Federal Reserve Cybersecurity Report 2025: Key Insights on Financial System Resilience

🔑 Key Takeaways

  • The Federal Reserve’s Cybersecurity Supervisory Framework — The Federal Reserve’s approach to cybersecurity operates across three distinct roles: as a regulator setting policies for supervised institutions, as a supervisor conducting examinations, and as an operator of critical financial infrastructure including Fedwire, FedACH, FedNow, and the National Settlement Service.
  • Federal Reserve Cybersecurity 2025 Threat Landscape — The threat landscape documented in the Federal Reserve’s 2025 cybersecurity report reveals accelerating danger across multiple vectors.
  • Zero Trust Implementation in Federal Reserve Cybersecurity 2025 — The Federal Reserve’s own adoption of zero trust security principles represents one of the most significant directional signals in the report.
  • Third-Party and Cloud Security Concentration Risk — One of the most consequential themes in the Federal Reserve’s 2025 cybersecurity report is the growing concern over third-party and cloud service provider concentration risk.
  • Quantum Computing Threats and Post-Quantum Cryptography — The Federal Reserve’s 2025 cybersecurity report highlights quantum computing as an emerging threat that could fundamentally undermine the cryptographic foundations of financial system security.

The Federal Reserve’s Cybersecurity Supervisory Framework

The Federal Reserve’s approach to cybersecurity operates across three distinct roles: as a regulator setting policies for supervised institutions, as a supervisor conducting examinations, and as an operator of critical financial infrastructure including Fedwire, FedACH, FedNow, and the National Settlement Service.

The supervisory scope is substantial and tiered by institution size and systemic importance. Eight U.S. global systemically important banks (G-SIBs) — including JPMorgan Chase, Bank of America, Citigroup, Goldman Sachs, Morgan Stanley, Wells Fargo, Bank of New York Mellon, and State Street — receive joint cybersecurity examinations or coordinated cyber reviews conducted with the OCC and FDIC. Large financial institutions with assets of $100 billion or more receive common-scope horizontal cybersecurity examinations across multiple institutions simultaneously, enabling regulators to identify systemic patterns and shared vulnerabilities.

Community banking organizations (under $10 billion in assets) and regional banking organizations ($10 to $100 billion) are evaluated through the Uniform Rating System for Information Technology (URSIT). Notably, the report acknowledges that cyber-attacks “may disproportionately affect small community and regional banking organizations that do not have sufficient resources and capabilities to defend against sophisticated actors” — a finding that has prompted focused outreach programs and a dedicated May 2025 OIG report with five recommendations for enhancing community bank cybersecurity supervision.

Federal Reserve Cybersecurity 2025 Threat Landscape

The threat landscape documented in the Federal Reserve’s 2025 cybersecurity report reveals accelerating danger across multiple vectors. The convergence of geopolitical tensions, organized cybercrime, and emerging technologies creates an environment where financial institutions face simultaneous threats from state-sponsored actors, criminal organizations, and insider risks.

Ransomware Escalation

Ransomware attacks associated with Ransomware-as-a-Service (RaaS) increased year-over-year from 2023 to 2024 across all sectors, geographies, and specifically within the financial sector — despite significant law enforcement disruption efforts. The commoditization of cybercrime tools through Malware-as-a-Service (MaaS) and Phishing-as-a-Service (PhaaS) enables lower-tier attackers to conduct moderately sophisticated campaigns at nominal cost, dramatically expanding the attacker population.

AI-Enhanced Social Engineering

Generative AI is enabling more effective social engineering attacks, including advanced phishing, smishing, and voice-cloning services that can circumvent voice verification controls used by many financial institutions. The report notes that threat actors are potentially circumventing large language model guardrails to generate malware, creating a dual-use challenge where the same AI technologies defending systems are simultaneously strengthening attacks.

