Breach Notifications page.