Risk-Based Resilience:
Three Cybersecurity Controls to Prioritize in 2026
By Ryan Wellman, Cybersecurity Control Analyst, CRISC
Threats are becoming more targeted, regulatory expectations are shifting, and resilience, not just compliance, is the new benchmark. As community banks across Michigan and Wisconsin prepare for the year ahead, the focus must shift toward cybersecurity controls that are not only effective but also aligned with the institution’s unique risk profile.
The transition from the FFIEC Cybersecurity Assessment Tool (CAT) to the Cyber Risk Institute (CRI) Profile underscores this shift. The CRI Profile encourages a more dynamic, risk-aware approach to cybersecurity, emphasizing maturity, adaptability, and business continuity. With that in mind, here are three controls that should be top priorities in 2026.
1. Risk-Based Configuration Management
Configuration management is foundational to cybersecurity hygiene. Industry frameworks such as the Center for Internet Security (CIS) Controls consistently rank secure configuration management among the most effective ways to reduce cyber risk. Regularly updating and validating system baselines, especially for servers, workstations, and network devices, helps prevent unauthorized access and reduces the attack surface. These baselines should be tailored to your institution’s risk profile and operational environment.
Recommendations:
- Establish and maintain baseline configurations for all asset classes.
- Use automated tools to scan for deviations and generate remediation reports.
- Review baselines quarterly to ensure alignment with evolving threats and technologies.
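As an added illustration of the drift-scanning recommendation above (example code, not part of the original article or any vendor tool), the following Python compares constructed host scan results against a per-asset-class baseline and emits a remediation report; every baseline setting, host name and value is made up for the example.

```python
"""Baseline drift scanner: compare observed host settings against a per-asset-class
baseline and produce a remediation report. All baselines, hosts and setting names
below are constructed for illustration, not any institution's real standard."""
from dataclasses import dataclass

# Constructed baselines, one per asset class, as the recommendation above suggests.
BASELINES = {
    "server": {"ssh_password_auth": "no", "ntp_enabled": "yes",
               "auto_updates": "yes", "smbv1": "disabled"},
    "workstation": {"screen_lock_minutes": "10", "auto_updates": "yes",
                    "local_admin_count": "1", "smbv1": "disabled"},
    "network_device": {"telnet": "disabled", "snmp_version": "3", "ntp_enabled": "yes"},
}

@dataclass(frozen=True)
class Finding:
    host: str
    asset_class: str
    setting: str
    expected: str
    observed: str  # "<missing>" when the scan did not report the setting at all

def scan_host(host, asset_class, observed):
    """Return a Finding for every baseline setting the host deviates from or lacks."""
    # A KeyError for an unknown asset class is deliberate: an unclassified asset is itself a gap.
    baseline = BASELINES[asset_class]
    findings = []
    for setting, expected in sorted(baseline.items()):
        actual = observed.get(setting, "<missing>")  # absent settings count as deviations
        if actual != expected:
            findings.append(Finding(host, asset_class, setting, expected, actual))
    return findings

def remediation_report(inventory):
    """inventory: list of (host, asset_class, observed_settings); returns findings sorted by host, setting."""
    findings = []
    for host, asset_class, observed in inventory:
        findings.extend(scan_host(host, asset_class, observed))
    return sorted(findings, key=lambda f: (f.host, f.setting))

def format_report(findings):
    """Render findings as plain text suitable for a quarterly baseline review."""
    lines = [f"{len(findings)} deviation(s) from baseline"]
    for f in findings:
        lines.append(f"{f.host} [{f.asset_class}] {f.setting}: expected {f.expected!r}, observed {f.observed!r}")
    return "\n".join(lines)

# Constructed scan results for three assets (one clean, two drifted).
SAMPLE_INVENTORY = [
    ("srv01", "server", {"ssh_password_auth": "yes", "ntp_enabled": "yes",
                         "auto_updates": "yes", "smbv1": "disabled"}),
    ("wks17", "workstation", {"screen_lock_minutes": "30", "auto_updates": "yes", "local_admin_count": "1"}),
    ("sw-core", "network_device", {"telnet": "disabled", "snmp_version": "3", "ntp_enabled": "yes"}),
]

if __name__ == "__main__":
    print(format_report(remediation_report(SAMPLE_INVENTORY)))
```

In practice the observed settings would come from a configuration-management or endpoint-management export rather than an inline dictionary.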
2. Control Alignment with the CRI Profile
The CRI Profile is designed to help financial institutions of all sizes map their controls to real-world risks and regulatory expectations. For many community banks, this represents a significant shift from the familiar FFIEC CAT process. In the past, banks would complete their FFIEC CAT spreadsheets, aiming for 100% Baseline and tracking exceptions for any missing controls in the current or next tier. The focus was often on closing gaps and achieving a higher maturity tier year over year.
With the CRI Profile, the approach is different. The Profile is an assessment that should be completed on a scheduled basis, at least annually. Each statement is evaluated against the current environment, and the emphasis moves away from simply closing gaps. Instead, the CRI Profile encourages institutions to assess their actual risk posture, document their rationale for each response, and focus on continuous improvement and resilience rather than just compliance.
Recommendations:
- Schedule a formal CRI Profile assessment at least once per year.
- Evaluate each statement in the Profile based on your current environment, not just on previous gap lists.
- Use the Profile to guide board-level reporting and strategic cybersecurity investments, focusing on maturity and resilience rather than just “checking the box.”
3. Incident Response and Recovery Testing
Regular incident response and disaster recovery testing is a best practice endorsed by the FFIEC, NIST, and the American Bankers Association. Tabletop exercises and cross-functional drills help ensure that both technical and operational teams are prepared to respond quickly and minimize business disruption. Banks that conduct realistic, scenario-based response tests are more likely to identify gaps in communication and escalation, leading to faster recovery and reduced impact from cyber incidents.
Recommendations:
- Conduct tabletop exercises at least twice per year.
- Include both technical and operational staff in simulations.
- Document lessons learned and integrate them into control improvement cycles.
Final Thought
Risk-based resilience is not just a regulatory expectation; it is a proven strategy for reducing the likelihood and impact of cyber incidents. Community banks that invest in proactive controls, regular testing, and continuous improvement are better equipped to protect their customers and maintain trust in an evolving threat landscape.
By focusing on configuration management, control alignment, and incident response readiness, community banks can strengthen their cybersecurity posture and prepare confidently for the challenges ahead.
Would you like more information? Call our Cybersecurity Team at (906) 228-1047 or email cysec@lascoinc.com.