Skip to Main Content

Spotting Cyber Risk before It Strikes

By Dimuthu Ratnadiwakara and Steven Baker
cyber alert stock image

Cyber incidents — once seen as a bank's IT problem — are now a threat to financial stability. A major cyber incident can knock out payment systems, disrupt lending, and shake confidence in the broader financial system. Yet bank supervisors and the industry still lack a standard measure of how vulnerable a bank is to a future incident.

Our research aims to fill this gap to help both bank regulators and the industry. In our working paper, Cyber Risk in Banking: Measuring and Predicting Vulnerability, we develop the first cyber-risk forecasting framework that covers nearly all U.S. banks. The model combines cybersecurity signals, actual cyber incidents, and regulatory data to predict whether a bank will suffer a cyber incident in the next year. It works well for small, mid-sized, and large banks alike. The results can be used to improve supervisory oversight and internal risk management.

Three data sources, one bank-level picture

We analyze quarterly data from 2015 through 2024 that links three sources:

  • BitSight derives cybersecurity ratings from the internet — from a wide range of technical data related to network security, configuration practices, and evidence of compromise;
  • Zywave records realized cyber incidents, including malicious data breaches, phishing, fraudulent account access, and network disruptions; and
  • FFIEC Call Reports have quarterly balance-sheet, income, and structural data for every regulated U.S. bank.

Our model addresses the question: Given a bank's size, balance sheet, and cybersecurity hygiene (its "security posture"), how likely is it to suffer a cyber incident in the next year?

Cyber incidents are concentrated at the largest banks

How likely a bank is to experience a cyber incident depends on its size. Typically, 10-15% of large banks (with over $10 billion in assets) report at least one incident. In contrast, only around 2% of small banks (under $1 billion) report incidents. Mid-sized banks ($1–10 billion) report incidents at rates between those levels, but that fluctuate substantially across quarters. We can see these trends in Figure 1.

Figure 1: Percent of Small, Mid-Sized, and Large Banks with Cyber Incidents

pct_banks_with_incidents_web_add

We know of a few reasons why larger banks are more likely to experience a cyber incident. First, they are more digitally complex so have more areas that can go wrong. Second, a larger, more well-known bank is more visible to attackers. Finally, attackers target larger banks for the greater chance to get a higher payoff.

While we saw in Figure 1 that large banks report many more incidents on average than small banks, Figure 2 breaks down the number of incidents by the riskiness of the bank. We see that banks predicted by our model to have a lower probability of a cyber incident report fewer incidents (left side of graph). Similarly, small, medium, and large banks that our model predicts to have a greater probability of an incident actually do report more incidents (right side of graph). This shows that our model is a good predictor, validating that those banks that the model considers riskier have more cyber incidents – across all bank sizes.

Figure 2: Model Predictions vs. Actual Cyber Incidents

incident_rate_by_decile_web_add

A predictive model that combines financial and technical signals

Our analysis shows that current cybersecurity and balance-sheet structure — rather than past incident history — drive most of the model's predictive power. We also identify a small set of risk factors that predict cyber incidents:

  • On the financial side, total assets, deposits-to-assets, and loans-to-assets are the best predictors.
  • On the cybersecurity side, patching cadence, TLS/SSL encryption configuration, TLS/SSL certificates, DKIM records, and web application security are the most reliable signals. Several commonly tracked indicators — including botnet infections and spam propagation — recently have become less effective at helping to predict cyber incidents.

Risk is greater when a bank has a combination of weaknesses. Our model finds the strongest link between unpatched software and weak communication protocols: the probability of a cyber incident rises sharply when a bank has both. Supervisors and risk managers can see the highest payoff by addressing vulnerabilities that appear together and not by chasing a single metric alone.

Implications for bank supervision and risk management

For those banks that our model ranks as highest-risk, roughly 90% of large banks experience a cyber incident within a year. The highest-risk smaller banks also show large relative increases.

The results highlight the value of integrating commercial cyber-risk indicators with traditional supervisory data. Together, the data generate timely, institution-specific measures of digital vulnerability. This can help risk managers identify areas where better risk management can have an impact. For supervisors, it can support oversight at the individual bank level and assessments of systemic exposure as the banking system becomes ever more digital.

Importantly, because the framework relies on data already collected — regulatory filings and commercially available cybersecurity ratings — it can be implemented across the sector without imposing new reporting burdens.


Steven Baker and Dimuthu Ratnadiwakara are senior financial economists in the Quantitative Supervision and Research team in the Supervision, Regulation and Credit Department at the Federal Reserve Bank of Richmond.


For the complete paper, see: Baker, Steven D., and Dimuthu Ratnadiwakara, “Cyber Risk in Banking: Measuring and Predicting Vulnerability,” September 2025.

This article may be photocopied or reprinted in its entirety. Please credit the authors, source, and the Federal Reserve Bank of Richmond and include the italicized statement below.

Views expressed in this article are those of the authors and not necessarily those of the Federal Reserve Bank of Richmond or the Federal Reserve System.

Contact Icon Contact Us