What Bank Leaders Should Be Asking About Cybersecurity Risk Governance

As financial institutions transition away from the FFIEC Cybersecurity Assessment Tool (CAT), many have adopted the NIST Cybersecurity Framework (CSF) 2.0 to guide their cybersecurity programs. While this shift is directionally appropriate, it represents more than a simple framework replacement. It reflects a broader change in regulatory expectations regarding how cybersecurity risk should be governed, communicated, and defended.

The prior CAT provided a structured, maturity-based approach to assessing cybersecurity posture. It enabled institutions to evaluate inherent risk and align controls to defined maturity levels. NIST CSF 2.0, by contrast, is not designed as a scoring tool. It is intended to support continuous, risk-based governance. The distinction is important. Institutions are no longer evaluated primarily on whether they can complete an assessment or demonstrate maturity. Instead, regulators increasingly focus on whether institutions can explain how cybersecurity risk is identified, prioritized, and managed, and how those decisions are supported by leadership.

In practice, many institutions appear aligned to NIST CSF 2.0 on paper but still fall short of its intended purpose. The difference lies in how the framework is used.

At a recent presentation on this transition, I posed a simple question to an audience of bank board members and executives: who has been actively involved in their institution’s cybersecurity risk? Only about ten percent of the audience raised their hands. This result was not surprising, but it was instructive. It highlights a persistent challenge in many organizations. Cybersecurity continues to be viewed as a technical issue rather than an enterprise risk that requires engagement from senior leadership and the board. A central theme of that discussion was helping participants better understand their role in cybersecurity governance, not as passive recipients of reporting, but as active participants in oversight and decision-making.

This gap in perspective is often where the most significant governance issues emerge. Institutions may have strong controls, well-developed policies, and extensive documentation, yet still be unable to clearly articulate how cybersecurity risk is governed across the organization. In these cases, the focus remains on execution rather than oversight.

Several common red flags can signal that an institution has not fully transitioned to the intent of NIST CSF 2.0. One of the most frequent is continued reliance on CAT-based concepts such as maturity scoring or legacy assessment outputs as the primary evidence of cybersecurity posture. While these artifacts may provide useful context, they do not align with the continuous and decision-focused nature of NIST CSF 2.0. Institutions that continue to frame cybersecurity in terms of scores rather than decisions often struggle to demonstrate governance.

A related indicator is when cybersecurity remains siloed within the technology function. NIST CSF 2.0 explicitly elevates governance and emphasizes that cyber risk is an enterprise risk issue. When ownership, reporting, and decision-making remain concentrated within IT, it becomes difficult to demonstrate effective oversight. Strong governance requires coordination across management, enterprise risk management (ERM), compliance, and technology functions, with clear accountability at each level.

Governance challenges also frequently emerge in how information is communicated to leadership. Board reporting that focuses primarily on metrics, vulnerability counts, or incident summaries may provide visibility but does not necessarily support decision-making. Regulators increasingly expect reporting to reflect risk appetite, prioritization, and management actions. If leadership cannot clearly see how cybersecurity risks are evaluated and addressed, oversight becomes limited.

Risk Appetite

In the context of cybersecurity, risk appetite refers to the level and types of cyber risk an institution is willing to accept in pursuit of its business objectives. It reflects management and board expectations for balancing risk, operational impact, and investment in controls, and should guide prioritization, resource allocation, and risk acceptance decisions.

Another common issue is the informal handling of risk acceptance. Cybersecurity risk cannot be fully eliminated, which makes risk acceptance a necessary component of governance. However, when these decisions are implicit, undocumented, or inconsistently applied, institutions lack the ability to demonstrate control over their risk posture. NIST CSF 2.0 introduces the concept of current and target profiles to support this process. The gap between these profiles should drive prioritization and decision-making, including the explicit acceptance of residual risk.

Institutions may also struggle when their risk management processes remain overly static. Annual or periodic assessments are still common, but they may not fully reflect the dynamic nature of cybersecurity risk. New technologies, vendor relationships, and evolving threat landscapes require more responsive evaluation. Organizations that do not incorporate these changes into their risk assessments may appear reactive rather than risk-driven.

Additional red flags often appear in third-party risk management, documentation practices, and the use of metrics. Vendor risk is a significant component of cyber exposure, yet in some cases, it is not fully integrated into the broader governance model. Similarly, institutions may maintain extensive documentation, but if those materials do not clearly support decision-making or reflect accountability, they provide limited value. Metrics present another challenge. When metrics are reported without context or are not tied to management action, they suggest monitoring rather than governance.

Taken together, these issues often point to a broader challenge. The organization may be mapping to NIST CSF 2.0 rather than using it as a governance framework. The distinction is critical. NIST CSF 2.0 is designed to provide a structure for accountability, prioritization, and decision-making. It is not simply a new way to organize existing controls.

For bank executives and board members, the transition presents both a challenge and an opportunity. Strengthening cybersecurity governance does not necessarily require adding new controls or producing more documentation. Instead, it requires improving how decisions are made, documented, and communicated across the organization.

Key Actions for Executive Leadership

To support a more effective transition to NIST CSF 2.0, institutions should consider the following actions:

  • Clarify ownership of cybersecurity risk. Define roles and responsibilities across management, ERM, compliance, and technology, and ensure accountability is clearly understood and consistently applied.
  • Enhance board reporting to support decision-making. Shift from metric-driven reporting to information that reflects risk appetite, prioritization, and management actions.
  • Formalize risk acceptance practices. Ensure that cybersecurity risk acceptance decisions are explicit, documented, and approved at the appropriate levels.
  • Integrate cybersecurity into enterprise risk management. Align cyber risk with other enterprise risks to support consistent evaluation, aggregation, and reporting.
  • Adopt a more dynamic approach to risk assessment. Update assessments based on material changes in the environment, rather than relying solely on periodic cycles.

Ultimately, the transition from the FFIEC CAT to NIST CSF 2.0 is not about adopting a new framework. It is about adopting a governance mindset. Regulators are not expecting perfection, but they are expecting clarity, consistency, and credibility. Institutions that can clearly explain how cybersecurity risk is identified, prioritized, and managed, and how leadership is involved in those decisions, will be better positioned to meet those expectations.

The question for financial institutions is no longer whether a framework is in place. It is whether that framework is driving decisions.

For more information, please contact Pat Morin or your BNN advisor.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.