Evolving Phishing and Credential Theft

New phishing techniques include subverting endpoint security controls, embedding QR codes within malicious messages to bypass email filters, and intercepting one-time passwords — undermining multi-factor authentication implementations that many institutions rely upon. The increasing number of published vulnerabilities year-over-year, combined with threat actors sharing technical information and reverse-engineering patches, shortens the window between patch availability and exploitation.

Key Finding: DDoS attacks continue to evolve with increasing peak volume, and DDoS services are increasingly available for sale on dark web forums, making volumetric attacks accessible to virtually any motivated adversary. Financial institutions must maintain robust DDoS mitigation as a baseline capability.

Zero Trust Implementation in Federal Reserve Cybersecurity 2025

The Federal Reserve’s own adoption of zero trust security principles represents one of the most significant directional signals in the report. The Board has designated zero-trust implementation as an ongoing top priority, requiring continuous credential verification rather than perimeter-based trust. This internal adoption sends a clear message to supervised institutions about regulatory expectations.

The Board’s security posture includes a layered architecture encompassing network segmentation, access controls, encryption, firewalls, intrusion detection and prevention systems, and Security Information and Event Management (SIEM) systems. Regular third-party penetration testing and security assessments complement these controls, along with participation in CISA’s Continuous Diagnostics and Mitigation (CDM) program.

The Board’s 2024 FISMA assessment rated its overall information security program at Level 4 maturity — “managed and measurable” — which is considered an effective level of security on a five-level scale. Reserve Banks have implemented multifactor authentication across all applications, refined insider risk management policies and practices, and adopted automated tools to strengthen vulnerability management. These concrete implementations provide benchmarks that supervised institutions should aspire to match, as outlined in CISA’s Zero Trust Maturity Model.

Third-Party and Cloud Security Concentration Risk

One of the most consequential themes in the Federal Reserve’s 2025 cybersecurity report is the growing concern over third-party and cloud service provider concentration risk. The concentration of financial services in a small number of cloud providers means that a single provider compromise can have cascading, potentially systemic effects across the entire financial system.

The report references real-world incidents including attacks on trading platforms and mortgage-servicing providers that demonstrated how third-party compromises ripple through interconnected financial ecosystems. Supply chain risk management has become a top priority, with the Board enhancing its own policies for ensuring security when leveraging third parties for cloud systems.

In response, Treasury formed the Cloud Executive Steering Group at FSOC direction to address gaps identified in a February 2023 Treasury report on cloud adoption. Both FBIIC and FSSCC released cloud adoption effective practices resources in 2024. For 2025, the priorities for FBIIC-FSSCC collaboration include strengthening defenses against increasing cyber threats, assessing AI risks, and bolstering cloud resilience — reflecting the consensus view that cloud concentration represents a systemic vulnerability requiring coordinated industry response.

Financial institutions should maintain robust third-party risk management programs that include regular vendor security assessments, contractual security commitments, incident notification requirements in vendor agreements, and contingency plans for critical provider failures. The NIST Cybersecurity Framework provides guidance for structuring these programs effectively.

Quantum Computing Threats and Post-Quantum Cryptography

The Federal Reserve’s 2025 cybersecurity report highlights quantum computing as an emerging threat that could fundamentally undermine the cryptographic foundations of financial system security. Sufficiently powerful quantum computers could render current encryption standards obsolete, threatening the confidentiality and integrity of financial transactions, customer data, and inter-institutional communications.

Significant milestones have already been reached in quantum preparedness. NIST finalized its initial quantum-resistant encryption algorithms in August 2024, providing the first standardized post-quantum cryptographic tools for organizations to begin migration planning. The G7 Cyber Expert Group released a formal statement, “Planning for the Opportunities and Risks of Quantum Computing,” in September 2024, underscoring the urgency at the highest levels of global financial governance.

