FFIEC Cyber Assessments: What to Expect
Experts Weigh in on How to Prepare
The Federal Financial Institutions Examination Council's new cybersecurity assessments for community banking institutions will be incorporated into the usual IT examination process, regulators say. Industry associations and analysts say banking leaders should be preparing for more stringent oversight of cybersecurity awareness and initiatives.
A new work program and assessment tool for cybersecurity will be used in banking institutions' regularly scheduled IT exams, says Stephanie Collins, spokeswoman for the Office of the Comptroller of the Currency, one of the banking agencies that's part of the FFIEC.
"[This] will allow us to develop a baseline assessment across the sector of how they are managing cybersecurity risks," she says. "In order to ensure that we comprehensively assess the cybersecurity environment in which financial institutions operate, we also plan to involve a number of the most critical technology service providers."
On May 7 and 8, the FFIEC and the Office of the Comptroller of the Currency announced plans to launch a pilot program for new cybersecurity assessments by the end of this year (see FFIEC Plans Cybersecurity Assessments).
But one banking institution executive, who asked not to be named, says regulators are already setting times for cybersecurity-related risk assessment exams with select banking institutions to coincide with their regular IT exams, some of which begin in the coming days.
Ensuring C-Level Awareness
Faced with the increased scrutiny, community banks and credit unions likely will have to prove they have strategic plans in place to ensure ongoing cyberthreat awareness and an understanding of cybersecurity threats at the board and executive levels, says Doug Johnson, vice president of risk management policy for the American Bankers Association.
The overall message from banking regulators: C-level executives and boards of directors at community banks and credit unions must ensure that cybersecurity is part of everyday business, he says.
Regulators won't be asking institutions to make changes in how they conduct their risk assessments, Johnson says. Instead, they just want to ensure community bankers truly understand how emerging cyber-attacks could affect their business, he explains.
"There is a lot of signaling of what needs to be done within the [FFIEC's] authentication guidance and third-party risk guidance - both of which point to the need for continuous monitoring and that you have to continually look at risks and threats and determine what kind of mitigating efforts you have to put in place," Johnson says.
Institutions should be prepared to show that they have identified and understand the risks they face, he adds. "That is really what the regulatory agencies are looking for."
A Clear Message
During a May 7 webinar the FFIEC hosted for C-level executives at community institutions, the clear message was that it's critical for banking leaders to increase awareness of cyber-risks across their institutions.
Bill Nelson, president of the Financial Services Information Sharing and Analysis Center and a participant in the May 7 webinar, says C-level banking executives should be getting more directly involved with security and risk assessments.
"Even if your FI [financial institution] outsources its IT operation, the FI is still responsible for cybersecurity of its enterprise and its customers. It's important to learn about the latest threats, and you need to join information-sharing bodies."
Nelson also says he foresees expanded FFIEC guidance related to cybersecurity coming. "Congress has paid particular attention to the cyber security issue in light of recent breaches," Nelson says. "This has resulted in focus on cybersecurity by regulators to ensure that the organizations they regulate are aware of the issues at the C-suite level."
Shirley Inscoe, a financial fraud analyst at consultancy Aite Group, says recent data breaches and the exposure of consumer information spurred the FFIEC to make cyber-issues more of a priority.
"When politicians feel pressure from their constituents, regulators must respond in a proactive manner," she says.
David Pommerehn, senior counsel and assistant vice president of the Consumer Bankers Association, says most banking institutions should not be too concerned about the greater cybersecurity scrutiny because they're already doing much of what the FFIEC is recommending.
"Banks already have strict data security measures in place," Pommerehn says. "The added scrutiny from the federal regulators just adds another layer to an already top-notch regime."
Still, community banks and credit unions fear the FFIEC's notice could signal more regulatory pressure and additional regulatory requirements, says Dennis Tsang, assistant general counsel at CUNA, the Credit Union National Association.
"We do have some questions and concerns that the upcoming risk and regulatory assessments for cybersecurity that are planned for later this year could potentially lead to increased regulatory and examination burdens for credit unions," Tsang says. "We continue to urge NCUA and other regulators to minimize regulatory burdens."
Smaller Institutions at Risk
An enhanced regulatory focus on cybersecurity risk mitigation at smaller banks and credit unions has been an ongoing mission for the FFIEC.
The FFIEC's creation of the Cybersecurity and Critical Infrastructure Working Group, and the National Institute of Standards and Technology's issuance of the cybersecurity framework at the end of last year, should have prepared institutions for more cyber-oversight, Johnson says (see How Will NIST Framework Affect Banks?).
The recent uptick in retail breaches, perpetrated through malware attacks aimed at point-of-sale systems, has raised new alarms. Ensuring that community institutions address third-party risks through vendor management and governance was also a catalyst for increased oversight, regulators say.
How to Prepare
The ABA's Johnson says it's clear that community institutions should expect in-depth reviews of their cybersecurity awareness during the examination process.
"We have not had so much focus on cyber specifically in the past," Johnson says. "But at the end of the day, this is about risk assessment. Good cybersecurity just makes good business sense. It's a risk management exercise."
Aite's Inscoe says banks and credit unions should prepare for more questions about their third-party relationships and their risk-mitigation strategies for third parties.
"Institutions should conduct internal security reviews and renew efforts with third parties they deal with to ensure they identify any weak links, particularly with regards to transaction processing and any confidential consumer information that leaves the institution's firewalls," she says.