On February 15, Federal Reserve Board Governor Michelle W. Bowman delivered remarks at the Midwest Cyber Workshop, during which she discussed topics related to third-party service provider reliance and regulatory expectations concerning cyber risk management. “While we expect banks to be in touch with us when an event happens, cyber events should not be the first time a cyber-risk conversation occurs between a bank and its regulator.” Community banks frequently cite cybersecurity as one of the top risks facing the banking industry, Bowman said, adding that bankers have mentioned difficulties in attracting and retaining the staff needed to mitigate cyber risk. She also noted that ransomware disproportionately impacts smaller banks that might not “have sufficient resources to protect against these attacks.”
Pointing out that banks are becoming increasingly reliant on third-party service providers, Bowman said regulators should “consider the appropriateness of shifting the regulatory burden from community banks to more efficiently focus directly on service providers.” Regulators have authority to do so under the Bank Service Company Act, Bowman said, adding that “[i]n a world where third parties are providing far more of these services, it seems to me that these providers should bear more responsibility to ensure the outsourced activities are performed in a safe and sound manner.” She also referenced a 2021 final rule that requires banks to timely notify their primary federal regulator in the event of a significant computer-security incident within 36 hours after the banking organization determines that a cyber incident has taken place (covered by InfoBytes here). The reporting process, Bowman said, is also intended to streamline small banks’ efforts to monitor service providers (which are required to notify a bank-designated point of contact at each affected customer bank when a computer-security incident has occurred).
“We look forward to working with you to assist in clarifying expectations, applying regulatory guidance or seeking feedback on cyber-risk management strategies,” Bowman said. “We encourage bank management teams to engage with regulatory points of contact whenever questions arise on cybersecurity matters just as with any other regulatory matter.”
