When (and How) to Talk About Cybersecurity “Wins”

Financial institutions stop cyberattacks every day that never make headlines. Firewalls hold, phishing attempts fail, and alert employees prevent what could have been costly breaches. These are genuine wins, but most institutions never talk about them. Usually, that’s for good reason: cybersecurity communication is a high-stakes balancing act.

Handled well, it builds customer confidence and reinforces a culture of vigilance. Handled poorly, it can raise more questions than it answers.

Should community financial institutions communicate these cybersecurity wins? And if so, how should they approach it? The answer isn’t simple. There’s no universal best practice, only a sound framework for making the decision.

It All Starts with Governance

Whether to share a cybersecurity win is fundamentally a governance decision, not a communications one. The choice should begin with the Board and align with the institution’s established risk tolerance levels. Like any other operational risk, the question is: “What benefit does disclosure provide, and what risk does it introduce?”

The NIST Cybersecurity Framework (CSF) 2.0 helps define that balance. Its “Govern” function covers leadership oversight, risk strategy, and alignment with organizational objectives; its “Respond” function includes a category specifically for incident response reporting and communication with internal and external stakeholders. Within that framework, external messaging is never an ad hoc decision. It’s a documented process, reviewed and approved like any other control.

Before releasing information about a prevented or mitigated attack, the Board should review a short decision memo outlining:

  • The purpose of the communication (customer assurance, education, transparency, etc.)
  • A risk analysis covering operational, reputational, and regulatory considerations
  • The intended audience and format
  • Which internal approvals are required before publication

Without this structure, well-intentioned transparency can quickly turn into unnecessary exposure: revealing patterns that adversaries can exploit (which lures get caught, how quickly, and by which controls) or prompting customers to question how often such incidents occur.

Disclosure is a governance choice: balance the benefits, weigh the risks.

Understand What’s Required vs. Optional

A crucial first step is distinguishing mandatory reporting from optional storytelling. Several regulations already dictate when banks and credit unions must report cybersecurity events:

  • SEC Rules: Publicly traded companies must disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material, and must describe their cybersecurity risk management, strategy, and governance in annual reports (Form 10-K). These rules do not require disclosure of every attempted or thwarted attack.
  • OCC, FDIC, and Federal Reserve Interagency Rule: Banking organizations must notify their primary federal regulator as soon as possible, and no later than 36 hours after determining that a computer-security incident has materially disrupted or degraded operations, or is reasonably likely to. Federally insured credit unions are covered by a separate NCUA rule with a 72-hour window.
  • NYDFS 23 NYCRR 500: Covered institutions in New York must report defined cybersecurity incidents to the Department of Financial Services within 72 hours of determining that one has occurred.
  • Customer Breach Notifications: Required only when sensitive, non-public customer information has been accessed or misused, or its misuse is reasonably possible, as outlined in GLBA-aligned federal guidance and state breach-notification laws.

These rules form the boundary between required regulatory transparency and discretionary external communication.

If an incident doesn’t meet those thresholds, the decision to share (or stay silent) belongs entirely to the institution and its Board. Critically, optional communication should never contradict or preempt required regulatory notices.

When Transparency Can Add Value

Despite the risks, selective transparency can provide meaningful benefits when done carefully.

Customer Confidence & Market Trust: Thoughtful communication about cybersecurity can help strengthen stakeholder confidence. Research from McKinsey shows that organizations viewed as “digital trust leaders” with mature security, privacy, and risk management practices outperform peers in both revenue and earnings growth. Institutions that manage and communicate risk responsibly are perceived as more trustworthy. Clear, factual messaging about how your institution safeguards data can reassure customers and partners without revealing sensitive information.

Culture and Talent: Transparent, well-framed communication about cybersecurity (both internally and, when appropriate, externally) can strengthen culture and attract skilled professionals. Building a company culture that takes cybersecurity seriously requires visible leadership and positive reinforcement, rather than fear or blame. Sharing select success stories shows employees and potential hires that security is valued across the organization, not siloed in IT. When leadership publicly acknowledges effective defense, even in general terms, it reinforces accountability and pride while signaling that cybersecurity excellence is part of the institution’s identity.

Peer Learning: Industry collaboration and information sharing are essential foundations of cyber resilience, not just for you but for the entire financial ecosystem. As noted by ISACA, “open and transparent communication, inclusive decision-making and collaboration across functions enable more robust risk assessments, stronger incident response capabilities and better informed decisions.”

For example, anonymized contributions to organizations like FS‑ISAC allow your institution to share patterns of attack and defensive success without exposing sensitive detail. That lets you demonstrate leadership in the community and help raise the baseline for all institutions.

Smart transparency: contribute insights, protect details, elevate the ecosystem.

When Discretion Is the Better Part of Valor

There are also times when silence is the smartest move.

Disclosing too much, especially too soon, can undermine security, compliance, or even community trust. Avoid communication if:

  • The incident is part of an active investigation or involves law enforcement
  • Details could reveal your institution’s detection methods, vendors, or defensive posture
  • Disclosure might invite copycat attempts or regulatory scrutiny
  • The scale of the event could cause unnecessary customer concern despite successful containment

Smaller community institutions, in particular, should weigh whether publicizing a cyber event could cause more confusion than reassurance. When in doubt, err on the side of caution and stick to internal recognition and required regulatory reporting only.

