Directors are responsible for setting policy and managing risk in their banks. However, many directors are not confident in their knowledge of information technology issues and as a result are not effective at setting policy or managing risks that relate to information technology.
Increasingly frequent cyber attacks make it clear that preventative measures against today’s cyber risks need to become a priority. Attacks such as those on Target, the IRS and even the United States Office of Personnel Management serve to illustrate the increasing severity of the cybersecurity problem.
The FFIEC released the Cybersecurity Assessment Tool on June 30, 2015, and regulators are expecting that banks’ boards of directors will use this tool to assess their own cybersecurity risks.
The intent is for a bank board to be able to recognize the cyber risks it is taking on and what mitigating controls are in place. Banks engaging in more cyber activities or in higher-risk areas are expected to be implementing additional risk mitigation controls.
Agency is not probing hard enough on I.T. exams
It may surprise some bankers to learn that the FDIC has an independent office of Inspector General (OIG) that conducts audits, investigations, and other reviews of the FDIC’s programs and operations. The OIG recently prepared a report assessing the FDIC’s efforts to ensure that over 4,000 institutions it supervises, as well as those banks’ major vendors, are prepared for cyberattacks, and to determine whether the agency has sufficient examination resources dedicated to this goal.
The FFIEC has listed its cyber-security priorities for 2015.(1) Directors and management should consider how these upcoming steps may affect their bank. In recent presentations regulators have identified cybersecurity risk as a bank’s second-highest overall risk, behind only interest-rate risk. Does your board give cybersecurity risk the attention that examiners are expecting?
Regulators are continuing to emphasize that bank CEOs and directors must understand the risks they are undertaking with regard to cybersecurity, the same as understanding credit, liquidity and other risks inherent in banking.
It’s Better to Make a Plan Now Rather than Wait
You may be surprised to learn that many of your bank’s vendors actually outsource to a third party certain critical functions that you perhaps believed your vendor was directly performing for you. As an example, your vendor may not be directly providing a secure e-mail system for you, but instead uses a third-party company to host and support your secure e-mail. Maybe your vendor offers data storage for your bank—but your vendor doesn’t provide that service directly.
The FFIEC has released a list of 20 questions that CEOs and directors should ask themselves concerning their bank’s internal information process and preparedness with respect to cybersecurity risks.
The countdown to July 14, 2015, is on. That’s the rapidly-approaching date when Microsoft ends support for its popular Windows Server 2003.
Has your bank upgraded to new servers yet? Lots of banks haven’t. Analysts are predicting that many businesses will ignore the deadline and continue operating with the familiar and stable Windows Server 2003. But the consequences could be very serious.