Cyberattacks Target Directors, Executives

The potential for cyberattacks remains a constant threat to banks, and board members and C-suite executives are especially at risk.

Eighty-four percent of bank directors, CEOs and senior executives responding to Bank Director’s 2025 Risk Survey listed cybersecurity as a top concern for their institution. This fear is well founded. Sixty-four percent of financial institution respondents said they experienced a cyberattack last year where a hacker tried to steal non-public information, according to a survey from cybersecurity firm Contrast Security.

Directors and senior executives, in particular, are likely to face more targeted attacks given their high-level positions and access to sensitive information. Because of this, this group should undergo continuous education and periodic training to make them aware of these threats.

“Cybersecurity is a whole [other] level for directors and executives at banks,” says Brian McGinnis, a partner at the law firm Barnes & Thornburg and co-chair of the firm’s data security and privacy group. “This has become and should be a board-level issue for every single bank.”

In general, banks are battling against cybercriminals looking to steal sensitive information or money. Board members and senior executives are a good target, in part, because there is usually much information about them publicly available, including pictures and biographies, on a company’s website. Because of that, board members and senior executives will generally face more sophisticated and targeted attacks than the average employee. For instance, a mid-level employee is more likely to be hit with a standard phishing scam where the hacker sends out a significant number of emails to workers within an organization with the hopes that at least one person falls for the scam, takes the requested action and the bad actor can breach the bank’s security measures.

“Your normal employees get blasted with a spray-and-pray approach,” says Dylan Sandlin, digital and cybersecurity content program manager at the National Association of Corporate Directors, an association for board members. “But at the board and senior management level, it is much more targeted.”

In contrast, board members and senior executives are likely to face something like a spear phishing scam, where the hacker sends a highly personalized message or email to the intended target in hopes of tricking the person into taking action. For example, a criminal could send a director an email encouraging them to click on a link that’s supposedly to a new portal that the board will be using, says Colin Taggart, a partner at Plante Moran.

A whaling attack is also a possibility. This is where the bad actor pretends to be an executive or vendor to reach out to a high-level target.

Additionally, executives and directors may travel more frequently than other types of employees. That means there is the potential for greater reliance on public Wi-Fi networks or using unfamiliar and less secure networks. This can increase the director or executive’s personal risk exposure, Sandlin says.

Board members may also complete work for the bank on personal devices, such as a tablet or laptop, though that is discouraged. “Are they letting their kids play games on that computer?” Taggart asks. “We had a director once leave a tablet at a casino.”

Artificial intelligence could be used by cyber criminals. Bad actors increasingly can clone someone’s voice, meaning they could leave a voicemail that sounds like the bank’s CEO for an unsuspecting director, for instance. Or AI can be used to generate a video image. Directors and senior management need to be aware of this evolving technology and the ways it could be utilized in a scam.

“There is certainly a bull’s eye on the directors,” Taggart says. “Because of that, they need more training.”

Education and training are essential, even for smaller financial institutions. Senior management and directors at community banks shouldn’t assume that they will be too small to be of interest to bad actors. “Any bank is a ripe target, especially when that data comes with access to money,” McGinnis says.

Banks should provide education to new directors during the onboarding process on the types of cybersecurity threats they will face in their new role and best practices to avoid becoming a victim, Sandlin says. This includes using a password manager, which allows a user to create more complex passwords rather than rely on memorization. Executives and directors also need to be aware of their social media profile to ensure they limit sensitive information that is publicly available, which bad actors could use in a targeted attack. To defend against voice impersonations, the institution should have a secondary method of verification.

The institution’s chief information security officer should work with the board to determine how frequent training should occur for directors, though once or twice a year may make sense for many banks, Sandlin says.

Finally, banks should also be completing tabletop exercises to test procedures and response plans to a security threat two to four times a year. Currently, 83% of respondents to Bank Director’s 2025 Risk Survey said they conducted a cybersecurity tabletop exercise in the prior 12 months.

Each time, the threat should take on a different form, such as a hacker using social engineering to launch a phishing attack on the bank and then dealing with a skimmer being installed on an ATM the next time, McGinnis says. Directors should be included in these exercises to ensure they understand their bank’s preparedness, identify gaps in governance and clarify the board’s role in a crisis. Having a director-specific exercise on at least an annual basis is also a good practice, he adds.

“[Directors] should be eager for these opportunities,” McGinnis says. “It makes the bank stronger.”