Why it matters

The member banking agencies of the Office of the Federal Financial Institutions Examination Council (FFIEC) will soon promulgate a “Cybersecurity Assessment Tool” for use by community banks after a pilot program conducted at 500 community financial institutions in 2014 to evaluate their preparedness to mitigate cyber risks.

For years community banks had a “What? Me Worry?” attitude about their Bank Secrecy Act compliance after receiving no criticisms following several examinations. Now most have been told they were not in fact pillars of their community when it came to their anti-money laundering program. The coming rollout of the cybersecurity assessment tool has similar earmarks of establishing the next best practices standards, which have a way of trickling down to become minimum standards when applied by examiners. In recent remarks, Comptroller of the Currency Thomas J. Curry explained that the tool will allow financial institutions to not only assess their cybersecurity risks but also help them manage and protect against such risks. Curry offered, “The tool does not create an expectation by regulators of stricter compliance.” Instead, it is meant to help improve the cybersecurity of banks from cyber threats, which “are real and … unlikely to abate anytime soon. In fact, they are more likely to increase.”

One has to wonder about the comptroller’s assurances that the tool will not set higher compliance and examination requirements, considering the guidance given to the pilot participants:

The Cybersecurity Assessment supplements existing examination work planned for each institution participating in the pilot. Therefore, if examiners find issues or have concerns that require attention (e.g., practices that do not meet existing legal requirements or supervisory expectations) while conducting their normal examination work, they will inform the institution and communicate necessary corrective action.

Banks that don’t believe the cybersecurity compliance bar is rising may want to check the link to bridges for sale.

Detailed discussion

With data breaches and cyber crime on the rise, the FFIEC has made cybersecurity a top priority. The Cybersecurity Self-Assessment Tool is just one piece of the cybersecurity puzzle being considered by the FFIEC in the wake of a survey conducted last year on more than 500 institutions to assess their current data security practices. Based on those findings, the FFIEC and its member regulators are also working on incident analysis, crisis management, training and policy development with respect to cybersecurity preparedness, as well as improvements in the area of collaborations with other agencies to communicate the importance of and best practices for cybersecurity. An update of the Information Technology Examination Handbook is also in the works, the FFIEC said.

To get a baseline view of the industry, a cybersecurity assessments pilot program was conducted at more than 500 community institutions during the summer of 2014. In general observations released last November, the FFIEC said risk varies significantly across financial institutions, depending on the type, volume and complexity of operational considerations, including connection types, products and services offered, and technologies used.

For example, access points and connection types, like wireless networks or BYOD (bring your own device) programs, raise questions for banks—Do we need all these connections? How do they collectively affect the institution’s risk?—while different technologies like ATMs (presenting concerns about cash-out scams) and Internet services (possible vulnerabilities to distributed denial-of-service, or DDoS, attacks) all raise different considerations.

Based on its findings, the FFIEC emphasized that cybersecurity preparedness is essential for financial institutions, which can establish a range of cybersecurity controls from preventive to detective to corrective.

In a separate statement, the FFIEC members (the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, the National Credit Union Administration and the State Liaison Committee) issued a call to action urging banks to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC).

“Recent cyber attacks and widely reported pervasive vulnerabilities highlight the rapidly changing cyber risk landscape,” the FFIEC stated. “Financial institutions participating in information-sharing forums have improved their ability to identify attack tactics and successfully mitigate cyber attacks on their systems.”

Now the FFIEC has announced its priorities for the remainder of 2015.

First on the list: issuing a Cybersecurity Self-Assessment Tool “to assist institutions in evaluating their inherent cybersecurity risk and their risk management capabilities.” Possible core elements of the expected assessment? Based on previous guidance, the regulator could be looking for the existence of institutionwide cybersecurity policies and programs grounded on an evaluation of risk specific to the bank, with board oversight, participation in information-sharing forums, and consideration of third-party service providers.

Speaking recently at the BITS Emerging Payments Forum, Comptroller of the Currency Thomas J. Curry referenced the forthcoming tool, which will be released “soon.” Financial institutions will find it “useful in evaluating their inherent cybersecurity risks, including those in existing and emerging payment areas, and their risk management capabilities,” Curry said. “The results will shed light on how well cybersecurity measures already undertaken comport with the bank’s cybersecurity risks.”

He also emphasized that the assessment tool is meant “to help banks, particularly community banks, to defend against cybersecurity threats. Those threats are real and they are unlikely to abate anytime soon. In fact, they are more likely to increase. I would caution against anyone viewing this effort and the OCC’s complementary cybersecurity examination program as an unnecessary regulatory burden. The time to act is now.”

Other items on the FFIEC’s agenda: incident analysis (with enhanced processes for gathering, analyzing and sharing information with each other during cyber incidents); training (the development of programs for the staff of FFIEC members on evolving cyber threats and vulnerabilities); and collaboration with law enforcement and intelligence agencies, building on existing relationships to share information about cyber threats and response techniques.

Policy development in the cybersecurity arena will also take place this year. The FFIEC plans to update and supplement the Information Technology Examination Handbook “to reflect rapidly evolving cyber threats and vulnerabilities with a focus on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and incident management and resilience.”

Members will expand their focus on technology service providers and their ability to respond to cyber threats and vulnerabilities, as well as keep an eye on crisis management by aligning, updating and testing emergency protocols to respond to systemwide cyber incidents in coordination with public-private partnerships, the FFIEC said.

To read about the FFIEC’s cybersecurity initiatives, click here.

To read Comptroller Curry’s remarks about the Cybersecurity Self-Assessment Tool, click here.