Recognize Success Internally

Even when events remain confidential, internal recognition is always appropriate. Acknowledging employees who detect or mitigate threats reinforces a proactive security culture, and also helps staff understand the real impact of their vigilance.

Consider:

  • Quarterly recognition programs for cybersecurity excellence
  • Sanitized after-action briefings that share lessons learned without exposing sensitive data
  • Peer-to-peer recognition programs that encourage employees across departments to report suspicious activity and celebrate preventive success

Rewarding good cyber hygiene is one of the most effective and lowest risk ways to strengthen organizational resilience.

Practical Decision Framework

To take the guesswork out of deciding whether to share a cyber win, a simple decision tree can be an effective tool:

  • Classify the Event
    Was there any customer impact, data exposure, or service disruption? If yes, the event is an incident rather than a “win”: follow existing incident response and regulatory notification protocols before any discretionary messaging is considered.
  • Review the Risk
    Could disclosure reveal sensitive information about your systems, vendors, or security tactics? Could it be misinterpreted? Could it be weaponized by attackers?
  • Define the Purpose
    What outcome are you seeking? Customer reassurance, education, or cultural recognition? Clear objectives guide tone and scope.
  • Coordinate Approvals
    Engage legal, compliance, risk management, marketing, and PR teams. Notify regulators in advance if public statements could draw attention. This cross-functional collaboration aligns directly with the NIST CSF “Respond” function’s incident response reporting and communication category, ensuring that any message is accurate, consistent, and risk-appropriate.

Communicating Responsibly

If leadership decides a message is warranted, precision and restraint are key.

  • Lead with outcomes, not methods: Use plain, factual language that emphasizes customer protection without exposing sensitive details. For example: “Our cybersecurity team identified and contained an attempted intrusion. No customer data was accessed, and operations were not disrupted.” Make absolute claims like “no customer data was accessed” only when the completed forensic review supports them; a statement that later has to be walked back does more damage than silence.
  • Reinforce governance, not technology: Discuss oversight, monitoring, and layered controls rather than specific tools or vendors. Example: “Our ongoing investments in layered security and employee training helped us prevent the incident.”
  • Set expectations: Remind customers that attempted cyberattacks are constant, and that prevention is a sign of normal, effective operations, not an anomaly.
  • Prepare for questions: Before publication, provide customer-facing teams with approved Q&As for common inquiries such as “how often does this happen?” or “is my data safe?”
  • Time it right: Only communicate after the incident is fully contained, forensic reviews are complete, and legal counsel confirms that disclosure won’t interfere with ongoing investigations or regulatory reporting.

Responsible communication starts with clarity and putting customer protection first.

Safe Ways to Share Externally

Not every communication needs to reference a specific event. Many institutions find value in external sharing that educates rather than discloses.

  • Industry collaboration: Contribute anonymized findings through FS-ISAC or other trusted information sharing groups to help strengthen sector-wide defenses.
  • Customer education: Use marketing channels to promote strong password practices, multi-factor authentication, or fraud prevention tips, tying them to your institution’s broader commitment to cybersecurity.
  • Community reassurance: If local or national news reports highlight regional cyberattacks, consider a brief statement reinforcing your institution’s preparedness and ongoing investments in protection, without referencing any internal incidents.

These activities allow institutions to demonstrate leadership and transparency while avoiding operational risk.

Measure What Matters

If your institution does choose to communicate about a cyber win, establish clear success metrics ahead of time. Track:

  • Customer sentiment: Fewer fear-driven calls or complaints after the message
  • Digital engagement: Opens, clickthroughs, and time spent on educational content
  • Risk posture: No increase over baseline in reconnaissance against the systems involved, phishing lures that reference the announcement, or exploitation attempts following the communication
  • Culture metrics: Greater participation in security training or recognition programs

Effective communication should leave customers reassured and employees motivated—without increasing vulnerability.

Good Governance First, Communication Second

There’s no universal rule to dictate when to share a cybersecurity success story. Each situation is unique, and the right approach depends on your institution’s risk tolerance, regulatory environment, and culture.

The key is to treat communication as part of your governance process, not as a spontaneous public relations decision. With proper oversight, cross-functional collaboration, and disciplined messaging, transparency can strengthen customer trust and demonstrate operational maturity.

Even when stories stay behind closed doors, recognizing the people who protect your institution is always worth doing. Celebrating cybersecurity “wins” internally—and handling external communication through a structured, risk-aware lens—keeps the focus where it belongs: protecting customers, reinforcing confidence, and preserving the integrity of your institution.

Need a few cybersecurity wins before you can think about sharing them? Check out our on-demand webinar to learn how your institution can anticipate emerging threats and build lasting cyber resilience.


Steve Sanders, Chief Risk Officer and Chief Information Security Officer

In his role, Steve leads enterprise risk management and other key components of CSI’s corporate compliance program, including privacy and business continuity. He also oversees threat and vulnerability management as well as information security strategy and awareness programs. With more than 15 years of experience focused on cybersecurity, information security and privacy, he employs his strong background in audit, information security and IT security to help board members and senior management gain a command of cyber risk oversight.