Financial institutions should begin developing a Quantum-Readiness Roadmap that includes inventorying all current cryptographic systems and dependencies, identifying encryption implementations most vulnerable to quantum attack (particularly public-key cryptography), establishing timelines for migrating to NIST-approved post-quantum algorithms, and engaging with vendors to understand their quantum-readiness plans. The window for preparation is now — organizations that wait for mandatory requirements may find themselves unable to migrate at the pace required when quantum capability reaches critical thresholds.

Incident Notification and Regulatory Compliance Requirements

The regulatory framework for incident notification has become increasingly prescriptive. The Computer-Security Incident Notification Rule, effective since April 1, 2022, requires banking organizations to notify their primary federal regulator of significant computer-security incidents as soon as possible and no later than 36 hours after determining a notification incident has occurred. Bank service providers must notify affected banking organization customers as soon as possible regarding certain incidents.

Under Regulation HH, designated financial market utilities (FMUs) must immediately notify the Board of material operational incidents, reflecting the higher urgency associated with systemic infrastructure. The international dimension adds complexity: the Financial Stability Board published the Format for Incident Reporting Exchange (FIRE) as a final report in April 2025, establishing a common format for financial firms to report incidents across jurisdictions.

Organizations must ensure their incident response processes can meet these timelines, which requires pre-established detection capabilities, classification protocols, notification templates, and communication chains. The 36-hour clock starts from the moment of determination — not discovery — creating an imperative for rapid triage and escalation processes.

FFIEC Cybersecurity Assessment Tool Sunset and Alternatives

A significant development in the 2025 financial-sector cybersecurity landscape is the FFIEC’s announcement that the Cybersecurity Assessment Tool (CAT) will be sunset on August 31, 2025. The CAT has been the primary cybersecurity self-assessment tool used by financial institutions since June 2015, and its retirement creates an immediate need for institutions to adopt alternative frameworks.

The FFIEC’s rationale is that while the CAT’s fundamental controls remain sound, newer government and industry resources provide more comprehensive and current assessment capabilities. Financial institutions should evaluate and adopt replacements well before the sunset date. The most widely recommended alternatives include the NIST Cybersecurity Framework (CSF) 2.0, the Cyber Risk Institute (CRI) Profile, and other industry-specific frameworks that align with current threat landscapes and regulatory expectations.

For community banks that may have relied heavily on the CAT due to its simplicity and familiarity, the transition requires particular attention. The Federal Reserve has released updated “Cybersecurity Resources for Community Banks” (May 2025) to support this transition, and community bank-focused tabletop exercises have been expanded through the Hamilton Series program. Understanding how cybersecurity trends are evolving is critical for selecting the right replacement assessment framework.

AI in Financial Cybersecurity: Defensive and Offensive Applications

The Federal Reserve’s 2025 cybersecurity report addresses AI as a dual-use technology with significant implications for both defensive and offensive cybersecurity operations. On the defensive side, AI offers substantial benefits for intrusion detection, anomaly identification, data loss prevention, and automated threat response. On the offensive side, generative AI enhances social engineering attacks, enables voice cloning that can bypass verification controls, and may enable threat actors to generate malware by circumventing LLM guardrails.

The FFIEC’s October 2024 IT conference — attended by more than 300 examiners from federal and state regulatory agencies — included dedicated sessions on AI use by financial institutions, reflecting the supervisory community’s focus on understanding how institutions are adopting these technologies. The FBIIC-FSSCC 2025 priorities explicitly include assessing AI risks, signaling that regulatory scrutiny of financial institutions’ AI implementations will intensify.

Financial institutions should develop comprehensive AI governance frameworks that address both the deployment of AI in defensive cybersecurity operations and the risks of AI-enhanced attacks against their systems. This includes establishing policies for AI tool evaluation, monitoring AI system outputs for bias or manipulation, and training security teams to recognize AI-augmented social engineering tactics.

Public-Private Partnerships and Sector Coordination

The report emphasizes the critical role of public-private partnerships in maintaining financial system cybersecurity resilience. The Federal Reserve participates in and supports numerous coordination mechanisms that collectively strengthen the sector’s defensive posture.

