Only 1 in 5 Directors are Confident in their IT Knowledge

Directors are responsible for setting policy and managing risk in their banks. However, many directors are not confident in their knowledge of information technology issues and as a result are not effective at setting policy or managing risks that relate to information technology.

Moving IT from the Back Room to the Boardroom

Increasingly occurring cyber hacks make it clear that preventative measures against today’s cyber risks need to become a priority. Attacks such as those on Target, the IRS and even the United States Office of Personnel Management serve to illustrate the increasing severity of the cybersecurity problem.

FFIEC Releases Cybersecurity Assessment Tool

The FFIEC released the Cybersecurity Assessment tool on June 30, 2015, and regulators are expecting that banks’ board of directors will use this tool to assess their own cybersecurity risks.

The intent is for a bank board to be able to recognize the cyber risks they are taking on and what mitigating controls are in place. Banks engaging in more cyber activities or in higher risk areas are expected to be implementing additional risk mitigation controls.

FDIC Receives an Exam:

Agency is not probing hard enough on I.T. exams

It may surprise some bankers to learn that the FDIC has an independent office of Inspector General (OIG) that conducts audits, investigations, and other reviews of the FDIC’s programs and operations. The OIG recently prepared a report assessing the FDIC’s efforts to ensure that over 4,000 institutions it supervises, as well as those banks’ major vendors, are prepared for cyberattacks, and to determine whether the agency has sufficient examination resources dedicated to this goal.

Regulators Identify Risk Area for 2015 Operational Risk is 2nd Highest

The FFIEC has listed its cyber-security priorities for 2015.(1) Directors and management should consider how these upcoming steps may affect their bank. In recent presentations regulators have identified cybersecurity risk as a bank’s second-highest overall risk, behind only interest-rate risk. Does your board give cybersecurity risk the attention that examiners are expecting?

FFIEC Releases Two Statements on Cybersecurity

Regulators are continuing to emphasize that bank CEOs and directors must understand the risks
they are undertaking with regard to cyber security, the same as understanding credit, liquidity and
other risks inherent in banking.

Are You Performing Due Diligence on Your Vendors’ Vendors?

You may be surprised to learn that many of your bank’s vendors actually outsource to a third party certain critical functions that you perhaps believed your vendor was directly performing for you. As an example, your vendor may not be directly providing a secure e-mail system for you, but instead uses a third party company to host and support your secure e-mail. Maybe your vendor offers data storage for your bank—but your vendor doesn’t provide that service directly.

A Critical Deadline Is Approaching to Replace Your Windows Server 2003.

The countdown to July 14, 2015, is on. That’s the rapidly-approaching date when Microsoft ends support for its popular Windows Server 2003.

Has your bank upgraded to new servers yet? Lots of banks haven’t. Analysts are predicting that many businesses will ignore the deadline and continue operating with the familiar and stable Windows Server 2003. But the consequences could be very serious.