"Basic cyber hygiene prevents 98% of cyberattacks." That's a quote from former CISA Director Jen Easterly, and it's the foundation of a guide released by the Conference of State Bank Supervisors (CSBS) in December 2025.

The Fundamentals of Cyber Hygiene for Financial Institutions identifies 10 fundamental controls, grounded in existing FFIEC guidance, that community financial institutions should have in place to defend against common threats.

To help financial institutions put these controls into practice, the guide is structured around three key areas: 

  • The current cyber threat environment facing financial institutions
  • The 10 fundamental controls, with a dedicated fact sheet for each
  • Board-level questions designed to drive meaningful oversight 

So, what does the guide say, and how should your institution use it? Let's take a look. 

In this article we will cover the following: 

  • The Cyber Threat Environment
  • The 10 Fundamental Controls
  • How to Use the Fact Sheets
  • How to Use the Board Questions
  • What's Next?
  • Frequently Asked Questions (FAQs)

The Cyber Threat Environment

The guide starts with a look at the current cyber threat environment. Some of the key threats covered include: 

  • Ransomware. Still a top concern and more sophisticated than ever. Today's threat actors use double (and sometimes triple) extortion tactics, operate with organizational structures that mirror legitimate businesses, and leverage Ransomware-as-a-Service (RaaS) models that make it easier for less skilled criminals to launch attacks. 
  • Geopolitical and Hacktivist Threats. Nation-state actors and hacktivist organizations are increasingly targeting financial institutions, sometimes as part of broader military or political strategy. 
  • Social Engineering and Phishing. Human error is consistently a top attack vector, and AI is making phishing attempts harder to spot. Business email compromise (BEC) is a particularly costly variation for financial institutions. 
  • Third-Party Risks. Core processor outages, corrupted software updates, and compromised vendor access all create real exposure. If a critical vendor has a bad day, your institution feels it. 

Some other threats covered include denial-of-service (DoS) attacks and corporate account takeover (CATO). This list might look familiar, and that's intentional. What makes it special is the source and the context. 

  1. It's written for financial institutions. These aren't generic threats pulled from a headline. They're what you and your peers are actively facing. 
  2. It's coming from your regulators. These threats are what examiners are seeing across the institutions they supervise. 
  3. It sets up the rest of the guide. The guide is upfront that "there is no one impenetrable security device, technique, or practice that can provide total security protection for our institutions," which is exactly why the layered approach matters. 

An information security program that consistently implements and manages the ten fundamental controls is a practical response to this reality. 

The 10 Fundamental Controls 

To defend against these threats, the guide identifies 10 cyber hygiene controls and practices. If you look at this list and think, "Wow, these look familiar," great! (That's kind of the point.) 

These controls aren't supposed to be new, but they are the ones that make a difference. 

  • Cybersecurity Awareness Training. Building a culture of security through regular, meaningful employee training. 
  • Data Backup Programs. Making sure critical data can actually be recovered when something goes wrong. 
  • End-of-Life (EOL) Management. Tracking and retiring unsupported assets that no longer receive security updates. 
  • Incident Response Programs. Having a tested, current plan for detecting, containing, and recovering from cyber incidents. 
  • IT Asset Management (ITAM). Knowing what technology you have, where it lives, and how it connects to everything else. 
  • Event Logging & Threat Detection. Maintaining visibility into system events so you can identify and respond to suspicious activity. 
  • Multi-Factor Authentication (MFA). Requiring more than a password to access systems and data. 
  • Vulnerability & Patch Management. Identifying and remediating software and hardware vulnerabilities before they get exploited. 
  • Threat Intelligence Programs. Gathering and acting on threat information before it becomes an incident. 
  • Third-Party Risk Management (TPRM). Managing the security risks that come with your vendor and service provider relationships. 

None of these are new concepts, and the guide is upfront about that. The guide's goal is to help you strengthen existing cyber hygiene practices, and provide a way to explain these controls to executive leadership. 

How to Use the Fact Sheets 

The heart of the guide is a set of ten fact sheets, one for each fundamental control. Each fact sheet explains why the control matters, what a solid program looks like, and what FFIEC guidance says about it. 

The fact sheets are written to be read by cybersecurity staff and senior management alike, without having to run them through your LLM of choice and say, "but make it conversational." 

If you already have programs in place for these areas (which you probably do), the fact sheets aren't asking you to start over. Instead, they are written to help you improve the controls you already have in place. 

A few areas worth paying special attention to: 

  • Cybersecurity Awareness Training. Annual compliance-level training has long been treated as the standard, but the guide cites ISACA's recommendation to train every four to six months for better retention. The fact sheet emphasizes that training needs to cover emerging threats (like AI-enhanced phishing), not just the familiar faces. 
  • Multi-Factor Authentication (MFA). Not all MFA is equal. SMS is considered the weakest available option and is meant to be a temporary measure while you move toward something stronger. The fact sheet walks through the spectrum of MFA options and the tradeoffs of each, which can be useful when making the case for an upgrade. 
  • Vulnerability and Patch Management. According to the guide (page 42), approximately 28% of known exploitable vulnerabilities disclosed in 2024 were exploited within less than one day of their disclosure. If your patching timelines are measured in weeks or months for critical vulnerabilities, that number is worth a second look.
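The patch management point above is really a question about two clocks: how fast a vulnerability gets exploited versus how fast you close it. The script below is an added example (not from the CSBS guide or from Tandem) that measures the second clock against a written policy. The findings inventory, the asset names, the `CVE-PLACEHOLDER-*` identifiers, the reference date, and the SLA windows in `SLA_DAYS` are all constructed assumptions for illustration; substitute your own policy and export.

```python
"""Time-to-remediate check against a patching policy (added example).

Everything here is constructed: the findings, the asset names, the
placeholder CVE ids, the reference date and the SLA windows are
assumptions, not values taken from the CSBS guide.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed policy: maximum days from vendor disclosure to remediation.
# Findings on a known-exploited list get the tightest window.
SLA_DAYS = {"kev": 3, "critical": 14, "high": 30, "medium": 90}


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str                      # placeholder identifiers, not real CVEs
    severity: str                 # critical / high / medium
    kev: bool                     # listed as known exploited
    disclosed: date
    remediated: Optional[date]    # None means the finding is still open


# Constructed sample inventory (what a scanner export might look like).
TODAY = date(2025, 3, 1)
FINDINGS = [
    Finding("core-db-01", "CVE-PLACEHOLDER-1", "critical", True,  date(2025, 2, 10), date(2025, 2, 11)),
    Finding("web-gw-02",  "CVE-PLACEHOLDER-2", "critical", True,  date(2025, 2, 1),  date(2025, 2, 20)),
    Finding("teller-15",  "CVE-PLACEHOLDER-3", "high",     False, date(2025, 1, 5),  None),
    Finding("hr-app-01",  "CVE-PLACEHOLDER-4", "medium",   False, date(2025, 1, 20), date(2025, 2, 5)),
]


def sla_for(f: Finding) -> int:
    """Policy window that applies to a finding: KEV overrides severity."""
    return SLA_DAYS["kev"] if f.kev else SLA_DAYS[f.severity]


def days_exposed(f: Finding, today: date) -> int:
    """Days from disclosure to remediation, or to today if still open."""
    end = f.remediated or today
    return (end - f.disclosed).days


def overdue(findings: List[Finding], today: date) -> List[Finding]:
    """Findings whose exposure window exceeded the policy SLA (open or closed)."""
    return [f for f in findings if days_exposed(f, today) > sla_for(f)]


def kev_within_one_day(findings: List[Finding], today: date) -> float:
    """Share of KEV findings closed within one day of disclosure.

    This is the number to put next to the guide's 28%-exploited-within-a-day
    statistic: it is the part of the exposure window you control.
    """
    kev = [f for f in findings if f.kev]
    if not kev:
        return 0.0
    fast = [f for f in kev if f.remediated and days_exposed(f, today) <= 1]
    return len(fast) / len(kev)


def summarize(findings: List[Finding], today: date) -> dict:
    """Board-ready summary: overdue assets and the one-day KEV closure rate."""
    return {
        "overdue": [(f.asset, f.cve, days_exposed(f, today), sla_for(f)) for f in overdue(findings, today)],
        "kev_within_one_day": kev_within_one_day(findings, today),
    }


if __name__ == "__main__":
    report = summarize(FINDINGS, TODAY)
    for asset, cve, days, sla in report["overdue"]:
        print(f"OVERDUE {asset} {cve}: {days} days exposed, policy {sla}")
    print(f"KEV findings closed within one day: {report['kev_within_one_day']:.0%}")
```

Two design choices matter: open findings count against the SLA using today's date, so an unpatched system is never hidden by the absence of a remediation date, and KEV status overrides severity, since a medium-rated bug that is being exploited in the wild is the one that needs the tightest clock.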

The goal is to put controls in the context of modern, relevant threats. These are real actions you can take which have a real impact. 

Pro Tip: The fact sheets also work well as communication tools. If you need to explain a cybersecurity investment to someone without a technical background, these resources are a great place to start. 

How to Use the Board Questions 

Getting Board Members meaningfully engaged in cybersecurity can be a challenge. For this, each fact sheet is paired with a set of questions written specifically for Board members to ask. Each question comes with an explanation of why the control matters. 

A few examples of where the questions get specific: 

  • The Data Backup Programs questions ask whether the institution can restore backups in a separate, off-network environment if primary systems are unavailable. They also ask if backups are tested at least annually and verified to be malware-free before restoration. 
  • The Incident Response Programs questions ask whether there's a designated coordinator who can manage all aspects of an incident response, and whether testing actually involves senior management. 
  • The Event Logging and Threat Detection questions ask about user and entity behavioral analytics, which is more advanced than many community institutions currently have in place, but increasingly relevant given the rise of "living off the land" (LOTL) attack techniques that evade basic endpoint detection. 
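The "living off the land" point above is the reason the behavioral analytics question is in the guide: the binaries involved are legitimate, so a signature on the tool alone is noisy, and the usable signal is a user or host doing something it has never done before. The script below is an added example (not from the CSBS guide or from Tandem) of the simplest form of that idea: learn a per-user baseline from a training window of endpoint process logs, then flag deviations. The log lines, field names, host names and the `WATCHLIST` contents are constructed assumptions for illustration.

```python
"""Baseline-and-deviation check over endpoint process logs (added example).

The log lines, hosts and users are constructed for this example, and the
watchlist is an assumption; a real deployment would learn from weeks of
EDR or Sysmon data rather than five lines.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Built-in tools that admins use legitimately every day, so alerting on the
# binary alone is noisy; the signal is a user launching one for the first time.
WATCHLIST = {"powershell.exe", "certutil.exe", "wmic.exe", "bitsadmin.exe", "mshta.exe"}

# Constructed learning-period log: what "normal" looks like for each user.
BASELINE_LOG = """\
2025-02-03T08:11:02Z host=teller-15 user=jdoe proc=excel.exe
2025-02-03T08:12:40Z host=teller-15 user=jdoe proc=outlook.exe
2025-02-03T09:00:13Z host=admin-01 user=itadmin proc=powershell.exe
2025-02-04T10:22:51Z host=admin-01 user=itadmin proc=certutil.exe
2025-02-04T11:05:09Z host=teller-15 user=jdoe proc=excel.exe
"""

# Constructed detection-period log to evaluate against the baseline.
NEW_LOG = """\
2025-03-01T14:02:11Z host=teller-15 user=jdoe proc=excel.exe
2025-03-01T14:03:47Z host=teller-15 user=jdoe proc=powershell.exe
2025-03-01T14:04:05Z host=teller-15 user=jdoe proc=certutil.exe
2025-03-01T15:30:22Z host=admin-01 user=itadmin proc=powershell.exe
2025-03-01T16:10:00Z host=core-db-01 user=itadmin proc=wmic.exe
"""

Baseline = Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]


def parse(log: str) -> List[dict]:
    """Parse 'timestamp key=value ...' lines into dicts; skip blank lines."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        events.append({"ts": ts, **fields})
    return events


def build_baseline(events: List[dict]) -> Baseline:
    """Per-user sets of processes and hosts seen during the learning period."""
    procs: Dict[str, Set[str]] = defaultdict(set)
    hosts: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        procs[e["user"]].add(e["proc"].lower())
        hosts[e["user"]].add(e["host"])
    return procs, hosts


def detect(baseline: Baseline, events: List[dict]) -> List[tuple]:
    """Flag first use of a watchlisted tool by a user, or a user on a new host.

    A user absent from the baseline has empty sets, so all of their activity
    is treated as new; that is deliberate for a first-seen account.
    """
    procs, hosts = baseline
    alerts = []
    for e in events:
        user, proc, host = e["user"], e["proc"].lower(), e["host"]
        reasons = []
        if proc in WATCHLIST and proc not in procs.get(user, set()):
            reasons.append(f"first use of watchlisted tool {proc}")
        if host not in hosts.get(user, set()):
            reasons.append(f"first activity on host {host}")
        if reasons:
            alerts.append((e["ts"], user, host, proc, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for ts, user, host, proc, why in detect(baseline, parse(NEW_LOG)):
        print(f"{ts} ALERT user={user} host={host} proc={proc}: {why}")
```

Note what this catches and what it does not: the admin running PowerShell on the admin workstation is silent, because that is baseline behavior, while a teller account launching PowerShell and certutil, or the admin account appearing on a database host for the first time, is surfaced with the reason attached. That "why" string is what lets an analyst (or a Board report) explain the alert without reading raw logs.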

The goal of these questions is to create the kind of ongoing, top-down attention to cybersecurity that makes a real difference in the institution's cybersecurity posture. 

Pro Tip: Consider sharing relevant Board questions from the guide with the Board before your next cybersecurity report. Better yet, use them to shape your own reporting. If you're already answering these questions proactively in your reports to the Board, you're demonstrating exactly the kind of oversight the regulators expect to see. 

What's Next? 

The purpose of the CSBS Cyber Hygiene Fundamentals for Financial Institutions is to help you determine if your key controls are doing what they're supposed to do. That's a harder question than it sounds, so if you're not sure where to focus, pick one fact sheet. Look honestly at your program against it, work through the Board questions, and find one place to improve this quarter. Then do it again and again. 

If you're looking for a way to manage all of this in one place, Tandem is an information security GRC application built specifically for community financial institutions. From risk assessments and IT asset inventories to vendor management, phishing simulations, incident management, and beyond, Tandem is designed to help you stay on top of your key controls without reinventing the wheel every year. 

Subscribe to the Tandem Blog to get monthly educational content on cybersecurity and compliance delivered straight to your inbox. And if you'd like to see Tandem in action, watch a demo at Tandem.App/Demos. 

Frequently Asked Questions (FAQs) 

Q: Am I required to implement the controls in the CSBS Cyber Hygiene Guide? 

A: This guide does not contain new regulatory requirements. However, the ten controls it covers are grounded in existing FFIEC guidance and regulatory standards, like GLBA.  

Q: Will my examiners be looking for the CSBS Cyber Hygiene Guide to be implemented within my organization? 

A: Examiners want to see evidence that key controls are implemented in a thoughtful, risk-based manner, and the Board is genuinely engaged in oversight. That means having things like documented policies and procedures, evidence of security testing, and Board reporting that reflects real understanding rather than checkbox compliance. The Board questions in the guide are a useful preview of the kinds of questions examiners may ask you. 

Q: How does the CSBS Cyber Hygiene Guide relate to existing cybersecurity frameworks? 

A: The guide complements existing cybersecurity frameworks. If you're already performing cybersecurity control self-assessments using the NIST Cybersecurity Framework (CSF), the CSBS Ransomware Self-Assessment Tool (R-SAT), or another framework, you don't need to start over. The fact sheets can be used alongside those tools to make sure the specific controls and threats covered here are addressed in your program. 

Q: What if we already have programs for all ten controls in the CSBS Cyber Hygiene Guide? Do we still need to review this? 

A: Yes. The guide's focus on consistent implementation and ongoing management emphasizes the importance of regular review. The Board questions are also worth reviewing even if your programs are mature, since they can highlight gaps in how cybersecurity is being communicated and overseen at the Board level. 

Q: We're a small institution with limited staff and resources. How do we prioritize which controls matter most? 

A: Start with the controls most likely to be exploited at your institution. For most community institutions, that means MFA, patching, and incident response. If you're not sure where your biggest gaps are, working through the fact sheets as a gap assessment is a reasonable starting point. Tandem's GRC software products are also designed to help you identify and prioritize risks in a structured way.