Regulators Identify Risk Area for 2015: Operational Risk Is 2nd Highest
Here are four of the FFIEC’s cybersecurity priorities for this year, followed by BankOnIT’s comments:
• Cybersecurity Self-Assessment Tool—The FFIEC will issue a self-assessment tool this year to help banks evaluate “their inherent cybersecurity risk and their risk management capabilities.” Comments: The FFIEC worries that directors and management at some banks do not sufficiently understand (1) the cybersecurity risks the bank is taking on with certain systems, electronic banking products and vendors, and (2) whether the bank is doing enough to mitigate those risks. In information security, as in lending, understanding the risk is a prerequisite for successfully reducing and managing it.
• Training—The FFIEC is developing training programs for examiners at the FDIC, OCC and Federal Reserve on evolving cyber threats and vulnerabilities. Comments: Such training will help examiners to focus more thoroughly on information security issues in bank exams. Examinations are likely to become more rigorous.
• Policy Development—The FFIEC will update its Information Technology Examination Handbook “to reflect rapidly evolving cyber threats and vulnerabilities.” The FFIEC will be focusing on a bank’s risk management practices and oversight, threat awareness, cybersecurity mitigating controls, dependency on third-party vendors, and preparedness to manage and respond to an incident related to information security. Comments: A bank’s I.T. committee and board should give emphasis to emerging cybersecurity threats; the bank’s current security risks; and whether adequate mitigating controls are in place. A bank’s incident response plan or business continuity plan should include cybersecurity response procedures. Committee and board minutes should show a thorough risk-based review of new vendors and new electronic banking products before they are selected.
• Technology Service Provider Strategy—Regulators will place more focus on a bank’s technology service providers’ “ability to respond to growing cyber threats and vulnerabilities.” Comments: It’s likely that the OCC, FDIC, and Federal Reserve will be examining at least some of the technology service providers (TSPs) not currently under regulatory supervision. If a bank uses a non-regulated technology service provider, it should have adequate documentation in its files to show that the non-regulated TSP has the “ability to respond to growing cyber threats and vulnerabilities.” Without adequate information in a bank’s files, examiners may require a non-regulated TSP to provide written documentation, or may conduct an onsite exam of the TSP. Regulators can charge the cost of such exams to the bank. Banks that do not use a regulated technology service provider should consider switching to a regulated TSP.
BankOnIT is a regulated TSP, examined annually by the FFIEC (including examiners from the OCC, FDIC, and Federal Reserve). BankOnIT helps its client banks comply with changing regulatory requirements related to I.T.
(1) FFIEC, “FFIEC Focuses on Cybersecurity, Will Debut Self-Assessment Tool,” www.ffiec.gov/press/pr031715.htm