The Hamilton Series cyber exercises, led by Treasury, bring together public and private sector participants for scenario-based testing of cyber-incident response capabilities. In 2025, the Board facilitated additional in-person tabletop exercises specifically targeting smaller banking organizations — a recognition that community banks face unique challenges in cybersecurity preparedness.

The Financial Services Information Sharing and Analysis Center (FS-ISAC) serves as the sector’s primary threat intelligence sharing platform, and the Board encourages all supervised institutions to participate. Federal Reserve Financial Services has become a member of the Analysis and Resilience Center (ARC) and actively participates in the Systemic Payments Infrastructure Initiative launched in 2023.

CISA is developing financial sector-specific Cyber Performance Goals (CPGs) planned for release later in 2025, which will provide tailored cybersecurity baselines for the financial sector. These goals will complement the NIST CSF and other frameworks by providing sector-specific performance targets. Organizations exploring comprehensive cybersecurity approaches should also understand the relationship between cloud infrastructure security and overall resilience posture.

Practical Recommendations for Financial Institutions

Based on the findings of the Federal Reserve’s 2025 cybersecurity report, financial institutions should prioritize the following actions:

Immediate Actions (2025)

  • Adopt a replacement cybersecurity assessment framework before the CAT sunset on August 31, 2025
  • Implement multifactor authentication across all applications, following the Reserve Banks’ example
  • Ensure compliance with the 36-hour incident notification requirement with tested escalation procedures
  • Review and strengthen third-party risk management programs, particularly for cloud service providers
  • Participate in FS-ISAC and sector-specific information sharing programs

Near-Term Strategic Actions

  • Begin developing a Quantum-Readiness Roadmap using NIST post-quantum algorithm standards
  • Implement or advance zero-trust architecture principles across all systems
  • Deploy AI-powered defensive tools for intrusion detection and threat response while establishing AI governance frameworks
  • Conduct regular tabletop exercises and red team assessments, including AI-specific threat scenarios
  • Implement a defense-in-depth security posture in which no single control failure leads to widespread compromise

Community Bank-Specific Actions

  • Leverage the Federal Reserve’s updated “Cybersecurity Resources for Community Banks” (May 2025)
  • Participate in Hamilton Series tabletop exercises designed for smaller institutions
  • Evaluate managed security service providers to supplement internal capabilities
  • Ensure IT examination staff receive formal cybersecurity training aligned with OIG recommendations

Frequently Asked Questions

What are the main cybersecurity threats to the financial sector in 2025?

According to the Federal Reserve’s 2025 cybersecurity report, the main threats include ransomware-as-a-service (which increased year-over-year from 2023 to 2024), AI-enhanced social engineering and voice cloning, evolving phishing techniques using QR codes and OTP interception, third-party and cloud provider concentration risk, increasing DDoS attacks, and the emerging threat of quantum computing rendering current encryption obsolete.

What is the Federal Reserve’s cybersecurity maturity level?

The Board of Governors’ 2024 FISMA assessment rated its overall information security program at Level 4 maturity — “managed and measurable” — which is considered an effective level of security on a five-level scale. The Board continues to implement zero-trust security principles, multifactor authentication across all applications, and automated vulnerability management tools.

What is the 36-hour incident notification rule for banks?

The Computer-Security Incident Notification Rule, effective since April 2022, requires banking organizations to notify their primary federal regulator of significant computer-security incidents as soon as possible and no later than 36 hours after determining a notification incident has occurred. Bank service providers must also notify affected banking customers as soon as possible.

How should financial institutions prepare for quantum computing threats?

NIST finalized initial quantum-resistant encryption algorithms in August 2024, and the G7 Cyber Expert Group issued a formal statement on quantum computing risks in September 2024. Financial institutions should begin developing a Quantum-Readiness Roadmap now, inventory current cryptographic systems, identify quantum-vulnerable encryption, and plan migration to post-quantum cryptography standards before mandatory requirements emerge.
