Financial Cybersecurity

Find a Bank with the Best Cybersecurity Practices

Last Updated: April 1, 2026

Key takeaways

  • The most secure banks have moved beyond simple prevention to a strategy of operational resilience, assuming that intrusions are inevitable. By combining "defense in depth" with AI-driven detection, they focus on minimizing the "blast radius" and maintaining service continuity during an attack.

  • As attackers evolve to bypass traditional MFA, banks are shifting to phishing-resistant authenticators (FIDO2) and just-in-time access. These advanced identity controls, alongside micro-segmentation, prevent lateral movement and solve the "human element" vulnerability.

  • While global giants have billion-dollar budgets, mid-sized and community banks can achieve similar security postures without needing big budgets. Solutions like Huntress provide the enterprise-grade technology, threat expertise, and a 24/7 SOC to bridge the resource gap.

Financial institutions face an uphill battle in defending against cyberattacks. They must secure an expanding perimeter of legacy mainframes, cloud-native microservices, third-party APIs, and millions of consumer mobile devices. A single vulnerability in this vast attack surface can trigger a catastrophic breach. The velocity of modern attacks has led the banks with the best cybersecurity to move away from the periodic audit cycle toward continuous compliance and operational resilience. 

This evolution is driven by the assumption that breaches are inevitable. The goal is to detect and contain intrusions quickly and restore critical services without data loss. To that end, JPMorgan Chase combines dynamic risk assessment with a rigorous "defense in depth" strategy that provides critical backup for any single point of failure. Additionally, the bank is actively investing in AI and machine learning to detect anomalies that human analysts can’t. 

Let’s break down the best practices for cybersecurity in banking.



How top banks are redefining cybersecurity resilience

Bank of America spends approximately $1 billion annually on cybersecurity. BofA doesn’t just buy security tools—it builds them, holding nearly 6,600 patents. BofA’s strategy focuses on securing the digital touchpoint. This includes deploying "Erica," an AI-powered virtual assistant that handles routine inquiries, helping to protect call center staff from social engineering attacks.

While community and mid-sized banks don’t have the budget of these global giants, they can still achieve a strong security posture and resilience. 

Learn more about the cybersecurity essentials for banks.



What “best” looks like

When evaluating which banks are the most secure, several non-negotiables emerge:

Strong governance

The best cybersecurity practices align technical controls with business governance. FFIEC audits frequently cite banks for the effects of weak governance, particularly a misalignment between high-level policies and low-level procedures. Strong governance is driven by the understanding that technical risk is business risk. It’s up to the board of directors and senior management to provide oversight and resources for cybersecurity.

Full asset inventory

You can only protect what you know about. That’s why FFIEC guidance mandates an inventory of all systems, including open-source software, APIs, and container images. The banks with the best security deploy continuous asset attack surface management (CAASM) solutions that integrate with infrastructure platforms (VMware), cloud services (AWS, Azure), directory services (Active Directory), and endpoint management tools (Huntress) to build a live map of the environment. These tools continuously correlate data to reveal insecure shadow IT and serve as the single source of truth for access decisions.

Encryption

Best practice in encryption has evolved to managing the entire lifecycle of the data and keys, anticipating future threats like quantum computing.

  • Data at rest: Organizations must use AES-256 encryption for all static data. FIPS 140-3 is now the target standard for cryptographic modules.

  • Data in transit: All internal and external traffic must be encrypted using TLS 1.2 or 1.3. 

  • Data in use: For payment data (PANs), encryption is insufficient due to the risk of key theft. Best practice is tokenization, where the sensitive data is replaced by a non-sensitive equivalent (token) that has no extrinsic meaning. 

As banks move to the cloud, they must decide on a key management strategy. 

  • Bring your own key (BYOK): The bank generates keys in an on-premises hardware security module (HSM) and imports them into the cloud provider's KMS.

  • Hold your own key (HYOK): For ultra-sensitive data, banks utilize HYOK, where the data is encrypted before it ever leaves the bank's perimeter. 

Banks must also protect against “harvest now, decrypt later” (HNDL) threats, where adversaries steal encrypted data to decrypt once quantum computers are available. Banks must begin the transition to post-quantum cryptography now.

MFA everywhere

Regulatory pressure from the FFIEC and other bodies has shifted MFA from a "remote access" tool to a universal requirement. This applies whether employees work inside the bank branch or from home. For legacy apps and mainframes that don’t natively support MFA, banks utilize identity orchestration layers. These proxies sit in front of the legacy application, enforcing MFA before passing the user through. Increasingly, banks are moving to phishing-resistant MFA (more on this below).

Segmentation blocks attackers.

The Zero Trust framework assumes that the network is already compromised and implements segmentation so that an attacker who gets in at one point cannot move laterally to another, more critical part of the network. Micro-segmentation takes this a step further. A teller’s workstation should only be able to communicate with the specific Virtual Desktop Infrastructure (VDI) gateway required for their job. It should be firewall-blocked from communicating with other teller workstations (preventing peer-to-peer worm propagation) or from directly accessing the mainframe.

Continuous monitoring protects your network.

A defense-in-depth approach combines endpoint detection and response (EDR), identity threat detection and response (ITDR), and security information and event management (SIEM) for continuous monitoring. These tools correlate signals from across environments to catch behaviors that a single tool might miss—a crucial capability for early threat detection and containing threats that get past defenses.

Educated employees outsmart hackers.

Phishing was the top initial attack vector in 2025. As attackers use AI to make these messages even more convincing, educating employees about how to recognize social engineering attacks becomes even more crucial. Top banks use regular security awareness training (SAT) to build a “human firewall” in their organizations.


Fraud and payment security

Real-time payment rails like FedNow and Real-Time Payments (RTP) have shrunk the window for fraud detection from days to milliseconds. To keep up, the banks with the best fraud protection build a comprehensive behavioral profile for every customer, including device fingerprints, typical geolocation, spending patterns, and time-of-day activity. Machine learning models score every transaction against this baseline in real-time to catch account takeover (ATO).

When a transaction is flagged as risky but not definitively fraudulent, "step-up" authentication serves as a critical friction point. For example, a user initiating a wire transfer above a certain threshold or to a new beneficiary might trigger a step-up challenge, such as a biometric scan (FaceID) or a prompt sent to a registered hardware token.

In the event of a sophisticated attack, banks must have kill switches, the capability to "stop the bleeding" instantly. For example, the FedNow service has specific controls for fraud mitigation, including “negative lists,” which block transactions to suspicious accounts, and dynamic transaction limits during heightened threat activity.
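The decision flow described in this section, as an added example (not Huntress or FedNow code): hard stops such as the negative list and the dynamic transaction limit are checked first, then the payment is compared with the customer's baseline, and any deviation leads to a step-up challenge. The field names, thresholds and sample data are constructed assumptions, and simple rule checks stand in for the machine learning score.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # challenge: biometric scan or hardware-token prompt
    BLOCK = "block"


@dataclass
class Profile:
    """Per-customer behavioral baseline (field names are assumptions)."""
    known_devices: set
    usual_countries: set
    known_beneficiaries: set
    typical_max_amount: float
    active_hours: range


@dataclass
class Payment:
    amount: float
    beneficiary: str
    device_id: str
    country: str
    hour: int


@dataclass
class Controls:
    """Bank-side controls; every threshold here is a constructed value."""
    negative_list: set = field(default_factory=set)
    step_up_threshold: float = 10_000.0
    normal_limit: float = 100_000.0
    heightened_limit: float = 25_000.0
    heightened_threat: bool = False

    def transaction_limit(self) -> float:
        # Dynamic limit: tighten the ceiling while threat activity is elevated.
        return self.heightened_limit if self.heightened_threat else self.normal_limit


def decide(payment: Payment, profile: Profile, controls: Controls):
    """Return (Decision, reasons). Hard stops run before the baseline checks."""
    if payment.beneficiary in controls.negative_list:
        return Decision.BLOCK, ["negative_list"]
    if payment.amount > controls.transaction_limit():
        return Decision.BLOCK, ["over_transaction_limit"]

    reasons = []
    if payment.amount > controls.step_up_threshold:
        reasons.append("above_step_up_threshold")
    if payment.beneficiary not in profile.known_beneficiaries:
        reasons.append("new_beneficiary")
    if payment.device_id not in profile.known_devices:
        reasons.append("new_device")
    if payment.country not in profile.usual_countries:
        reasons.append("unusual_geo")
    if payment.amount > profile.typical_max_amount:
        reasons.append("unusual_amount")
    if payment.hour not in profile.active_hours:
        reasons.append("unusual_hour")

    # Risky but not definitively fraudulent: add friction instead of refusing.
    return (Decision.STEP_UP if reasons else Decision.ALLOW), reasons


# Constructed sample customer and controls.
ALICE = Profile({"dev-a1"}, {"US"}, {"acct-rent", "acct-utility"}, 5_000.0, range(7, 23))
CONTROLS = Controls(negative_list={"acct-mule-01"})
```

The returned reasons list doubles as the audit record for why a customer was challenged or a payment was stopped.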



Identity controls for staff

Compromised credentials remain a leading vector for initial access in financial sector breaches, despite the widespread use of multi-factor authentication (MFA). Attacks have evolved, using “MFA fatigue” techniques and "attacker-in-the-middle" (AitM) toolkits to bypass MFA. Best practice—and increasingly a regulatory expectation—is to adopt FIDO2/WebAuthn authenticators such as YubiKeys.

Just-in-time (JIT) access adds another layer of protection against stolen credentials. Rather than granting permanent admin rights, a privileged access management (PAM) tool grants a user the specific permission needed only for a set duration. This generates an audit trail, satisfying strict FFIEC logging requirements.   

Banks must also guard against “zombie accounts” belonging to former employees. Security audits frequently find these active accounts—as do hackers. Identity Governance and Administration (IGA) systems must be tightly integrated with HR platforms to automatically revoke a terminated employee’s accounts and access, like their Active Directory account, VPN certificates, and cloud session tokens. The offboarding procedure must also track physical assets, ensuring laptops and hardware authentication keys are returned.
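One way to audit for the offboarding gaps described above, as an added example (not code from any IGA or HR product): it reconciles an HR roster against exports of directory accounts, VPN certificates, cloud sessions and issued hardware. The record layout and all sample data are constructed assumptions.

```python
from datetime import date

# Constructed sample exports; field names are assumptions, not a vendor schema.
HR_ROSTER = [
    {"emp_id": "E100", "status": "active", "terminated_on": None},
    {"emp_id": "E200", "status": "terminated", "terminated_on": date(2026, 1, 15)},
    {"emp_id": "E300", "status": "terminated", "terminated_on": date(2026, 2, 1)},
]
ACCESS = [
    {"emp_id": "E100", "system": "active_directory", "id": "amartin",
     "enabled": True, "last_used": date(2026, 3, 1)},
    {"emp_id": "E200", "system": "active_directory", "id": "bchen",
     "enabled": True, "last_used": date(2026, 1, 10)},
    {"emp_id": "E200", "system": "vpn_certificate", "id": "cert-0042",
     "enabled": True, "last_used": date(2026, 2, 20)},
    {"emp_id": "E300", "system": "cloud_session", "id": "sess-9f",
     "enabled": False, "last_used": date(2026, 1, 30)},
    {"emp_id": "E999", "system": "active_directory", "id": "svc-old",
     "enabled": True, "last_used": None},
]
ASSETS = [
    {"emp_id": "E200", "asset": "laptop", "returned": True},
    {"emp_id": "E200", "asset": "hardware_key", "returned": False},
    {"emp_id": "E300", "asset": "laptop", "returned": True},
]

# Lower number = review first.
SEVERITY = {
    "used_after_termination": 0,   # credential was used after the exit date
    "live_after_termination": 1,   # still enabled, no use seen since exit
    "orphan_account": 2,           # enabled access with no HR record at all
    "asset_not_returned": 3,       # laptop or hardware key still outstanding
}


def find_offboarding_gaps(hr, access, assets):
    """Return (kind, emp_id, system, identifier) tuples, most urgent first."""
    roster = {rec["emp_id"]: rec for rec in hr}
    findings = []

    for entry in access:
        if not entry["enabled"]:
            continue  # already revoked
        rec = roster.get(entry["emp_id"])
        if rec is None:
            kind = "orphan_account"
        elif rec["status"] == "terminated":
            last = entry["last_used"]
            used_after = last is not None and last > rec["terminated_on"]
            kind = "used_after_termination" if used_after else "live_after_termination"
        else:
            continue  # active employee with active access
        findings.append((kind, entry["emp_id"], entry["system"], entry["id"]))

    for item in assets:
        rec = roster.get(item["emp_id"])
        if rec and rec["status"] == "terminated" and not item["returned"]:
            findings.append(("asset_not_returned", item["emp_id"],
                             "physical_asset", item["asset"]))

    # sorted() is stable, so findings of equal severity keep their input order.
    return sorted(findings, key=lambda f: SEVERITY[f[0]])
```

A `used_after_termination` finding is the one to escalate first, since it shows the credential was exercised after the person left.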



Incident readiness

When prevention fails, the quality of the response determines the magnitude of the impact. The banks with the best cybersecurity develop specific, step-by-step playbooks for high-probability scenarios, including ransomware, business email compromise (BEC), and third-party breach. However, an incident response (IR) plan isn’t complete unless it’s tested and practiced. Quarterly tabletop exercises (TTX) should involve IT, legal, executive leadership, and communications teams to test decision-making under stress. 

IR plans should include pre-approved messaging for media, customers, and regulators. They must also detail chain-of-custody procedures to preserve evidence for forensic investigation, regulators, and insurers. 



Customer protection touchpoints

The customer's mobile device is often the weakest link in the security chain. Secure mobile apps using RASP (runtime application self-protection) integrate security directly into the mobile banking application, allowing it to defend itself in a hostile environment (e.g., a malware-infected phone). 

To protect against spoofing, never use SMS or email to communicate sensitive information. Transaction confirmations, balance updates, and fraud warnings should be delivered via in-app push notifications, which are encrypted and authenticated. Sensitive documents (statements, tax forms) must only be delivered within the secure online banking portal.

The final piece is educating the customer on scam prevention. The American Bankers Association's #BanksNeverAskThat campaign is a prime example of effective customer education, using humor, quizzes, and engaging videos to inform. Additionally, just-in-time warnings during transactions often provide the most effective education at the moment of risk.



Third-party oversight

Banks rely on a complex ecosystem of third-party vendors, from core processors to fintech partners. These integrations greatly expand the attack surface. Last year, third-party compromise was the second most common initial attack vector across industries.

The Office of the Comptroller of the Currency (OCC) mandates a rigorous "lifecycle" approach to vendor management. Before partnering with any vendor, review their security posture (SOC 2 Type II reports), business continuity plans, and their own supply chain dependencies (fourth-party risk).

Contracts must address specific security requirements, including the right to audit, breach notification SLAs, and data destruction after the partnership ends. Banks must continuously monitor vendor performance and security posture, utilizing tools like security rating services (e.g., BitSight, SecurityScorecard). For every critical vendor, the bank must maintain a documented and tested exit strategy so no loose ends remain.



Metrics reflect resilience.

Banks must move beyond vanity metrics (e.g., "number of firewall blocks") to performance metrics that reflect true operational resilience. These include:

Operational metrics

  • Patch latency: The time between the release of a critical patch and its deployment. FFIEC expectations for critical vulnerabilities often mandate patching within 24–72 hours.

  • Unmitigated exploitable vulnerabilities: The total count of active, high-risk flaws lacking a fix. Tracking this helps quantify the current "window of opportunity" for an attacker.

  • Mean time to detect (MTTD): The average time between intrusion and discovery. The objective is to reduce this from days to minutes.

  • Mean time to contain (MTTC): The time from detection to the isolation of the threat (e.g., cutting off a compromised host). This is the most critical metric for limiting the "blast radius" of a ransomware attack.

  • Mean time to respond (MTTR): The average time it takes for a team member to acknowledge an alert and begin working on it.

  • Mean time to recover (MTTR): The average time it takes to get a system back up and running after a failure has occurred.

Strategic metrics

  • Audit pass rate: The percentage of controls that pass internal or external audit testing.

  • Unremediated high-risk findings: The count of critical vulnerabilities that remain open past their remediation Service Level Agreement (SLA).

  • Fraud loss reduction: The quantifiable financial value saved by fraud detection systems (e.g., "Prevented $5M in fraudulent wire transfers this quarter").
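The operational metrics above, computed from incident and patch records as an added example (not Huntress code). It keeps detection time and containment time separate, reports incidents that are still uncontained rather than averaging them away, and flags patches older than 72 hours, the upper end of the range quoted above. Record fields and sample data are constructed assumptions.

```python
from datetime import datetime as dt
from statistics import mean

# Constructed sample records.
INCIDENTS = [
    {"id": "INC-1", "intrusion": dt(2026, 3, 1, 2, 0),
     "detected": dt(2026, 3, 1, 2, 30), "contained": dt(2026, 3, 1, 2, 45)},
    {"id": "INC-2", "intrusion": dt(2026, 3, 5, 9, 0),
     "detected": dt(2026, 3, 5, 13, 0), "contained": dt(2026, 3, 5, 14, 0)},
    {"id": "INC-3", "intrusion": dt(2026, 3, 9, 22, 0),
     "detected": dt(2026, 3, 10, 0, 0), "contained": None},  # still open
]
PATCHES = [
    {"id": "PATCH-A", "released": dt(2026, 3, 2), "deployed": dt(2026, 3, 3)},
    {"id": "PATCH-B", "released": dt(2026, 3, 4), "deployed": dt(2026, 3, 8)},
    {"id": "PATCH-C", "released": dt(2026, 3, 10), "deployed": None},  # pending
]


def _minutes(start, end):
    return (end - start).total_seconds() / 60


def _hours(start, end):
    return (end - start).total_seconds() / 3600


def resilience_metrics(incidents, patches, as_of, patch_window_hours=72):
    """Compute MTTD, MTTC and patch latency; open items are listed, not hidden."""
    # MTTD: intrusion -> discovery.
    mttd = mean([_minutes(i["intrusion"], i["detected"]) for i in incidents])

    # MTTC: detection -> isolation, over contained incidents only.
    contained = [i for i in incidents if i["contained"] is not None]
    mttc = mean([_minutes(i["detected"], i["contained"]) for i in contained]) \
        if contained else None
    uncontained = [i["id"] for i in incidents if i["contained"] is None]

    # Patch latency: release -> deployment, over deployed patches only.
    deployed = [p for p in patches if p["deployed"] is not None]
    latency = mean([_hours(p["released"], p["deployed"]) for p in deployed]) \
        if deployed else None

    # A pending patch ages against as_of, so it cannot escape the window check.
    overdue = [p["id"] for p in patches
               if _hours(p["released"], p["deployed"] or as_of) > patch_window_hours]

    return {
        "mttd_minutes": mttd,
        "mttc_minutes": mttc,
        "uncontained_incidents": uncontained,
        "patch_latency_hours": latency,
        "patches_over_window": overdue,
    }
```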



Bank-grade security with Huntress

While the largest banks with the best cybersecurity can deploy billion-dollar budgets, community and mid-sized banks face the same sophisticated threats with a fraction of the resources. Huntress democratizes bank-grade security by providing enterprise-grade tools for endpoint, identity, employee, and system protection, backed by threat experts and a 24/7 SOC. Achieve cutting-edge visibility, identity defense, endpoint protection, and employee training. Explore the Huntress platform.


