
BlackSheep Security Research

The State of
Banking Cybersecurity

2026 Report

We scanned the public infrastructure of 3,701 FDIC-insured community banks with $100M+ in assets. 95% have no email authentication. 99% have at least one high-severity security gap. FFIEC examiners are checking these controls. Most banks aren't ready.

By the numbers

What we found

3,701 banks scanned
95% no DMARC
60 average score out of 100
1.1% earned an A grade

Key findings

Banks are failing on email security

FFIEC IT Examination Handbooks and GLBA Safeguards Rule require these controls. Examiners check them. The majority of community banks haven't implemented them.

95% no DMARC

The email authentication crisis

95.3% of community banks have no DMARC record. Anyone on the internet can send emails that appear to come from the bank's domain. For institutions that send wire confirmations, account alerts, and statements via email, this is the attack vector behind business email compromise — the #1 cause of financial loss from cybercrime.

Combined with the 79.5% that have no SPF record, the vast majority of community banks have zero email authentication. An attacker can email a commercial client from "treasury@yourbank.com" with fraudulent wire instructions — and nothing will flag it.

Note: DMARC and SPF are measured on each bank's primary website domain. Banks running email on a parent company or subsidiary domain may have records configured elsewhere.

Only 1.2% of banks have DMARC with any policy at all
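As an added example (not BlackSheep's scanner), the classifier below maps a domain's DMARC and SPF TXT records onto the finding categories used in this report and answers the question raised above: would a receiver reject mail forged from this domain? The sample records and domains are constructed; an enforcing DMARC policy (quarantine or reject) is the control that closes the spoofing gap.

```python
# Constructed sample records (not real bank domains). DMARC lives in the TXT
# record of _dmarc.<domain>; SPF is a TXT record on <domain> itself.
SAMPLE_RECORDS = {
    "bank-a.example": {"dmarc": None, "spf": None},
    "bank-b.example": {"dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@bank-b.example",
                       "spf": "v=spf1 include:spf.protection.outlook.com ~all"},
    "bank-c.example": {"dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@bank-c.example",
                       "spf": "v=spf1 include:spf.protection.outlook.com -all"},
}

def dmarc_policy(txt):
    """Return the p= policy of a DMARC record (none/quarantine/reject), or None."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for tag in txt.split(";"):
        if "=" in tag:
            key, value = tag.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p") or None

def spf_all_qualifier(txt):
    """Qualifier on the 'all' mechanism: '-' fail, '~' softfail, '?' neutral,
    '+' pass. None means there is no SPF record at all."""
    if not txt or not txt.strip().lower().startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return "?"  # no 'all' term: RFC 7208 treats unmatched senders as neutral

def classify(records):
    """Map one domain's records onto the finding categories used in the report."""
    findings = []
    policy = dmarc_policy(records.get("dmarc"))
    if policy is None:
        findings.append("No DMARC record")
    elif policy == "none":
        findings.append('DMARC set to "none" (monitoring only)')
    qualifier = spf_all_qualifier(records.get("spf"))
    if qualifier is None:
        findings.append("No SPF record")
    elif qualifier == "~":
        findings.append("Weak SPF (softfail only)")
    return findings

def spoofable(records):
    """True unless DMARC tells receivers to quarantine or reject forged From: mail."""
    return dmarc_policy(records.get("dmarc")) not in ("quarantine", "reject")
```

On a live domain the two TXT strings come from `dig TXT _dmarc.<domain>` and `dig TXT <domain>`; the functions take them as plain strings so the example runs offline.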

Online banking portals are exposed

We identified online banking login pages on 1,685 bank websites (45.5%). Nearly every bank offers online banking — these are the ones where the login page was detectable on the public website. Of the banks we scanned:

  • 28.3% have no HSTS — browsers can be tricked into loading login over HTTP
  • 61.8% have no Content-Security-Policy — vulnerable to cross-site scripting
  • 8.5% don't redirect HTTP to HTTPS — credentials can be intercepted in transit
62% no CSP header
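The header checks behind the three portal findings above, as an added example that is not the report's own tooling: it classifies a login page's plain-HTTP and HTTPS responses into the report's finding categories, with a constructed weak response beside a hardened one (the hostname and header values are made up for the example).

```python
import re

# Constructed responses for a hypothetical login page (not a real bank). Each site
# records what the plain-HTTP request and the HTTPS request returned.
WEAK_SITE = {
    "http": {"status": 200, "headers": {"Server": "Apache/2.4.41 (Ubuntu)"}},
    "https": {"status": 200, "headers": {"Server": "Apache/2.4.41 (Ubuntu)",
                                          "Access-Control-Allow-Origin": "*"}},
}
HARDENED_SITE = {
    "http": {"status": 301, "headers": {"Location": "https://login.bank.example/"}},
    "https": {"status": 200, "headers": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
        "Server": "Apache",
    }},
}

def header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def header_findings(site):
    """Classify a login page into the report's header-related finding categories."""
    findings = []
    http, https = site["http"], site["https"]
    location = header(http["headers"], "Location") or ""
    if not (300 <= http["status"] < 400 and location.lower().startswith("https://")):
        findings.append("No HTTP-to-HTTPS redirect")
    h = https["headers"]
    max_age = re.search(r"max-age=(\d+)", header(h, "Strict-Transport-Security") or "")
    if not max_age or int(max_age.group(1)) == 0:  # max-age=0 disables HSTS
        findings.append("No HSTS enforcement")
    csp = header(h, "Content-Security-Policy") or ""
    if not csp:
        findings.append("No Content-Security-Policy header")
    if not header(h, "X-Frame-Options") and "frame-ancestors" not in csp:
        findings.append("No X-Frame-Options (clickjacking risk)")
    if re.search(r"\d+\.\d+", header(h, "Server") or ""):  # e.g. Apache/2.4.41
        findings.append("Server version exposed")
    if (header(h, "Access-Control-Allow-Origin") or "").strip() == "*":
        findings.append("Open CORS policy (data theft risk)")
    return findings
```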

The data

Security gaps across 3,701 banks

Finding                                    Affected   %
No DMARC record                            3,526      95.3%
No SPF record                              2,942      79.5%
No Content-Security-Policy header          2,288      61.8%
No X-Frame-Options (clickjacking risk)     1,206      32.6%
No HSTS enforcement                        1,049      28.3%
No privacy policy visible                  809        21.9%
Robots.txt exposes admin paths             702        19%
No HTTP-to-HTTPS redirect                  313        8.5%
Weak SPF (softfail only)                   258        7%
Server version exposed                     184        5%
Open CORS policy (data theft risk)         56         1.5%
DMARC set to “none” (monitoring only)      46         1.2%
SSL certificate expired                    18         0.5%

Overall grades

97% of banks score B or below

The average score is 60 — the bottom of a B. Most banks are one finding away from a C.

Grade   Share   Banks   Score range
A       1.1%    42      80-100 pts
B       52.9%   1,956   60-79 pts
C       43.0%   1,592   40-59 pts
D       1.4%    50      20-39 pts
F       1.6%    61      0-19 pts

By asset size

Bigger banks aren't much safer

You'd expect $10B+ banks to have better security. They score slightly higher on average, but their DMARC adoption is actually worse than smaller banks' — 99.2% have no DMARC at all.

Asset Tier     Avg Score   No DMARC   Critical
$10B+          61.6        99.2%      1.5%
$1B–$10B       62          94.4%      3.0%
$500M–$1B      60          96.3%      2.1%
$100M–$500M    59.5        95.0%      7.0%

$10B+ banks, DMARC adoption: 0.8% have any DMARC policy at all.

Email infrastructure

88.6% use Microsoft 365 — and still don't configure DMARC

MX records only show the first hop — often a security gateway or CDN. We used autodiscover CNAME records, Microsoft TXT verification, SPF includes, SIP federation SRV records, and SMTP EHLO banner grabbing to identify the actual platform behind each bank.

Platform            Share   Detail
Microsoft 365       88.6%   3,279 banks confirmed
Google Workspace    0.6%    24 banks confirmed
Security Gateways   2.4%    Proofpoint, Mimecast, etc.
Self-Hosted         0.3%    Postfix, Exim, Sendmail
Unknown             8.1%    CDN/proxy blocked detection

The paradox

Microsoft 365 supports DMARC, SPF, and DKIM natively — configuration takes minutes. Yet 95.3% of banks on confirmed email domains still have no DMARC. The platform makes it easy. Banks just aren't doing it.

How we determined this

MX records only show the first hop. We used five additional signals: autodiscover CNAME records, ms= TXT verification records, SPF includes, SIP federation SRV records, and SMTP EHLO banner grabbing on port 25. Behind Proofpoint: 94.1% Microsoft. Behind Barracuda: 93.0% Microsoft. Behind Akamai CDN: 89.1% Microsoft.

Community banks are a Microsoft monoculture

88.6% is the highest Microsoft adoption of any industry we've assessed — higher than RIAs (75.8%) and healthcare (31.4%). Only 0.6% use Google Workspace. The remaining 8.1% "unknown" are mostly banks behind CDN proxies (Akamai, Cloudflare) or website builders (WP Engine, Squarespace) that blocked our detection.

Regulatory context

What FFIEC examiners are looking for

The FFIEC IT Examination Handbooks and GLBA Safeguards Rule require specific cybersecurity controls. Here's what examiners evaluate during IT examinations:

01 Information security program: written, board-approved, regularly updated
02 Risk assessment process: identifies threats to customer information
03 Access controls & authentication: MFA, least privilege, session management
04 Email security controls: SPF, DKIM, DMARC to prevent spoofing
05 Vendor management program: due diligence on third-party service providers
06 Incident response plan: tested, with notification procedures

What a Matters Requiring Attention (MRA) looks like

1. IT exam finding citing GLBA/FFIEC
2. MRA or MRIA issued
3. Board notification required
4. Follow-up exam scheduled

Recommendations

Five actions your bank can take this week

1. Deploy DMARC with a “reject” policy
   30 minutes of DNS work to prevent anyone from spoofing your bank’s domain. The single highest-impact control you can implement.

2. Add SPF and DKIM
   SPF tells mail servers which IPs can send for your domain. DKIM cryptographically signs your messages. Both are free and required by FFIEC guidance.

3. Enable HSTS on your online banking portal
   One HTTP header that forces all traffic over HTTPS. Essential for any page handling customer credentials.

4. Add Content-Security-Policy headers
   Prevents cross-site scripting attacks against customers using your online banking portal.

5. Document your GLBA-compliant security program
   Written policies, annual risk assessment, vendor management procedures, incident response plan. This is what examiners ask for first.


Based on publicly accessible infrastructure only. No systems accessed or tested beyond what any internet user can observe.

Methodology

Behind the data

BlackSheep analyzed the publicly accessible infrastructure of 3,701 FDIC-insured community banks with $100M or more in total assets across four categories: SSL/TLS security, email authentication (SPF, DMARC, DKIM), HTTP security headers, and technology configuration.

Each bank received a composite score (0–100) and letter grade (A through F). All data was collected from publicly accessible infrastructure only — no systems were accessed, penetrated, or tested beyond what any internet user can observe.

Bank data sourced from FDIC quarterly call reports. Asset tiers range from $100M to over $10B. Email authentication statistics (DMARC, SPF) are measured on each bank's primary website domain. Banks that operate email through a parent company domain or subsidiary may have authentication records configured on a different domain than the one measured. Many community banks use third-party core banking platforms that handle online banking on separate domains — our scans measured the bank's public marketing website, not the hosted banking portal.

Data collected April 2026. Individual bank results are not disclosed in this report.

This report was produced by BlackSheep, a cybersecurity compliance platform purpose-built for regulated industries. 21 frameworks. $249/month.

Copyright 2026 BlackSheep Security. This report may be shared freely with attribution.