In December 2016, Thomas Curry, the Comptroller of the Currency, stated that cybersecurity was the single greatest systemic threat to our financial system. He was not being hyperbolic.
Cybersecurity should be on everyone’s mind. Businesses, politicians, and regulators have all recently paid lip service to the importance of cybersecurity and paid dearly for gaps in their own policies and procedures. Given the nature of financial services, the need is very acute. At a recent dinner, the general counsels of the Office of the Comptroller of the Currency (“OCC”), the Federal Deposit Insurance Corporation (“FDIC”), the Board of Governors of the Federal Reserve System (“Federal Reserve”), the National Credit Union Administration (“NCUA”), and the Consumer Financial Protection Bureau (“CFPB”) all declared that cybersecurity was a top priority in terms of guidance and compliance. Now is the time for bank boards and senior management to review the new, pending, and existing rules and regulations regarding their cybersecurity responsibilities, and to consider ways to be proactive in protecting their banks from known and potential cyber threats.
Despite the very real consequences of a cyberattack, creating and maintaining an up-to-date cybersecurity policy remains a big challenge at most community banks, in part due to the expense of setting up a robust system and the lack of dedicated employees or departments focusing on this issue. The prudential regulators have put increased pressure on the boards of directors of community banks to ensure their institutions are ready to detect and deter any cyberattacks. This increased burden on bank boards is exacerbated by the increased regulatory focus on board accountability with respect to bank relationships with third parties. See e.g. OCC Bulletin 2013-29.
The Gramm-Leach-Bliley Act (“GLBA”) required regulatory implementation of information security standards, and the OCC, the Federal Reserve, and the FDIC issued Interagency Guidelines Establishing Information Security Standards, establishing the standards on how banks must protect customer information. A bank’s information security policy and procedures must, like all other policies and procedures, be commensurate with the bank’s risk level. Today, however, all banks, large and small, are at risk from hackers; the only difference is that the hacker might target a community bank over a larger bank on the assumption its protective measures are weaker. All banks, no matter the size, must develop internal controls to keep up with the ever-evolving world of cybercriminals.
Currently, all banks are encouraged to use the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity Assessment Tool to identify risk and determine the bank’s enterprise-wide preparedness for a cyberattack. If a decision is made not to use the FFIEC Cybersecurity Assessment Tool, the bank must document its use of another assessment tool or framework. In addition, banks must assess the adequacy of the cybersecurity policies, procedures, and systems of any third party with whom the bank has a relationship.
In October 2016, the OCC, the Federal Reserve, and the FDIC released an advance notice of proposed rulemaking (“ANPR”) regarding enhanced cyber risk management standards. The ANPR provides five categories of cybersecurity standards: (i) cyber risk governance, (ii) cyber risk management, (iii) internal dependency management, (iv) external dependency management, and (v) incident response, cyber resilience, and situational awareness. This ANPR emphasizes that gaps in cybersecurity systems can bring down the global financial system because most financial institutions are interconnected and dependent on each other. While the ANPR’s enhanced standards are currently intended to apply only to those entities with more than $50 billion in assets, once finalized, these standards are likely to trickle down and impact examiner and customer expectations for smaller banks.
In addition to federal regulation and guidance, banks also should monitor relevant state cybersecurity laws and regulations. In September 2013, the New York Department of Financial Institutions (“NY DFS”) issued a proposed rule (which was updated and reissued on December 28, 2016) that mandates, among other requirements: (i) the establishment of cybersecurity programs, (ii) the adoption of a written cybersecurity policy, (iii) the use of qualified cybersecurity personnel of the bank, an affiliate, or a third party service provider, (iv) enhanced policies and procedures for dealing with cyber threats resulting from third party relationships, and (v) periodic assessments of vulnerabilities in the bank’s cybersecurity system. The new comment period runs through January 27, 2016, and the rule becomes effective March 1, 2017. More states may follow suit.
In January, people often make resolutions to plan for a better new year – bank directors and senior management should consider their 2017 resolutions for their banks and ensure they’re ready for the year ahead. Cybersecurity is an area where banks must remain vigilant and engaged.