CYBERSECURITY AND THE COMMUNITY BANK
See this article as featured on page 12 of the May/June issue of the Colorado Banker.
The threats to the financial services industry posed by cybersecurity events are persistent and well documented. At the same time, technological advancements in the financial sector have dramatically expanded the channels through which banks are able to service their clients. One result is that those tasked with managing a bank’s risk must strike a delicate balance between the legal, operational, regulatory and reputational risks posed by cybersecurity threats and the significant efficiency and cost-saving opportunities presented by these new innovations.
For several years, regulators at the state and federal levels have stressed the importance of implementing and maintaining robust processes and procedures to mitigate the threat and resulting consequences of cybersecurity incidents. One way larger banks have responded to this regulatory pressure, and the fallout from several high-profile cybersecurity incidents, is by expanding budgets dedicated to preventing and responding to cybersecurity incidents. At the 2015 World Economic Forum in Davos, Switzerland, Bank of America CEO Brian Moynihan announced that the bank’s cybersecurity unit would have a “blank check budget” for 2015. Similarly, in late 2015, J.P. Morgan Chase and Co. announced that it expected its 2016 budget for cybersecurity spending to be approximately $500 million.
Despite these headlines, cybersecurity is not just a large bank issue. The Federal Financial Institutions Examination Council (the “FFIEC”) and its member agencies, including the FDIC, Federal Reserve, and OCC, and several state banking regulators, including the Massachusetts Division of Banks and the New York Department of Financial Services, are pushing for more stringent rules and examination procedures for community banks under their oversight. Recognizing the need for guidance, the increased cost of compliance, and the fact that not every bank has half a billion dollars to spend on its cybersecurity efforts, these regulators have also provided numerous resources for community banks to use in assessing their readiness to handle a cybersecurity incident.
Online Resources for Community Banks
In June of 2015, the FFIEC released on its website the Cybersecurity Assessment Tool (the “Assessment”), a two part exercise designed to “help institutions identify their risks and determine their cybersecurity preparedness.” In the materials accompanying the Assessment, the FFIEC notes the following benefits to an institution from using the Assessment:
- Identifying factors contributing to and determining the institution’s overall cyber risk;
- Assessing the institution’s cybersecurity preparedness;
- Evaluating whether the institution’s cybersecurity preparedness is aligned with its risks;
- Determining risk management practices and controls that are needed or need enhancement and actions to be taken to achieve the desired state; and
- Informing risk management strategies.
The Assessment incorporates principles from the FFIEC Information Technology Examination Handbook, regulatory guidance, and concepts from industry standards including the National Institute of Standards and Technology (the “NIST”) Cybersecurity Framework. The Assessment and other cybersecurity resources prepared by the FFIEC are available at www.ffiec.gov/cybersecurity.htm.
The FDIC recently addressed the issue of cybersecurity in an article titled “A Framework for Cybersecurity” in the Winter 2015 issue of its Supervisory Insights Journal, released on February 1, 2016 (available on the Financial Institution Letters page of the FDIC’s website, www.fdic.gov). The article addresses some common cyber-attack strategies, the critical components of information security programs (corporate governance, threat intelligence, security awareness training, and patch-management programs), and actions taken by federal bank regulators to respond to cybersecurity threats. The article stresses that everyone within a financial institution, from entry-level staff to the board of directors, is responsible for prioritizing cybersecurity. The article includes information about several resources available to help educate and inform employees and directors on cybersecurity. One such resource is the Financial Services Information Sharing and Analysis Center (the “FS-ISAC”), a public-private information-sharing forum. The FS-ISAC operates a community bank working group that sends weekly “cyber updates” to community bank executives. Financial institutions with less than $1 billion in assets or less than $10 million in revenue can access these updates, and other helpful resources, by purchasing a basic membership at a cost of $250 per year. More information is available at www.fsisac.com.
Finally, the Conference of State Bank Supervisors (the “CSBS”), through its Executive Leadership of Cybersecurity initiative, has published the CSBS Executive Leadership of Cybersecurity Resource Guide (the “CSBS Guide”) to provide community bank CEOs and executive management with a “non-technical, easy-to-read resource on cybersecurity.” The CSBS Guide is intended to “put in one document industry recognized standards for cyber security, best practices currently used within the financial services industry, and an organizational approach used by the NIST.” The CSBS Guide addresses the five core cybersecurity functions of the NIST’s Cybersecurity Framework, which are:
- Identify internal and external cyber risks;
- Protect organizational systems, assets and data;
- Detect system intrusions, data breaches, and unauthorized access;
- Respond to a potential cybersecurity event; and
- Recover from a cybersecurity event by restoring normal operations and services.
The CSBS Guide, and other informational materials prepared by the CSBS on cybersecurity preparedness, are available at www.csbs.org/cybersecurity.
While all of these online resources are valuable guides for protecting customer data and your institution, none is a substitute for the exercise of common sense and prudent, consistently applied internal policies and procedures. Your institution’s Chief Technology Officer or Information Security Officer, or those in analogous roles, should be given authority to develop and implement such policies and procedures based on recognized best practices such as those promulgated by the NIST, with involvement from the board of directors and executive management. Furthermore, it is crucial that your institution’s board of directors and executive management be focused on and well-informed about the threats posed by cybersecurity attacks; therefore, they should receive reports on these issues from members of your institution’s information technology team on a regular basis.