New Year’s Resolutions for Getting the Best Possible Exam Results

Happy New Year!

Reflecting on 2016, you likely heard more about technology, such as self-driving cars, and used more technology in your everyday life than ever before. You also learned more about technology threats.

You, your bank or a bank client may have been the victim of ransomware, a type of cybersecurity attack that locks up your computer or data files. The culprits behind the attack demand a ransom to provide an unlock key. Technology threats such as these are becoming more prevalent, as there was a 600% growth in ransomware during the first half of 2016, with over 56,000 ransomware events in March of 2016 alone. And, only 47% of ransomware victims were able to recover all of their data. It’s also one reason why the FDIC, OCC and Federal Reserve are asking banks during their examinations what strategies the bank is utilizing to monitor and manage expanding technology risks.

In looking forward to 2017, here are a few suggestions on what you can do to reduce the regulatory, legal and reputational risks you face from technology threats.

1. Doing what you have done in the past won’t get you the same IT exam results in the future.
In a recent discussion, a banking regulator commented that just because a bank received a 1 on its last IT examination does not mean the bank will get a 1 on its next exam. In fact, if the bank has not made any changes in how technology risk is being managed since the last exam, the bank is not going to like the score it gets on its next IT exam. The reason why is that risks have grown and changed. You must continuously adapt to effectively address new risks.

2. Is the board actively managing information technology risks?
Your bank’s board manages credit risk, interest rate risk and liquidity risk, but they should also be just as active in managing technology risks. Regulators expect your board to manage the technology risks directors are accepting for the bank. If you can’t show that is happening, your IT exam results will be worse. Having the board actively involved in managing technology can also reduce legal risk. Think of how it would look if after a successful cyber-attack your bank’s board minutes were subpoenaed and you could not show any director involvement in managing a critical risk your bank has.

3. Do you have an active IT committee?
Your examiners would certainly be surprised, and concerned, if your bank did not have a functioning loan committee. They are going to be just as concerned if your bank does not have an active IT committee that documents regularly held discussions on technology and technology risk. The reason why is that today nearly everything in the bank is impacted by technology, and without having a process to document what is occurring, it is difficult for management and the board to monitor and manage your technology risks.

4. Are you effectively connecting bank board objectives, bank employees and technology in a seamless manner?
It can be challenging to accomplish. For example, most every bank board has a very strong commitment to BSA/AML regulations and every bank compliance officer and frontline employee likely understands how critical it is to report Currency Transaction Report (CTR) and Suspicious Activity Report (SAR) filings accurately and timely (due in part to the civil money penalties that can apply if it is not done correctly). But, are your board members and bank staff aware that certain cybersecurity events require filing of a SAR?* And, is your technical staff collecting the technical details needed to complete the SAR filing? Good communication across the entire bank about strategic goals, cybersecurity and regulatory issues is very necessary to satisfy regulatory requirements.

5. If you are not moving forward, you’re actually falling behind.
Technology is changing rapidly, and so are technology risks. A successful cybersecurity attack creates reputational risk for your bank, but everyday issues such as not being able to print loan documents, having slow networks that require customers to wait and other issues create reputational risks with your customers. This is especially apparent to your customers when they are able to go to competitors that don’t have these operational problems. Have you identified the operational challenges that are creating reputational risks for your bank and preventing you from reaching your strategic goals?

Banks face expanding technology risks that result in more regulatory, reputational and legal risks than ever before. This is not something that your bank can simply wait to respond to. Bank regulators expect to see planning and proactive management addressing this new risk environment.

Continuous evaluation of the strategies, systems and people your bank is relying on to protect against the risks created from emerging cyber threats helps ensure your bank has the capabilities it needs to effectively compete in a rapidly changing environment.

For more information on how BankOnIT can help reduce your regulatory, legal and reputational risks, please contact us at, or 800-498-8877, option 2.